ENH: cymru expert: prevent extra lookups, handle invalid asnames #2352
Yes, a unit test for one of these special cases would be very good. For example the AS266522, which you mentioned in the issue. The fix looks good on first glance.
Right. Well. Having the IP in the test event seemed to mess with things.
IP_QUERY = "%s.origin%s.asn.cymru.com." | ||
ASN_QUERY = "AS%s.asn.cymru.com." |
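Review bot: the trailing dot at the end of IP_QUERY and ASN_QUERY carries the whole search-domain fix, but nothing next to the two constants says so. Add a one-line comment above them stating that the final "." makes the name fully qualified so that resolver search domains are never appended after an NXDOMAIN; otherwise a later cleanup can silently drop it.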
If it's possible, it would be nice to provide a test for this change as well
The tests cover IP and ASN lookups.
It technically doesn't cover the search domain part.
This is what I meant :)
@@ -168,6 +168,8 @@ def __asn_query_parse(text): | |||
if items[4]: | |||
# unicode characters need to be decoded explicitly | |||
# with the help of https://stackoverflow.com/questions/60890590/ | |||
result['as_name'] = items[4].encode('latin1').decode('utf8') | |||
as_name = items[4].encode('latin1', errors='ignore').decode('utf8') | |||
if as_name: |
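Review bot: errors='ignore' on the .encode('latin1', ...) call only covers characters outside latin1; the chained .decode('utf8') is still strict and raises UnicodeDecodeError when the remaining bytes are not valid UTF-8. When characters are dropped, the line also keeps a partial name instead of skipping it. Consider wrapping the encode/decode pair in a try/except for UnicodeError and leaving as_name unset on failure, and extend the comment above to describe that behaviour.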
is this the "Avoid extraneous search domain-based queries on NXDOMAIN result"?
That's the added periods in IP_QUERY and ASN_QUERY, actually.
Example: if you have a search domain of "lan" and resolving homeserver fails with NXDOMAIN, then the search domain will cause homeserver.lan. to be queried.
However, if, for instance, 1.2.3.4.origin4.cymru.com returns NXDOMAIN, then 1.2.3.4.origin4.cymru.com.lan. would be queried.
But, the added period at the end signifies that this is a fully qualified domain name and such queries should not be made.
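The search-list behaviour described in this comment, as an added example that is not part of the original thread or of IntelMQ: a simplified, stdlib-only model of the names a stub resolver tries. ASN_QUERY, AS266522 and the search domain "lan" come from the page; `names_to_try`, `leaked_names` and the `ndots` default are assumptions of the model.

```python
# Added illustration: simplified model of resolver search-list expansion.
# names_to_try() and leaked_names() are hypothetical helpers, not a
# dnspython or IntelMQ API.

ASN_QUERY_OLD = "AS%s.asn.cymru.com"   # relative name (no trailing dot)
ASN_QUERY = "AS%s.asn.cymru.com."      # fully qualified, as in the PR


def names_to_try(qname, search_domains, ndots=1):
    """Return the ordered names queried while each one answers NXDOMAIN.

    Model assumptions: an absolute name (trailing dot) is tried alone; a
    relative name with at least `ndots` dots is tried as-is first and then
    with each search domain appended; shorter names try the search
    domains first.
    """
    if qname.endswith("."):
        return [qname]
    absolute = qname + "."
    expanded = ["%s.%s." % (qname, d.strip(".")) for d in search_domains]
    if qname.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def leaked_names(qname, search_domains):
    """Names outside cymru.com that an NXDOMAIN answer would trigger."""
    return [n for n in names_to_try(qname, search_domains)
            if not n.endswith(".cymru.com.")]


if __name__ == "__main__":
    for template in (ASN_QUERY_OLD, ASN_QUERY):
        qname = template % "266522"
        print(qname, "->", names_to_try(qname, ["lan"]))
```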
The test explicitly sets the search domain to It is not a perfect solution (it relies on the However, I'm wondering, is there any legitimate use case for
Yes, I think we can safely require dnspython >= 2.0 now. I don't have any reason at hand why search is on. If the tests succeed with search disabled, let's go for it :)
@monoidic Is this PR ready to merge or do you want to change the DNS-related parts?
I'd been busy with other projects and forgot about this.
If the changes are acceptable, then I will add changelog entries as well.
Yes, please document the changed minimum required version of dnspython, this has impact on the supported OSs (dropping out Ubuntu 20.04, which needs to be removed from the docs, from intelmq-vagrant and at the next release from the packages).
if dns.version.MAJOR < 2: | ||
return dns.resolver.query(*args, **kwargs) | ||
return dns.resolver.resolve(*args, **kwargs, search=True) | ||
return dns.resolver.resolve(*args, **kwargs) |
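Review bot: dropping search=True from the dns.resolver.resolve call changes this wrapper for every caller, and nothing in the hunk documents it. State in the function's docstring that the search list is no longer forced on and that a caller needing it must pass search explicitly, and note there that the dns.version.MAJOR < 2 branch calling dns.resolver.query is only kept for the old interface so it can be removed together with the wrapper.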
With that change the function is obsolete now. But that's something for a major version as it is a change in the interface.
Could you leave a ticket to remove it?
Added to #1444
Looks good. What I'm not happy about is that we rely on the real answers in tests instead of some mocking solution (and DNS is relatively unstable), but it's a general problem, nothing related to the change :)
if dns.version.MAJOR < 2: | ||
return dns.resolver.query(*args, **kwargs) | ||
return dns.resolver.resolve(*args, **kwargs, search=True) | ||
return dns.resolver.resolve(*args, **kwargs) |
Could you leave a ticket to remove it?
Support for Debian 10 Buster was dropped in PR#2352 certtools#2352
This PR fixes #2132 by ignoring AS names with invalid characters, as suggested by Sebastian.
It also ensures that Cymru DNS queries that return NXDOMAIN do not cause any extraneous queries due to search domains.
(TODO: changelog, add unit test with invalid characters)
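One way to ignore AS names with invalid characters, as an added example that is not the PR's or IntelMQ's code: it decodes strictly and drops the name on any failure instead of using errors='ignore'. Only the position of the name in items[4] comes from the page; the other field names, the helper names and all sample answers are assumptions constructed here.

```python
# Added illustration; repair_as_name() and parse_asn_answer() are
# hypothetical helpers, not the IntelMQ implementation.


def repair_as_name(raw):
    """Undo UTF-8-read-as-latin1 mojibake; return None if not possible."""
    try:
        name = raw.encode("latin1").decode("utf8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        # Character outside latin1, or bytes that are not valid UTF-8:
        # treat the whole name as invalid rather than keep a fragment.
        return None
    return name.strip() or None


def parse_asn_answer(text):
    """Parse 'asn | cc | registry | allocated | as_name' (assumed layout)."""
    # maxsplit=4 keeps any further '|' inside the AS name field.
    items = [item.strip() for item in text.split("|", 4)]
    if len(items) != 5:
        raise ValueError("expected 5 fields, got %d" % len(items))
    result = {}
    for key, value in zip(("asn", "cc", "registry", "allocated"), items):
        if value:
            result[key] = value
    as_name = repair_as_name(items[4])
    if as_name:
        result["as_name"] = as_name
    return result


# Constructed sample answers (not real Cymru data; documentation ASNs).
MOJIBAKE = "64500 | ZZ | example | 2020-01-01 | Telef\u00c3\u00b3nica Example"
OUTSIDE_LATIN1 = "64501 | ZZ | example | 2020-01-01 | ACME \ufffd\ufffd NET"
NOT_UTF8 = "64502 | ZZ | example | 2020-01-01 | Caf\u00e9 Net"

if __name__ == "__main__":
    for sample in (MOJIBAKE, OUTSIDE_LATIN1, NOT_UTF8):
        print(parse_asn_answer(sample))
```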