[dnsdist-1.8.4] The sessionTimeout is invalid? #14808
-
I have read the relevant parameter documentation about addDOHLocal in the dnsdist documentation and found a parameter called sessionTimeout. I also read about TLS session management, which mentions two reuse mechanisms. I am currently trying the first method, which is to have the server keep the session ID. I believe that the sessionTimeout in the addDOHLocal function controls the timeout period of this session. I set it to 30 seconds and restarted the dnsdist service. The following is the relevant dnsdist configuration:

```lua
addLocal("0.0.0.0:53")
addDOHLocal("0.0.0.0:443", {"/home/test.crt"}, {"/home/test.key"}, "/dns-query", {reusePort=true,sessionTimeout=30})
newServer({address="127.0.0.1:530", useClientSubnet=true, healthCheckMode="up"})
setECSSourcePrefixV4(32)
setECSSourcePrefixV6(128)
setECSOverride(true)
```

I use a session in Python to perform DoH access to the service and Wireshark to capture packets, but I found that no matter what value sessionTimeout is set to, even if it is less than 10 seconds, the reuse of the session connection only happens within 10 seconds. When the interval exceeds 10 seconds, a re-authentication process is performed. The following figure shows visits with intervals of less than 10 seconds within the same session. The following figure shows visits with intervals of more than 10 seconds within the same session. Finally, the py script is attached:

```python
import time
import base64
import urllib3
import requests
import dns.message

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# A single requests.Session reuses the underlying HTTP connection (keep-alive)
# between calls.
session = requests.session()


def doh(resolver, domain, dns_type):
    message = dns.message.make_query(domain, dns_type)
    # RFC 8484 GET form: the query goes in ?dns= as base64url without padding
    # (urlsafe_b64encode, not plain b64encode, which can emit '+' and '/').
    address = resolver + "?dns=" + base64.urlsafe_b64encode(message.to_wire()).decode("UTF8").rstrip("=")
    # A GET carries no body, so Accept (not Content-type) is the relevant header.
    response = session.get(address, headers={"Accept": "application/dns-message"}, verify=False)
    decode_resp = dns.message.from_wire(response.content, continue_on_error=True)
    print(decode_resp)


if __name__ == '__main__':
    doh("https://x.x.x.x/dns-query", "example.com", "A")
    time.sleep(12)
    doh("https://x.x.x.x/dns-query", "google.com", "A")
    session.close()
```
Replies: 4 comments 4 replies
-
I think there's some confusion between the Python notion of a session and a TLS session. Reading https://dnsdist.org/advanced/tls-sessions-management.html might help.
-
I tried your example and I'm seeing a dnsdist-initiated closing of the connection after 10s. Playing with the options
-
@rgacogne I have found an issue regarding TLS session recovery. Can you give me some advice? Thank you.
-
I'm only addressing the part about `idleTimeout` because so far it's not clear to me what is not working as expected with TLS sessions. `idleTimeout` sets the time, in seconds, that dnsdist will allow an incoming HTTP/2 connection to remain open without any new query being received. Note that I really do mean HTTP/2 here, as this setting does not apply to HTTP/1: as far as I can tell there is no such setting for HTTP/1 in `h2o`, and we do not support HTTP/1 when `nghttp2` is used instead of `h2o` (dnsdist 1.9+). The problem with your test is that the `requests` library does not support HTTP/2. I confirmed the idle timeout works well using `pycurl` instead of `requests`:

```python
import time
import base64
import pycurl
import dns.message

# One easy handle: libcurl keeps the HTTP/2 connection open between perform()
# calls on the same handle, so the server-side idle timeout becomes observable.
conn = pycurl.Curl()
conn.setopt(pycurl.SSL_VERIFYPEER, 0)
conn.setopt(pycurl.SSL_VERIFYHOST, 0)
# this means "really do HTTP/2, not HTTP/1 with Upgrade headers"
conn.setopt(pycurl.HTTP_VERSION, pycurl.CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE)
conn.setopt(pycurl.HTTPHEADER, ["Content-type: application/dns-message",
                                "Accept: application/dns-message"])
conn.setopt(pycurl.TIMEOUT_MS, 1000)


def doh(resolver, domain, dns_type):
    message = dns.message.make_query(domain, dns_type)
    # RFC 8484 GET form: base64url without padding
    address = resolver + "?dns=" + base64.urlsafe_b64encode(message.to_wire()).decode("UTF8").rstrip("=")
    conn.setopt(pycurl.URL, address)
    response = conn.perform_rb()
    rcode = conn.getinfo(pycurl.RESPONSE_CODE)
    decode_resp = dns.message.from_wire(response, continue_on_error=True)
    print("HTTP status:", rcode)
    print(decode_resp)


if __name__ == '__main__':
    doh("https://x.x.x.x/dns-query", "example.com", "A")
    time.sleep(12)
    doh("https://x.x.x.x/dns-query", "google.com", "A")
```
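The thread turns on the difference between an HTTP connection being kept open (what a `requests.Session` and dnsdist's `idleTimeout` are about) and a TLS session being resumed on a fresh connection (what `sessionTimeout` is about). The following is an added example written for this page, not code from the thread or from the dnsdist project: a stdlib-only Python checker that measures TLS session resumption directly. Each query opens a brand-new TCP+TLS connection with `Connection: close`, so no HTTP keep-alive can be mistaken for resumption; the second connection offers the first one's TLS session and reports what Python's `ssl` module saw in `session_reused`. It speaks HTTP/1.1, which the h2o-based 1.8.x in the thread accepts but, as noted above, an nghttp2-based 1.9+ build will not. The endpoint `x.x.x.x`, port 443 and path `/dns-query` are assumptions taken from the thread's placeholders, and `verify=False` mirrors the thread's self-signed test certificate; the DNS wire encoding is done by hand so the helpers run without dnspython.

```python
import base64
import socket
import ssl
import struct
import time
import urllib.parse


def build_dns_query(name, qtype=1, qid=0):
    """Minimal RFC 1035 query in wire format: one question, RD bit set, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_path(path, wire):
    """RFC 8484 GET form: the query goes in ?dns= as base64url *without* padding.
    Plain base64 ('+', '/') is wrong here and breaks on some queries."""
    return path + "?dns=" + base64.urlsafe_b64encode(wire).decode("ascii").rstrip("=")


def decode_doh_param(url):
    """Inverse of doh_get_path, useful for checking what a client really sent."""
    value = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def parse_dns_header(wire):
    """Return (id, rcode, answer count) from a wire-format DNS message."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    return qid, flags & 0x0F, an


def doh_get_once(host, port, path, wire, ctx, session=None, timeout=5.0):
    """One DoH query over a brand-new TCP+TLS connection (HTTP/1.1, Connection: close).
    Offers `session` for resumption if given; returns (body, tls_session, resumed)."""
    raw = socket.create_connection((host, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
        req = ("GET {} HTTP/1.1\r\nHost: {}\r\nAccept: application/dns-message\r\n"
               "Connection: close\r\n\r\n").format(doh_get_path(path, wire), host)
        tls.sendall(req.encode("ascii"))
        chunks = []
        while True:  # Connection: close, so read until the server closes
            data = tls.recv(4096)
            if not data:
                break
            chunks.append(data)
        # With TLS 1.3 the session ticket arrives after the handshake, so only
        # capture tls.session once application data has been exchanged.
        resumed, new_session = tls.session_reused, tls.session
    _head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    return body, new_session, resumed


def check_resumption(host, port, path, name, gap_seconds, verify=True):
    """Two queries on two separate connections, gap_seconds apart; the second
    offers the first connection's TLS session. Returns True if it was resumed."""
    ctx = ssl.create_default_context()
    if not verify:  # self-signed test certificate, as in the thread's verify=False
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    body1, sess, _ = doh_get_once(host, port, path, build_dns_query(name, qid=1), ctx)
    time.sleep(gap_seconds)
    body2, _, resumed = doh_get_once(host, port, path, build_dns_query(name, qid=2), ctx, session=sess)
    for body in (body1, body2):
        _, rcode, answers = parse_dns_header(body)
        print("rcode", rcode, "answers", answers)
    return resumed


if __name__ == "__main__":
    # Hypothetical endpoint (the thread's placeholder); point it at the dnsdist DoH listener.
    print("TLS session resumed:",
          check_resumption("x.x.x.x", 443, "/dns-query", "example.com", 12, verify=False))
```

Run it with a gap shorter than `sessionTimeout` and then with one longer than it: the first run should print `True` and the second `False`, independently of `idleTimeout`, because every query already uses a fresh connection. The body parsing assumes a Content-Length framed response rather than chunked encoding, which is what dnsdist sends for these small answers; if a different server chunks the body, only the resumption result is meaningful. Reusing the same `ssl.SSLContext` for both connections is required, as `ssl` refuses a session created under another context.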