DNS truncation and can't access admin.google.com from within AppVM


Taylor Hornby

Oct 11, 2015, 1:40:45 PM
to qubes-users
Hey qubes-users,

I've installed Qubes 3.0 RC3 which has been fully updated. I'm encountering an issue with the following symptoms:

- In all of my AppVMs (debian-based and fedora-based), web browsing works normally except for browsing to certain domains like `admin.google.com`. On those domains, the browser can't resolve the DNS.

- If you try to do an nslookup in a terminal in the AppVM, you get:

user@superaccounts:~$ nslookup admin.google.com
;; Truncated, retrying in TCP mode.
;; Connection to 10.137.2.1#53(10.137.2.1) for admin.google.com failed: host unreachable.
^C (... seems to hang forever ...)

- Other domains seem to work:

user@superaccounts:~$ nslookup bqp.io
Server:        10.137.2.1
Address:    10.137.2.1#53

Name:    bqp.io
Address: 192.95.8.31

- Using dig instead of nslookup within the AppVM works, even for admin.google.com.

- Here are the resolvers (default):

user@superaccounts:~$ cat /etc/resolv.conf
nameserver 10.137.2.1
nameserver 10.137.2.254

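- The only thing I've found that seems related is this, mentioning truncation and TCP being firewalled:

https://groups.google.com/forum/#!searchin/qubes-users/DNS$20truncate/qubes-users/ndbPjm71CxY/haG46YnEJKcJ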

I suspect that `admin.google.com` is victim to this because the result when you query for its A record is huge; you get back 16 IP addresses. The workaround I'm using is to manually edit `/etc/resolv.conf`, changing the nameserver to `8.8.8.8` and then restarting iceweasel.

Can anyone else reproduce it? Any ideas for a better way to fix it?

Jeremias E.

Oct 11, 2015, 7:30:19 PM
to qubes-users
Hello,

I was not able to reproduce it with Firefox running under a Fedora AppVM.
Have you tried another browser?

You could route your traffic through a tor vm.

Best regards
  J. Eppler

Marek Marczykowski-Górecki

Oct 11, 2015, 7:40:15 PM
to Taylor Hornby, qubes-users
On Sun, Oct 11, 2015 at 10:40:45AM -0700, Taylor Hornby wrote:
> - The only thing I've found that seems related is this, mentioning
> truncation and TCP being firewalled:
>
> https://groups.google.com/forum/#!searchin/qubes-users/DNS$20truncate/qubes-users/ndbPjm71CxY/haG46YnEJKcJ
>
> I suspect that `admin.google.com` is victim to this because the result when
> you query for its A record is huge; you get back 16 IP addresses. The
> workaround I'm using is to manually edit `/etc/resolv.conf`, changing the
> nameserver to `8.8.8.8` and then restarting iceweasel.
>
> Can anyone else reproduce it? Any ideas for a better way to fix it?

Oops, we have ignored the fact that DNS can also use TCP...

Copied the report here:
https://github.com/QubesOS/qubes-issues/issues/1325

Take a look at this commit:
https://github.com/marmarek/qubes-core-agent-linux/commit/ce443b2e182997d8a4ca377ef00c2ceb4fb0c59e

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Taylor Hornby

Oct 12, 2015, 2:45:52 PM
to Marek Marczykowski-Górecki, qubes-users
On Mon, 2015-10-12 at 01:40 +0200, Marek Marczykowski-Górecki wrote:
> On Sun, Oct 11, 2015 at 10:40:45AM -0700, Taylor Hornby wrote:
> > - The only thing I've found that seems related is this, mentioning
> > truncation and TCP being firewalled:
> >
> > https://groups.google.com/forum/#!searchin/qubes-users/DNS$20truncate/qubes-users/ndbPjm71CxY/haG46YnEJKcJ
> >
> > I suspect that `admin.google.com` is victim to this because the result when
> > you query for its A record is huge; you get back 16 IP addresses. The
> > workaround I'm using is to manually edit `/etc/resolv.conf`, changing the
> > nameserver to `8.8.8.8` and then restarting iceweasel.
> >
> > Can anyone else reproduce it? Any ideas for a better way to fix it?
>
> Oops, we have ignored the fact that DNS can also use TCP...
>
> Copied the report here:
> https://github.com/QubesOS/qubes-issues/issues/1325
>
> Take a look at this commit:
> https://github.com/marmarek/qubes-core-agent-linux/commit/ce443b2e182997d8a4ca377ef00c2ceb4fb0c59e
>

[re-sending this because I just realized I accidentally replied off-
list, sorry]

I manually applied the patch to /usr/lib/qubes/qubes-setup-dnat-to-ns
in the fedora-21 TemplateVM and it fixed the problem, thanks!

I still get

        ;; Truncated, retrying in TCP mode.

at the top of the nslookup output, but I get that on my Arch Linux PC,
too, so I don't think it's a Qubes problem. I wonder if Google is aware
of it.

-Taylor
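
The failure discussed in this thread, as an added example that is not part of any poster's message and is not Qubes code: a small probe that sends a plain (non-EDNS) query over UDP, checks the TC (truncated) bit, and then tries the same query over TCP port 53, which is the step that failed with "host unreachable" above. The function names and the two sample headers are constructed for illustration.

```python
import socket
import struct
import sys

TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags word (RFC 1035)

def build_query(name, qid=0x1234, qtype=1):
    """Plain recursive A query without EDNS, so replies are capped at 512 bytes."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def is_truncated(response):
    """True when the server set TC, telling the client to retry over TCP."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)

def frame_tcp(message):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def probe(server, name, timeout=3.0):
    """Return 'udp-ok', 'tcp-ok' or 'tcp-failed' for one resolver address."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(512)
    if not is_truncated(reply):
        return "udp-ok"  # answer fit in one datagram, TCP never needed
    try:
        with socket.create_connection((server, 53), timeout=timeout) as tcp:
            tcp.sendall(frame_tcp(query))
            return "tcp-ok" if len(tcp.recv(2)) == 2 else "tcp-failed"
    except OSError:
        return "tcp-failed"  # only UDP/53 is forwarded to the real resolver

# Constructed 12-byte response headers: QR+TC+RD+RA set, and the same without TC.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
SAMPLE_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 16, 0, 0)

if __name__ == "__main__" and len(sys.argv) == 3:
    print(probe(sys.argv[1], sys.argv[2]))  # e.g. 10.137.2.1 admin.google.com
```

A result of `tcp-failed` for a name that returns `udp-ok` or `tcp-ok` against another resolver points at the forwarding path rather than the upstream server.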