On Tue, Dec 8, 2020 at 8:34 PM Marius Schwarz <fedoradev@xxxxxxxxxxxx> wrote:
>
> On 08.12.20 at 19:32, Dridi Boukelmoune wrote:
> >
> >> Petr was so nice to supply a test procedure, I suggest that you use it also.
> > I'll try to strace stuff to see what's going on, but I can only
> > assume that this BZ is not trying to resolve IP addresses through
> > systemd-resolved.
> >
> >
>
> No, they didn't. A pretimed bind-libs update caused apps not to be
> able to resolve hostnames. They crashed.
> All tools which did it themselves worked "in a way". They first tried
> local resolving with /etc/hosts, that's where libc crashed, which took time,
> and then used root DNS to do their jobs.
>
> It could have the same underlying issue: not matching sys libs. I
> suggest to update them.

Actually, it looks like this is happening for all NXDOMAIN replies.

$ dig @1.1.1.1 com.example | grep -e SERVER -e HEADER
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29880
;; SERVER: 1.1.1.1#53(1.1.1.1)

$ dig +timeout=1 com.example

; <<>> DiG 9.11.25-RedHat-9.11.25-2.fc33 <<>> +timeout=1 com.example
;; global options: +cmd
;; connection timed out; no servers could be reached

A quick search for systemd-resolved nxdomain yields many results with
a syslog I do not see on my system:

> Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001

So it looks like my initial intuition that there could be a mitigation
of sorts is starting to hold water. The problem now is that clients on
my system using getaddrinfo in a way that was legit until now are now
being DoS'd by systemd-resolved, waiting forever for a reply that is
not coming.

I wouldn't mind the mitigation, if only I could disable it.

Does anyone know any better? I'm still suspecting I configured
something wrong but at the same time systemd seems to have a history
with NXDOMAIN handling.
Thanks,
Dridi