From b872dd0e1e98869d76ffe0b9878e799d92ac0cc1 Mon Sep 17 00:00:00 2001 From: Simone Basso Date: Fri, 13 May 2022 19:00:51 +0200 Subject: [PATCH] fix(netxlite): HTTPSSvc: better no_answer checks (#727) I've seen some measurements returning some IP addresses for HTTPSSvc queries but not returning any ALPN value. For example: ``` % d4 decoding DNS round trip 0: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57768 ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;psiphon.ca. IN HTTPS ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57768 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;psiphon.ca. IN HTTPS ;; ANSWER SECTION: psiphon.ca. 121 IN A 31.13.85.53 ``` Now, the response is clearly bogus. At the time of this writing that IP address belongs to Facebook. This measurement has been collected in China, so it's expected for the GFW to behave like this. Yet, I don't feel like it's accurate to report this measurement as a "no answer" response. Rather, this response is a valid one containing a clearly invalid IP address and should be flagged as such. Originally: https://github.com/bassosimone/websteps-illustrated/commit/57a023bcf4ebb1dd9dbdac83c18dc53a165011f8 See https://github.com/ooni/probe/issues/2096 --- internal/netxlite/dnsdecoder.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/internal/netxlite/dnsdecoder.go b/internal/netxlite/dnsdecoder.go index fda5a47..6a08e0a 100644 --- a/internal/netxlite/dnsdecoder.go +++ b/internal/netxlite/dnsdecoder.go @@ -32,7 +32,11 @@ func (d *DNSDecoderMiekg) DecodeHTTPS(data []byte) (*model.HTTPSSvc, error) { if err != nil { return nil, err } - out := &model.HTTPSSvc{} + out := &model.HTTPSSvc{ + ALPN: []string{}, // ensure it's not nil + IPv4: []string{}, // ensure it's not nil + IPv6: []string{}, // ensure it's not nil + } for _, answer := range reply.Answer { switch avalue := answer.(type) { case *dns.HTTPS: @@ -52,7 +56,7 @@ func (d *DNSDecoderMiekg) DecodeHTTPS(data []byte) (*model.HTTPSSvc, error) { } } } - if len(out.ALPN) <= 0 { + if len(out.IPv4) <= 0 && len(out.IPv6) <= 0 { return nil, ErrOODNSNoAnswer } return out, nil