Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DNS.Resolvers should be used for DNS multiaddrs: /dnsaddr /dns /dns4 /dns6 #9199

Open
lidel opened this issue Aug 16, 2022 · 2 comments
Open
Labels
help wanted Seeking public contribution on this issue kind/bug A bug in existing code (including security flaws) need/triage Needs initial labeling and prioritization topic/dns

Comments

@lidel
Copy link
Member

lidel commented Aug 16, 2022

Version

0.14.0

Bug description

DNS.Resolvers allows for setting DNS over HTTPS resolver per domain or globally (. catch-all).

Custom DNS resolver set there is:

  • 🟢 used when resolving DNSLink records (content addresses)
  • 🔴 NOT used when resolving /dnsaddr, /dns, /dns4, /dns6 multiaddrs (peer addresses).

Threat model

Peer addresses include /p2p/{libp2p-key}, which removes the surface for MITM, so no peer identity spoofing / tampering is possible.

However, a privacy/censorship concern remains. DNS resolver provided by the operating system (delegating queries to user's ISP in cleartext) may lie about IPs, or simply return no TXT records, which will block access to things like bootstrappers at /dnsaddr/bootstrap.libp2p.io/, effectively cutting off user from IPFS network.

How to reproduce

To confirm that DNS.Resolvers is used for DNSLink, but not for DNSAddr, set bootstrap to DNS-only peers AND set DNS resolver to invalid one (which should always fail):

  "Bootstrap": [
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt"
  ],
  "DNS": {
    "Resolvers": {
      ".": "https://dns.invalid/dns-query"
    }
  },

After rebooting your daemon (with fresh repo, no prior peers cached, no mdns):

  • 👍 ipfs resolve /ipns/en.wikipedia-on-ipfs.org will fail with could not resolve name
  • 👎 node starts fine and ipfs swarm connect /dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN will connect just fine.
    • invalid DoH resolved was not used – we expected connection to fail the same way dnslink did, but it worked. this means DNS.Resolvers are not applied to multiaddrs, only to DNSLink.

What is interesting, doing manual ipfs swarm connect /dnsaddr/ipfs.aergia.eu fails as expected:

$ ipfs swarm connect /dnsaddr/ipfs.aergia.eu
Error: Post "https://dns.invalid/dns-query": dial tcp: lookup dns.invalid on 1.1.1.1:53: no such host

So.. parts are wired up (manual swarm connect), parts are not (bootstrappers).

Expected behavior

DNS.Resolvers (if defined) should be used for resolving all DNS-based multiaddrs, namely:

  • /dnsaddr
  • /dns
  • /dns4
  • /dns6

Related

cc libp2p/go-libp2p#1607

@lidel lidel added kind/bug A bug in existing code (including security flaws) need/triage Needs initial labeling and prioritization topic/dns labels Aug 16, 2022
@matyapiro31
Copy link

My issue is very relevant, so I write here,
1:These DoH config has no fall back system. (eg: when cloudflare service is not available, I want to use another DoH service.)
2: Add DNS over TLS/QUIC support. DoQ is the safest way to get DNS. some non-ICANN service, such as OpenNIC provides only DoT.

@lidel
Copy link
Member Author

lidel commented Aug 17, 2022

@matyapiro31 fallback resolvers are tracked in #8173. Please fill a separate issue for TLS/QUIC transport support 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Seeking public contribution on this issue kind/bug A bug in existing code (including security flaws) need/triage Needs initial labeling and prioritization topic/dns
Projects
No open projects
Status: 🥞 Todo
Development

No branches or pull requests

3 participants