Apply host DNS settings on peer state change #2291
This approach would break non-routed dns servers (e.g. 8.8.8.8 without exit node), correct?
Not at all, it would just not apply settings until the client is connected to one peer. I am going to try and actually formulate this into a PR. I may update the activate and deactivate upstream handlers to take a flag to skip applying system settings, so as to fix the DNS updates from management.
@lixmal this is ready. Not sure if perhaps this should be gated under a config option, with the default being to maintain the current behavior. Test and let me know what you think.
Actually I got an idea to make a hybrid model, let me get that going instead.
Looking forward to this fix. If I could help in any way to test this (for example on a setup I described in #2002 (comment)) let me know.
Okay, so this will waitforresponse and trigger probes based on when a peer ConnStatus changes.
@lixmal and @mlsmaycon can we get a build so @LeszekBlazewski can provide some feedback?
You can find the binaries in the artifacts in this PR: https://github.com/netbirdio/netbird/actions/runs/10422794281
Hey guys, I have run some tests with the latest binaries built in this PR. My setup:
After comparing the current behaviour (netbird 0.28.7) vs the built binaries, I have found out that indeed the introduced changes postpone DNS servers evaluation until a routing peer is connected, which does potentially address the issue mentioned in #2002 ... unless the nameserver is not supposed to be handled by that connected peer. Based on the logs, I have observed that nameserver probing is triggered regardless of the peer that got just connected (I guess it's assumed that all configured netbird DNS servers can be handled by all connected peers, or there are other technical limitations which prevent figuring out such information, as described below). For example in my described setup, it would make sense to probe the nameservers from point 1 only if the routing peer which handles But still, I think that not applying the config when the DNS server is not reachable is key here and that seems to work. Moreover the backoff over time will fix the above mentioned issue and all the DNS servers that are reachable will be connected.
I made this patch to show one potential fix; probing based on routes when a peer connects will get more complicated, but it is possible. This patch still includes the old logic as fallback, so, triggering if public DNS servers are configured, they should get applied very early on.
I will try and add the ability to trigger a peer with a route. What I gather though was that the app was performing and behaving better applying DNS changes based on when peers connect, is that right?
Yeah, for sure. With the patch from this PR the amount of timed out calls to private NS is minimised. One thing I wanted to figure out, and I am wondering if this could be related to my setup somehow, is: based on the logs, even after the peer which handles 10.3.X.X traffic connects (logs indicate that), the first few calls to probe the private NS still fail and only after a few seconds they come back online. I will try to investigate this since I am confident that those NS are available at all times and it could be related to the exit node or the routing peer connecting as relay.
Do you have any system extensions that filter DNS requests, such as Cisco Umbrella? Assuming this is a macOS device.
The only thing running in the background is eset with the Network Access Protection enabled, which might do some DNS filtering (I am not sure since I don't have access to the management of this antivirus, but I was told it does not). I will make sure to disable it when testing. What is interesting is that the NS requests fail only initially and then just work without me doing any changes.
This patch now supports enabling publicly accessible servers at DNS update processing time and/or at start.
Minor updates to behavior in order to ensure publicly accessible servers work from the start without a peer. I unfortunately didn't filter probing based on network. So test this one out. I will see what I can do on that front, but this would need to be more heavily refactored since I would need to start another network monitor.
Indeed, did a quick test and the public nameservers were enabled almost instantly whereas the rest got processed later on. I am doing some checks on why the first few initial nameserver requests after the connection to the peer which is supposed to handle that traffic still fail.
This patch adds an additional DNS probe triggered by ConnStatus changes of any peer. This is an attempt to limit the number of DNS changes applied to Darwin, Windows and BSD hosts. There should be no change whatsoever in how iOS and Android operate. How publicly accessible DNS servers get applied to the host should also remain unchanged.
Version 29+ introduces new functions for the built-in relay that notify when peer state has changed. Similarly, for this feature to work, there are handlers that need to close the aPeerConnStatusChanged channel to signal a change.
@LeszekBlazewski can you test the latest build? The patch has been updated to work with the latest 29.x releases. I believe @mlsmaycon will be reviewing this soon: https://github.com/netbirdio/netbird/actions/runs/10997072510?pr=2291
Hi, sorry but I won't be able to test this until the 7th of October.
@LeszekBlazewski this now applies settings based on the routing table.
I have the same problem, like #2002, and this PR fixes my problem. But is it possible to rebase it to the latest version?
Yeah, I will rebase it and see if I can fix some tests.
I have updated this PR, but it is a WIP, please test. I need to update this PR to support other platforms.
Yes, I don't see a problem; for me it works on the latest version.
Describe your changes
This is a PoC and a potential fix for #2002. This patch is not fully fleshed out and there are some unintended side effects, but I wanted to get your thoughts and opinions @mlsmaycon and @pascal-fischer and @lixmal.
More Info:
This essentially tries to ensure that host DNS changes aren't applied until at least one routing peer is connected and DNS servers are reachable. It does so by tying deactivation and reactivation of upstream servers to Peerlist state changes in the status recorder.
As it stands, now status -d doesn't accurately reflect the status on first connection. That is because I haven't figured out an effective method to deactivate the servers without more intense changes, primarily because of how the deactivate and reactivate callbacks are structured and their dependence on the removeIndex. One potential workaround is to modify deactivate to skip applying host config, so that we can fix this side effect. Thoughts and discussion please.
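A minimal model of the gating described in this PR (the "More Info" paragraph above and the ConnStatus-trigger comment earlier in the thread): publicly routable upstreams are applied to the host at once, while routed (private) upstreams are held back until a peer ConnStatus change triggers a reachability probe, and only servers that answer are applied. This is an added illustration, not netbird's own code; probeFn, hostDNS and the method names are this example's assumptions.

```go
package main

import "net/netip"

// probeFn reports whether an upstream answers a reachability probe; injected so this runs offline (assumed, not netbird's API).
type probeFn func(netip.Addr) bool

// hostDNS gates which upstream servers get written into the host resolver config.
type hostDNS struct {
	probe   probeFn
	pending []netip.Addr        // routed servers waiting for a connected peer
	applied map[netip.Addr]bool // servers currently applied to the host
}

func newHostDNS(p probeFn) *hostDNS { return &hostDNS{probe: p, applied: map[netip.Addr]bool{}} }

// isPublic: reachable without any NetBird peer (e.g. 8.8.8.8), so apply right away.
func isPublic(a netip.Addr) bool { return a.IsGlobalUnicast() && !a.IsPrivate() }

// OnDNSUpdate handles a management DNS update: public servers are applied at once,
// private (routed) ones are parked until a peer state change triggers a probe.
func (h *hostDNS) OnDNSUpdate(servers []netip.Addr) {
	h.pending = nil
	for _, s := range servers {
		if isPublic(s) {
			h.applied[s] = true
		} else {
			h.pending = append(h.pending, s)
		}
	}
}

// OnPeerConnStatusChanged is the hook the PR adds: on a peer ConnStatus change, probe the parked
// servers and apply only those that answer; the rest stay pending so the next change (or backoff) retries.
func (h *hostDNS) OnPeerConnStatusChanged(anyPeerConnected bool) {
	if !anyPeerConnected {
		return
	}
	var still []netip.Addr
	for _, s := range h.pending {
		if h.probe(s) {
			h.applied[s] = true
		} else {
			still = append(still, s)
		}
	}
	h.pending = still
}

func (h *hostDNS) IsApplied(a netip.Addr) bool { return h.applied[a] }
func (h *hostDNS) PendingCount() int          { return len(h.pending) }
```

The probe stub in the test below fails once and then succeeds, mirroring the "first few probes fail, then the server comes online" behaviour reported in the thread; a dead server never reaches the host config.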