Dear HAProxy Maintainers,

In dns_read_name(), when a DNS name is used with name compression and the start position of the name is greater than 255, the name is read from an incorrect position (actual position % 256). This causes an "Invalid dns error" and the backend is marked as down permanently.

E.g.: hexadecimal value at the start of the DNS name "0xc1 1b". "0xc" specifies that name compression is being used. In this scenario only "1b" (27) is taken as the start of the name, but the actual name starts at "11b" (283).
This is a regression starting from version 1.7.0 and is present in the current version.

Resolution: include the nibble from the byte used for checking compression, i.e. take "11b" as the start position of the DNS name. I am attaching a patch to fix this bug.

HAProxy config to reproduce the bug:

    resolvers dns-server
        nameserver dnsmasq 8.8.8.8:53
        hold valid 300s

    global
        stats socket /var/run/haproxy-admin.sock mode 600 level admin
        ssl-server-verify none

    defaults
        mode http
        timeout connect 30000ms
        timeout client 30000ms
        timeout server 30000ms

    frontend http-in
        default_backend servers
        bind *:80

    backend servers
        http-request set-header Host southeastasia.api.cognitive.microsoft.com
        server southeastasia.api.cognitive.microsoft.com southeastasia.api.cognitive.microsoft.com:443 ssl check resolvers dns-server resolve-prefer ipv4

Please let me know if any more information is needed.

Thanks and Regards,
Nikhil Agrawal
Attachment: dns-name-error.patch
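The following is an added example, not the attached patch and not HAProxy's own dns_read_name(). It shows the two ways of computing the offset from a DNS compression pointer (the second-byte-only reading the report describes, and the full 14-bit reading from RFC 1035 section 4.1.4), and a small name decoder built on the correct one that also rejects pointer loops and truncated messages. The message buffer is constructed for the example: zero padding, the name at offset 283 (0x11b), and the pointer bytes 0xc1 0x1b at offset 296, exactly the pair from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offset as the report says the affected code computed it: only the second
 * byte of the pointer is used, so any offset above 255 is reduced mod 256. */
int pointer_offset_buggy(const uint8_t *p)
{
    return p[1];
}

/* Correct reading (RFC 1035 4.1.4): the top two bits of the first byte (0xc0)
 * flag a pointer; the remaining 14 bits, high byte first, are the offset. */
int pointer_offset_fixed(const uint8_t *p)
{
    return ((p[0] & 0x3f) << 8) | p[1];
}

/* Decode the name at msg[pos] into out as a dotted string.
 * Returns the number of bytes consumed at the original position (2 when the
 * name is just a pointer), or -1 for malformed input: a pointer past the end,
 * a truncated label, an unknown label type (01/10 prefixes), or a pointer chain
 * longer than 16 hops, which catches self-referencing loops. */
int dns_name_decode(const uint8_t *msg, size_t msg_len, size_t pos,
                    char *out, size_t out_len)
{
    size_t consumed = 0, out_pos = 0;
    int jumped = 0, hops = 0;

    if (out_len == 0)
        return -1;
    for (;;) {
        if (pos >= msg_len)
            return -1;
        uint8_t len = msg[pos];
        if ((len & 0xc0) == 0xc0) {
            if (pos + 1 >= msg_len || ++hops > 16)
                return -1;
            if (!jumped)
                consumed += 2;          /* the pointer itself, only once */
            jumped = 1;
            pos = (size_t)pointer_offset_fixed(msg + pos);
            continue;
        }
        if (len & 0xc0)
            return -1;                  /* reserved label types */
        if (!jumped)
            consumed += 1 + len;
        pos++;
        if (len == 0)
            break;                      /* root label ends the name */
        if (pos + len > msg_len || out_pos + len + 2 > out_len)
            return -1;
        if (out_pos)
            out[out_pos++] = '.';
        memcpy(out + out_pos, msg + pos, len);
        out_pos += len;
        pos += len;
    }
    out[out_pos] = '\0';
    return (int)consumed;
}

#define NAME_OFFSET 283   /* 0x11b: where the real name starts (constructed) */
#define PTR_OFFSET  296   /* where the pointer 0xc1 0x1b is placed (constructed) */

/* Build the constructed message; returns its length, or 0 if cap is too small. */
size_t build_sample(uint8_t *msg, size_t cap)
{
    /* Literals are split so "\x07" does not swallow the hex digit 'e'. */
    static const uint8_t name[] = "\x07" "example" "\x03" "com";
    if (cap < PTR_OFFSET + 2)
        return 0;
    memset(msg, 0, cap);
    memcpy(msg + NAME_OFFSET, name, sizeof name);  /* sizeof includes the root NUL */
    msg[PTR_OFFSET] = 0xc1;
    msg[PTR_OFFSET + 1] = 0x1b;
    return PTR_OFFSET + 2;
}

int main(void)
{
    uint8_t msg[512];
    char name[256];
    size_t len = build_sample(msg, sizeof msg);
    int n = dns_name_decode(msg, len, PTR_OFFSET, name, sizeof name);

    printf("pointer 0xc1 0x1b: fixed offset %d, second-byte-only offset %d\n",
           pointer_offset_fixed(msg + PTR_OFFSET),
           pointer_offset_buggy(msg + PTR_OFFSET));
    printf("decoded \"%s\", consumed %d bytes\n", name, n);
    return 0;
}
```

With the second-byte-only offset the decoder would start at byte 27, inside the zero padding, and read an empty name instead of example.com; that is the mismatch the report attributes to the "Invalid dns error".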