Forwarding uses broken IPv6 parsing from config #2802

Open
b3t33 opened this issue Mar 9, 2025 · 0 comments

b3t33 commented Mar 9, 2025

Output of the following commands:

./dnscrypt-proxy -version

2.1.7

./dnscrypt-proxy -check

dnscrypt-proxy -check
[2025-03-09 17:41:20] [WARNING] [/tmp/repro/dnscrypt-proxy.toml] can be modified by other system users because [/tmp/repro] is writable by other users - If this is not intentional, it is recommended to fix the access permissions
[2025-03-09 17:41:20] [NOTICE] dnscrypt-proxy 2.1.7
[2025-03-09 17:41:20] [INFO] Source [public-resolvers] loading from URL [https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md]
[2025-03-09 17:42:00] [NOTICE] System DNS is not usable yet
[2025-03-09 17:42:00] [NOTICE] Resolving server host [raw.githubusercontent.com] using bootstrap resolvers over udp
[2025-03-09 17:42:00] [NOTICE] Source [public-resolvers] loaded
[2025-03-09 17:42:00] [NOTICE] Configuration successfully checked

./dnscrypt-proxy -resolve example.com

[2025-03-09 17:42:53] [WARNING] [/tmp/repro/dnscrypt-proxy.toml] can be modified by other system users because [/tmp/repro] is writable by other users - If this is not intentional, it is recommended to fix the access permissions
Resolving [example.com] using 127.0.0.1 port 53

Unable to resolve: [Timeout]

What is affected by this bug?

Forwarding rules get parsed using possibly invalid substrings of server IPv6 addresses.

With f531c8f the parsing logic trims the first [ from every IPv6 address and does not handle the port when trimming.

When does this occur?

Forwarding fails for IPv6 addresses specified like [2001:4860:4860::8888]:53 as in the wiki or example-forwarding-rules.txt.

Some indications from the logs are:

[INFO] Forwarding [.] to [2001:4860:4860::8888]:53]
...
[DEBUG] Handling query for [google.com]
[DEBUG] Forwarding [google.com] to [2001:4860:4860::8888]:53]

Note the mismatched square brackets.

However, using just [2001:4860:4860::8888] in forwarding-rules.txt works fine.

How do we replicate the issue?

With the following configuration, the failed forwarding can be observed.

 cat dnscrypt-proxy.toml 
listen_addresses = ['127.0.0.1:53', '[::1]:53']
forwarding_rules = 'forwarding-rules.txt'

log_level=0

[sources]
  [sources.public-resolvers]
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
    cache_file = 'public-resolvers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 73
    prefix = ''

 cat forwarding-rules.txt 
. [2001:4860:4860::8888]:53

 dnscrypt-proxy --config dnscrypt-proxy.toml

 dnscrypt-proxy -resolve example.com

Expected behavior (i.e. solution)

Parsing of IPv6 addresses for forwarding should accept the format from the wiki and sample config.
In the forwarding plugin (see f531c8f) the trimming could be done to another local variable, or the port number can be handled/split.
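
A sketch of the port-aware parsing the report asks for, added here as an example (it is not dnscrypt-proxy code and not from the issue author). `naiveTrim` is a hypothetical reconstruction of the trimming behaviour described above, and `normalizeForwarder` is a hypothetical helper that assumes forwarders are IP literals without zone identifiers.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// naiveTrim models the behaviour the report describes: the leading "[" is
// always removed, but the trailing "]" is only removed when no port follows.
// Hypothetical reconstruction, not dnscrypt-proxy source.
func naiveTrim(s string) string {
	return strings.TrimSuffix(strings.TrimPrefix(s, "["), "]")
}

// normalizeForwarder (hypothetical helper) returns a canonical host:port for
// "[v6]:port", "[v6]", bare v6, "v4:port" and "v4". Assumption: only IP
// literals are accepted, and defaultPort is used when no port is given.
func normalizeForwarder(s string, defaultPort int) (string, error) {
	host, port := s, strconv.Itoa(defaultPort)
	if h, p, err := net.SplitHostPort(s); err == nil {
		host, port = h, p // port was present and brackets were balanced
	} else if strings.HasPrefix(s, "[") && strings.HasSuffix(s, "]") {
		host = s[1 : len(s)-1] // bracketed IPv6 literal without a port
	}
	if net.ParseIP(host) == nil {
		return "", fmt.Errorf("invalid forwarder address %q", s)
	}
	n, err := strconv.ParseUint(port, 10, 16)
	if err != nil || n == 0 {
		return "", fmt.Errorf("invalid port in %q", s)
	}
	return net.JoinHostPort(host, port), nil
}

func main() {
	// Constructed sample inputs; the first two are the forms from the report.
	for _, s := range []string{"[2001:4860:4860::8888]:53", "[2001:4860:4860::8888]", "9.9.9.9"} {
		fixed, err := normalizeForwarder(s, 53)
		fmt.Printf("%-28s naive=%q fixed=%q err=%v\n", s, naiveTrim(s), fixed, err)
	}
}
```

Rejecting the half-trimmed string outright means a malformed rule fails at config load instead of surfacing later as a resolution timeout.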
