Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ztunnel/DNS Capture: DNS Additional Section merged into DNS Answer #1457

Open
2 tasks done
zirkome opened this issue Feb 14, 2025 · 3 comments
Open
2 tasks done

Ztunnel/DNS Capture: DNS Additional Section merged into DNS Answer #1457

zirkome opened this issue Feb 14, 2025 · 3 comments
Labels
area/traffic-flow Area: Traffic Flow

Comments

@zirkome
Copy link

zirkome commented Feb 14, 2025
edited
Loading

Is this the right place to submit this?

  • This is not a security vulnerability or a crashing bug
  • This is not a question about how to use Istio

Bug Description

Hi!

We have a new Istio service which is now failing on SRV queries. After investigation we found out that it is due to a DNS additional section returned by Azure DNS that is merged in the Answer section by ztunnel DNS proxy.
I was able to reproduce the issue outside Azure (i.e. AWS) by mimicking the same DNS answer via CoreDNS override.

    template ANY ANY _tcp.db.srv.tld {
      answer "{{ .Name }} 8 IN SRV 0 0 2400 privatelink-db.srv.tld."
      answer "{{ .Name }} 8 IN SRV 0 0 2401 privatelink-db.srv.tld."
      answer "{{ .Name }} 8 IN SRV 0 0 2402 privatelink-db.srv.tld."
      additional "privatelink-db.srv.tld. 8 IN A 10.140.0.250"
      additional "privatelink-db.srv.tld. 8 IN A 10.140.0.250"
      additional "privatelink-db.srv.tld. 8 IN A 10.140.0.250"
    }

Without Istio (or w/ DNS Capture disabled) we get the following from dig:

;; ANSWER SECTION:
_tcp.db.srv.tld. 8	IN SRV 0 0 2400 privatelink-db.srv.tld.
_tcp.db.srv.tld. 8	IN SRV 0 0 2401 privatelink-db.srv.tld.
_tcp.db.srv.tld. 8	IN SRV 0 0 2402 privatelink-db.srv.tld.

;; ADDITIONAL SECTION:
privatelink-db.srv.tld. 8 IN A	10.140.0.250
privatelink-db.srv.tld. 8 IN A	10.140.0.250
privatelink-db.srv.tld. 8 IN A	10.140.0.250

However inside the pod, part of the Istio mesh, when we run dig we get the following:

;; ANSWER SECTION:
_tcp.db.srv.tld. 30	IN SRV 0 0 2400 privatelink-db.srv.tld.
_tcp.db.srv.tld. 30	IN SRV 0 0 2401 privatelink-db.srv.tld.
_tcp.db.srv.tld. 30	IN SRV 0 0 2402 privatelink-db.srv.tld.
privatelink-db.srv.tld. 30 IN A	10.140.0.250
privatelink-db.srv.tld. 30 IN A	10.140.0.250
privatelink-db.srv.tld. 30 IN A	10.140.0.250

Version

$ istioctl version
client version: 1.24.2
control plane version: 1.24.2
data plane version: 1.24.2 (5 proxies)
$ kubectl version
Client Version: v1.32.1
Kustomize Version: v5.5.0
Server Version: v1.30.9

Additional Information

No response
@bleggett
Copy link
Contributor

Moving this to istio/ztunnel since it is likely a problem with the ztunnel DNS proxy.

@bleggett bleggett transferred this issue from istio/istio Feb 14, 2025
@bleggett bleggett added the area/traffic-flow Area: Traffic Flow label Feb 14, 2025
@howardjohn
Copy link
Member

Thanks for the report. I can reproduce and confirm its not impacting sidecars, only ztunnel

@howardjohn
Copy link
Member

I think this is a bug in the DNS library we depend on. I opened an issue in hickory-dns/hickory-dns#2781.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/traffic-flow Area: Traffic Flow
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@howardjohn @zirkome @bleggett