Certain Domains cannot be resolved due to EDNSOptionCode(15) Error
I have been using doh-client for years and never had any issues. But a few weeks ago I noticed that certain domains cannot be resolved, and I tried to figure out why. When I try to resolve www.univie.ac.at or www.rnz.de via doh-client I keep getting the following error:
[ERROR doh_client::handler] Could not retrieve DNS response from server: Decode Error: EDNSOptionCode(15)
It seems as if the error is briefly described here: https://www.rfc-editor.org/rfc/rfc8914.html#name-extended-dns-error-code-10-
If I'm not mistaken, the issue comes from a failure in handling of DNSSEC. I'm not 100% sure, but since the client is complaining about a decoding error, I assume the server sends a DNSSEC related packet (RRSIG?) which the client cannot parse and therefore the domain cannot be resolved.
Here is a larger portion of the log for both domains:
Mar 31 23:53:52 pi.hole doh-client[12114]: [INFO doh_client::remote::session] Connected to cloudflare-dns.com at 1.1.1.1:443
Mar 31 23:53:52 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Send DNS request to server: 0 Query rd NoError questions [www.univie.ac.at. IN A, ] additionals [. OPT 1232 0 0 false, ]
Mar 31 23:53:52 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Send HTTP2 request to server: Request { method: POST, uri: https://cloudflare-dns.com/dns-query, version: HTTP/1.1, headers: {"accept": "application/>
Mar 31 23:53:52 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Send HTTP2 body: b"\0\0\x01\0\0\x01\0\0\0\0\0\x01\x03www\x06univie\x02ac\x02at\0\0\x01\0\x01\0\0)\x04\xd0\0\0\0\0\0\0"
Mar 31 23:53:52 pi.hole doh-client[12114]: [DEBUG rustls::client::tls13] Ticket saved
Mar 31 23:53:52 pi.hole doh-client[12114]: [DEBUG rustls::client::tls13] Ticket saved
Mar 31 23:53:52 pi.hole doh-client[12114]: [ERROR doh_client::handler] Could not retrieve DNS response from server: Decode Error: EDNSOptionCode(15)
Mar 31 23:53:52 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Disconnect connetion to server
Mar 31 23:53:52 pi.hole doh-client[12114]: [DEBUG doh_client::handler] Cache fallback is disable
Mar 31 23:53:52 pi.hole doh-client[12114]: [ERROR doh_client::run] Could not handle request: Could not get response for: Dns { id: 6631, flags: Flags { qr: false, opcode: Query, aa: false, tc: false, rd: true, ra: false, ad: fal>
Mar 31 23:53:52 pi.hole doh-client[12114]: [DEBUG rustls::conn] Sending warning alert CloseNotify
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG doh_client::run] Receive UDP packet: b"\x19\xe7\x01\0\0\x01\0\0\0\0\0\x01\x03www\x06univie\x02ac\x02at\0\0\x01\0\x01\0\0)\x04\xd0\0\0\0\0\0\0"
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG doh_client::handler] Question is not found in cache
Mar 31 23:53:54 pi.hole doh-client[12114]: [INFO doh_client::remote::session] Try to connect to 1.1.1.1:443: 1
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG rustls::client::hs] Resuming session
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG rustls::client::hs] Using ciphersuite TLS13_AES_256_GCM_SHA384
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG rustls::client::tls13] Resuming using PSK
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG rustls::client::tls13] TLS1.3 encrypted extensions: [Protocols([6832])]
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG rustls::client::hs] ALPN protocol is Some(b"h2")
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG doh_client::remote::helper] HTTP2 handshake
Mar 31 23:53:54 pi.hole doh-client[12114]: [INFO doh_client::remote::session] Connected to cloudflare-dns.com at 1.1.1.1:443
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Send DNS request to server: 0 Query rd NoError questions [www.univie.ac.at. IN A, ] additionals [. OPT 1232 0 0 false, ]
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Send HTTP2 request to server: Request { method: POST, uri: https://cloudflare-dns.com/dns-query, version: HTTP/1.1, headers: {"accept": "application/>
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Send HTTP2 body: b"\0\0\x01\0\0\x01\0\0\0\0\0\x01\x03www\x06univie\x02ac\x02at\0\0\x01\0\x01\0\0)\x04\xd0\0\0\0\0\0\0"
Mar 31 23:53:54 pi.hole doh-client[12114]: [DEBUG rustls::client::tls13] Ticket saved
...
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Send DNS request to server: 0 Query rd NoError questions [www.rnz.de. IN A, ] additionals [. OPT 1232 0 0 false, ]
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Send HTTP2 request to server: Request { method: POST, uri: https://cloudflare-dns.com/dns-query, version: HTTP/1.1, headers: {"accept": "application/>
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Send HTTP2 body: b"\0\0\x01\0\0\x01\0\0\0\0\0\x01\x03www\x03rnz\x02de\0\0\x01\0\x01\0\0)\x04\xd0\0\0\0\0\0\0"
Apr 01 00:14:53 pi.hole doh-client[12114]: [ERROR doh_client::handler] Could not retrieve DNS response from server: Decode Error: EDNSOptionCode(15)
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Disconnect connetion to server
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG doh_client::handler] Cache fallback is disable
Apr 01 00:14:53 pi.hole doh-client[12114]: [ERROR doh_client::run] Could not handle request: Could not get response for: Dns { id: 22893, flags: Flags { qr: false, opcode: Query, aa: false, tc: false, rd: true, ra: false, ad: fa>
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG doh_client::handler] Add records in cache: www.rnz.de. IN HTTPS, 18101 qr Query rd ra NoError questions [www.rnz.de. IN HTTPS, ] authorities [rnz.de. 7062 IN SOA web8.hd-it.eu. r>
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG doh_client::handler] Add records in cache: www.rnz.de. IN AAAA, 58717 qr Query rd ra NoError questions [www.rnz.de. IN AAAA, ] authorities [rnz.de. 6682 IN SOA web8.hd-it.eu. roo>
Apr 01 00:14:53 pi.hole doh-client[12114]: [ERROR doh_client::handler] Could not retrieve DNS response from server: Decode Error: EDNSOptionCode(15)
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG doh_client::remote::session] Disconnect connetion to server
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG doh_client::handler] Cache fallback is disable
Apr 01 00:14:53 pi.hole doh-client[12114]: [ERROR doh_client::run] Could not handle request: Could not get response for: Dns { id: 22893, flags: Flags { qr: false, opcode: Query, aa: false, tc: false, rd: true, ra: false, ad: fa>
Apr 01 00:14:53 pi.hole doh-client[12114]: [DEBUG rustls::conn] Sending warning alert CloseNotify
Apr 01 00:14:54 pi.hole doh-client[12114]: [DEBUG doh_client::run] Receive UDP packet: b"Ym\x01\0\0\x01\0\0\0\0\0\x01\x03www\x03rnz\x02de\0\0\x01\0\x01\0\0)\x04\xd0\0\0\0\0\0\0"
Apr 01 00:14:54 pi.hole doh-client[12114]: [DEBUG doh_client::handler] Question is not found in cache
My good old friend bluec0re wrote a small patch that can be added to Cargo.toml before building doh-client in this way. It resolves the issue for www.univie.ac.at, but not for www.rnz.de. The error after applying the patch looks as follows:
[INFO doh_client::remote::session] Try to connect to 1.1.1.1:443: 1
[INFO doh_client::remote::session] Connected to cloudflare-dns.com at 1.1.1.1:443
[ERROR doh_client::handler] Could not retrieve DNS response from server: Decode Error: NotEnoughBytes(2, 2)
[ERROR doh_client::run] Could not handle request: Could not get response for: Dns { id: 17269, flags: Flags { qr: false, opcode: Query, aa: false, tc: false, rd: true, ra: false, ad: false, cd: false, rcode: NoError }, questions: [Question { domain_name: DomainName([Label("rnz"), Label("de")]), q_class: IN, q_type: A }], answers: [], authorities: [], additionals: [OPT(OPT { requestor_payload_size: 1232, extend_rcode: 0, version: 0, dnssec: false, edns_options: [] })] }
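Added example, not doh-client's code and not bluec0re's patch: a small Rust decoder for the EDNS(0) OPT pseudo-RR (RFC 6891) that understands option code 15, the Extended DNS Error option of RFC 8914 (a 2-byte INFO-CODE followed by optional EXTRA-TEXT), keeps unknown option codes instead of failing the whole packet, and reports a truncated RDLENGTH as an error. The first sample is the client's own OPT record as it appears in the HTTP2 bodies in the log above; the second is a constructed (not captured) response OPT carrying an EDE option with INFO-CODE 10, the code described in the linked RFC section.

```rust
// Added example (not doh-client's code): decode an EDNS(0) OPT pseudo-RR per RFC 6891
// and its Extended DNS Error option (code 15, RFC 8914) instead of rejecting the packet.
#[derive(Debug, PartialEq)]
pub enum EdnsOption {
    ExtendedError { info_code: u16, extra_text: String }, // option code 15
    Unknown { code: u16, data: Vec<u8> },                 // RFC 6891: unknown codes are ignored
}
#[derive(Debug, PartialEq)]
pub struct Opt { pub udp_payload_size: u16, pub extended_rcode: u8, pub version: u8,
                 pub dnssec_ok: bool, pub options: Vec<EdnsOption> }
fn be16(b: &[u8], at: usize) -> Result<u16, String> {
    b.get(at..at + 2).map(|s| u16::from_be_bytes([s[0], s[1]]))
        .ok_or_else(|| format!("NotEnoughBytes(2, {}) at offset {at}", b.len().saturating_sub(at)))
}
/// Parse an OPT RR starting at buf[0]. Returns the record and the number of bytes consumed.
pub fn parse_opt(buf: &[u8]) -> Result<(Opt, usize), String> {
    if buf.first() != Some(&0) { return Err("OPT owner name must be root (.)".into()); }
    if be16(buf, 1)? != 41 { return Err("not an OPT record (TYPE != 41)".into()); }
    let udp_payload_size = be16(buf, 3)?;          // CLASS carries the requestor's UDP payload size
    let extended_rcode = *buf.get(5).ok_or("NotEnoughBytes")?;
    let version = *buf.get(6).ok_or("NotEnoughBytes")?;
    let dnssec_ok = (be16(buf, 7)? & 0x8000) != 0;  // DO bit lives in the low 16 bits of the TTL field
    let rdlen = be16(buf, 9)? as usize;
    let rdata = buf.get(11..11 + rdlen).ok_or("NotEnoughBytes: RDLENGTH exceeds buffer")?;
    let (mut options, mut pos) = (Vec::new(), 0);
    while pos < rdata.len() {
        let (code, len) = (be16(rdata, pos)?, be16(rdata, pos + 2)? as usize);
        let data = rdata.get(pos + 4..pos + 4 + len)
            .ok_or(format!("option {code}: OPTION-LENGTH {len} exceeds RDATA"))?;
        options.push(match code {
            15 => EdnsOption::ExtendedError { info_code: be16(data, 0)?,                 // INFO-CODE
                     extra_text: String::from_utf8_lossy(&data[2..]).into_owned() }, // EXTRA-TEXT
            _ => EdnsOption::Unknown { code, data: data.to_vec() },
        });
        pos += 4 + len;
    }
    Ok((Opt { udp_payload_size, extended_rcode, version, dnssec_ok, options }, 11 + rdlen))
}
/// The OPT record the client sent in the log above (payload size 1232, DO clear, no options).
pub fn query_opt_from_log() -> Vec<u8> { b"\0\0)\x04\xd0\0\0\0\0\0\0".to_vec() }
/// Constructed (not captured) response OPT carrying an EDE option with INFO-CODE 10 (RRSIGs Missing).
pub fn constructed_ede_opt() -> Vec<u8> {
    let mut v = vec![0, 0, 41, 0x04, 0xd0, 0, 0, 0, 0, 0, 14]; // root name, TYPE 41, size 1232, RDLENGTH 14
    v.extend_from_slice(&[0, 15, 0, 10, 0, 10]);                // code 15, OPTION-LENGTH 10, INFO-CODE 10
    v.extend_from_slice(b"no RRSIG");                           // 8 bytes of EXTRA-TEXT
    v
}
```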