dnsproxy: Fix bug where DNS request timed out too soon #31999

gandro · 2024-04-16T11:55:49Z

This fixes a bug where DNS requests would timeout after 2 seconds, instead of the intended 10 seconds. This resulted in a Timeout waiting for response to forwarded proxied DNS lookup log message whenver the response took longer than 2 seconds.

The dns.Client used by the proxy is already configured to use ProxyForwardTimeout value of 10 seconds, which would apply also to the dns.Client.DialTimeout, if it was not for the custom net.Dialer we use in Cilium. The logic in dns.Client.getTimeoutForRequest overwrites the request timeout with the timeout from the custom Dialer. Therefore, the intended ProxyForwardTimeout 10 second timeout value was overwritten with the much shorter net.Dialer.Timeout value of two seconds. This commit fixes that issue by using ProxyForwardTimeout for the net.Dialer too.

Fixes: cf3cc16 ("fqdn: dnsproxy: fix forwarding of the original security identity for TCP")

Reported-by: @ayuspin

Backporting because the above commit was backported all the way to v1.11.

gandro · 2024-04-16T12:07:09Z

/test

gandro · 2024-04-16T12:47:43Z

Putting back into draft. Local testing revealed that seems to be an issue in SharedClient which also does not respect the ProxyForwardTimeout.

This pulls in cilium/dns#11 which fixes a bug where the `SharedClient` logic did not respect the `c.Client.Timeout` field. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

This fixes a bug where DNS requests would timeout after 2 seconds, instead of the intended 10 seconds. This resulted in a `Timeout waiting for response to forwarded proxied DNS lookup` error message whenever the response took longer than 2 seconds. The `dns.Client` used by the proxy is [already configured][1] to use `ProxyForwardTimeout` value of 10 seconds, which would apply also to the `dns.Client.DialTimeout`, if it was not for the custom `net.Dialer` we use in Cilium. The logic in [dns.Client.getTimeoutForRequest][2] overwrites the request timeout with the timeout from the custom `Dialer`. Therefore, the intended `ProxyForwardTimeout` 10 second timeout value was overwritten with the much shorter `net.Dialer.Timeout` value of two seconds. This commit fixes that issue by using `ProxyForwardTimeout` for the `net.Dialer` too. Fixes: cf3cc16 ("fqdn: dnsproxy: fix forwarding of the original security identity for TCP") [1]: https://github.com/cilium/cilium/blob/50943dbc02496c42a4375947a988fc233417e163/pkg/fqdn/dnsproxy/proxy.go#L1042 [2]: https://github.com/cilium/cilium/blob/94f6553f5b79383b561e8630bdf40bd824769ede/vendor/github.com/cilium/dns/client.go#L405 Reported-by: Andrii Iuspin <andrii.iuspin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

gandro · 2024-04-16T13:47:37Z

Putting back into draft. Local testing revealed that seems to be an issue in SharedClient which also does not respect the ProxyForwardTimeout.

Fixed the bug in cilium/dns, this now pulls in the updated version.

In manual testing, DNS timeouts now actually take 10 seconds again (where as without either commits, they time out after 2 seconds):

time="2024-04-16T13:54:45Z" level=debug msg="Forwarding DNS request for a name that is allowed" DNSRequestID=12784 dnsName=cilium.io. endpointID=3914 identity=770 ipAddr="10.244.1.16:51635" subsys=fqdn/dnsproxy
time="2024-04-16T13:54:55Z" level=warning msg="Timeout waiting for response to forwarded proxied DNS lookup" DNSRequestID=12784 dnsName=cilium.io. endpointID=3914 error="read udp 172.18.0.3:48540->192.168.1.1:53: i/o timeout" identity=770 ipAddr="10.244.1.16:51635" subsys=fqdn/dnsproxy

gandro · 2024-04-16T14:00:48Z

/test

pippolo84

LGTM, thanks! 💯

gandro · 2024-04-22T12:56:06Z

I need a review from a current vendor team member. Unfortunately Robin is no longer part of that team, so his review doesn't make the PR green. Added all current members.

sayboras

Looks good for vendor changes ✔️

gandro added release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.13 area/fqdn Affects the FQDN policies feature needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Apr 16, 2024

gandro requested a review from a team as a code owner April 16, 2024 11:55

gandro requested a review from pippolo84 April 16, 2024 11:55

gandro force-pushed the pr/gandro/fqdn-respect-proxy-forward-timeout branch from 8b9bb6d to fd87f5b Compare April 16, 2024 12:02

gandro added affects/v1.11 This issue affects v1.11 branch affects/v1.12 This issue affects v1.12 branch labels Apr 16, 2024

gandro marked this pull request as draft April 16, 2024 12:47

gandro mentioned this pull request Apr 16, 2024

shared client: Fix global timeout not being respected cilium/dns#11

Merged

gandro added 2 commits April 16, 2024 15:46

vendor: Bump cilium/dns to fix bug where timeout was not respected

8ec8901

This pulls in cilium/dns#11 which fixes a bug where the `SharedClient` logic did not respect the `c.Client.Timeout` field. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

gandro force-pushed the pr/gandro/fqdn-respect-proxy-forward-timeout branch from fd87f5b to 2256e10 Compare April 16, 2024 13:47

gandro marked this pull request as ready for review April 16, 2024 13:47

gandro requested a review from a team as a code owner April 16, 2024 13:47

gandro requested a review from rolinh April 16, 2024 13:47

gandro removed affects/v1.11 This issue affects v1.11 branch affects/v1.12 This issue affects v1.12 branch labels Apr 16, 2024

pippolo84 approved these changes Apr 17, 2024

View reviewed changes

rolinh approved these changes Apr 22, 2024

View reviewed changes

gandro requested review from tklauser, aanm and sayboras April 22, 2024 12:54

sayboras approved these changes Apr 22, 2024

View reviewed changes

sayboras added this pull request to the merge queue Apr 22, 2024

Merged via the queue into cilium:main with commit 931b816 Apr 22, 2024
41 checks passed

gandro mentioned this pull request Apr 29, 2024

v1.15 Backports 2024-04-29 #32230

Merged

18 tasks

gandro added backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Apr 29, 2024

gandro mentioned this pull request Apr 30, 2024

v1.14 Backports 2024-04-30 #32251

Merged

13 tasks

gandro added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 labels Apr 30, 2024

gandro mentioned this pull request Apr 30, 2024

v1.13 Backports 2024-04-30 #32252

Merged

10 tasks

gandro added backport-pending/1.13 and removed needs-backport/1.13 labels Apr 30, 2024

aanm mentioned this pull request May 2, 2024

Prepare for release v1.14.11 aanm/cilium#643

Merged

This was referenced May 10, 2024

Prepare for release v1.13.16 #32458

Merged

Prepare for release v1.14.11 #32460

Merged

Prepare for release v1.15.5 #32470

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

dnsproxy: Fix bug where DNS request timed out too soon #31999

dnsproxy: Fix bug where DNS request timed out too soon #31999

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

dnsproxy: Fix bug where DNS request timed out too soon #31999

dnsproxy: Fix bug where DNS request timed out too soon #31999

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!