There's some rough edges in the mobile UI/UX right now, for both the website and the resolver UI.

I'm seeing old gen grow and settle down at about 50MB right now. I assume most of this is RRs in the cache.

https://www.ietf.org/rfc/rfc4592.txt

specifically this portion:

2.2.1.  An Example

   To illustrate what is meant by existence consider this complete zone:

      $ORIGIN example.
      example.                 3600 IN  SOA   <SOA RDATA>
      example.                 3600     NS    ns.example.com.
      example.                 3600     NS    ns.example.net.
      *.example.               3600     TXT   "this is a wildcard"
      *.example.               3600     MX    10 host1.example.
      sub.*.example.           3600     TXT   "this is not a wildcard"
      host1.example.           3600     A     192.0.2.1
      _ssh._tcp.host1.example. 3600     SRV   <SRV RDATA>
      _ssh._tcp.host2.example. 3600     SRV   <SRV RDATA>
      subdel.example.          3600     NS    ns.example.com.
      subdel.example.          3600     NS    ns.example.net.

   A look at the domain names in a tree structure is helpful:

                                  |
                  -------------example------------
                 /           /         \          \
                /           /           \          \
               /           /             \          \
              *          host1          host2      subdel
              |            |             |
              |            |             |
             sub         _tcp          _tcp
                           |             |
                           |             |
                         _ssh          _ssh

   The following responses would be synthesized from one of the
   wildcards in the zone:

      QNAME=host3.example. QTYPE=MX, QCLASS=IN
           the answer will be a "host3.example. IN MX ..."

      QNAME=host3.example. QTYPE=A, QCLASS=IN
           the answer will reflect "no error, but no data"
           because there is no A RR set at '*.example.'

Specifically I suspect we'll currently return NAME_ERROR for this example:

      QNAME=host3.example. QTYPE=A, QCLASS=IN
           the answer will reflect "no error, but no data"
           because there is no A RR set at '*.example.'

I think we might need to have the DBAuthorityRRSource pull back all types+classes so it can make this decision in app code. the return type might also need to be modified so it can represent the difference between "name not found" and "name found but no RR's matched search". Maybe it throws a NameError exception - except that I don't think that necessarily merits using an exception and it's probably not good to be generating a stack trace etc for something that's not really exceptional from the perspective of the program. So while I'm not hugely fond of the API that presents, the return type is probably the right place for this information to go.

Example UI:

Clients:

Default: on/off

Always on for: [list of ip's]
Always off for: [list of ip's]

https://www.ietf.org/rfc/rfc4592.txt

right now we just return an NXDOMAIN error, but this prevent the client from potentially caching the negative.

to support https://github.com/notracking/hosts-blocklists

example:

address=/0--e.info/#

should result in a blocked_name of 0--e.info

an error shows up in the browser console.

Doesnt resolve, not sure what's up

basically, it's a box that you put a URL in and it strips it down to the domain, then clears all RR's for all subdomains up to (but excluding) the TLD.

This will allow running a less-interesting DNS server like bind9 as a secondary nameserver. It doesn't really make sense to run 2 full comfydns installs and there's not a lot of point in running a resolver-only comfydns.

I don't support subdomains, only TLD's. Let's fix that.

Need to remove constraint of "No dots" in TLD name creation, and stop calling them TLD's.

Also need to add a constraint of not dots in host records under (sub)domains

I need to use a LIFO data structure instead of a FIFO

e.g. I have a cached negative response for ci.josh.cafe but I just created it and would like it to resolve.

I want to check more rigorously that the resolver is correct.

I should:

1. consolidate all responses into a single "SendResponseState" that fires off the final response.
2. add an option to, prior to that last state, fly a request to 8.8.8.8 to double check my answer against theirs

in the future maybe it can send mismatches to comfydns.com?

I just read https://news.ycombinator.com/item?id=39255423 and I can't offhand recall exactly how I handle tcp truncation. I suspect I either throw an exception while converting the 2-octet length field or I silently overflow while converting a >16bit value.

Should double check the logic and tighten things up as needed.

comment captured:

That's an excellent question! When I was writing that I was pretty deep in DNS code and standards I think I just understood that as a rule of DNS. Or at the least, I believed I understood. Looking back a decade later I can't find any standard which supports my statement. However lots of other secondary sources seem to agree with me.
"In these situations, the client needs to re-transmit over TCP for which the size limit is 64000 bytes" [0]
"The first response via UDP is, no surprise, truncated, so we retry via TCP. But now the DNS result delivered via TCP is also truncated! That is, the DNS server has determined that the result will not fit into the maximum response size. Why is that?
"Our payload is 4096 * 16 = 65536 bytes RDATA, which should fit into the DNS packet, which uses a two byte RDLENGTH field. But we also need to again account for the overhead noted above: 12 bytes DNS header, 36 bytes for the query, 11 bytes additional records, and 16 bytes for each A record, yielding (4096 * 16) + 12 + 36 + 11 = 65595 bytes in total. And the maximum size of an IP packet is 16 bit (via the IPv4 total length / IPv6 payload length). And that is now our limiting factor: 65536 bytes for DNS overhead + payload."
My best guess is that DNS just makes the assumption that everything needs to fit in a single IP packet and it doesn't care if it is UDP or TCP.
It is worth investigating if you have spare time.
[0]: https://www.infoblox.com/dns-security-resource-center/dns-se...
[1]: https://www.netmeister.org/blog/dns-size.htm

Make log output suitable for log analysis

https://go.redirectingat.com/?id=92X590208&xcust=pcg_us_7022473153218810000&xs=1&url=https%3A%2F%2Fwww.asus.com%2FMini-PCs%2FMini-PC-PN50%2F&sref=https%3A%2F%2Fwww.pcgamer.com%2Fasus-unveils-a-nuc-competitor-with-amd-ryzen-and-radeon-hardware-inside

it's annoying to debug resolver/cache problems in text logs. so it's time to leverage TECHNOLOGY

I want to add a /trace page that has a text field. You type a query into the text field and submit it. CDNS then resolves the query but retains a bunch of query execution logging data for that query chain. The page then loads that and displays it in a very nice and easy to follow way.

Stretch goal: also run the same query with a totally clean cache. and be able to flip between the two to diff them.

Technical design:

there's a new task type, TRACE_TASK. the web UI creates one when you submit the text field.

there's a new DB table, trace_log, which will hold these long-term (and be deletable from the UI). some sub table, trade_log_entry will hold the individual parts.

The resolver will probably need to support some kind of observer pattern for the resolution steps.... I need to think more about that.

also add on conflict do nothing to cache statement

this lets you remove deleted servers without manually touching the db

There can be only one.

Joking aside, there's no need to ever have more than one comfydns resolver.

When I implemented this feature, I was imagining that you would potentially run:

• a database server
• a primary cdns resolver
• a secondary cdns resolver
• the web UI

all on separate hosts. And you might want to stage DNS changes, deploy them to the primary, and then potentially either roll back or fail over to the secondary. And obviously you want the secondary in case hardware fails on the primary or something.

I think a better setup would be:

• a db server
• a primary cdns server
• a secondary bind9 running as a dummy that only zone transfers your zones from the cdns resolver (since cdns supports AXFR)
• the web UI

Or more normally:

• cdns in a box
• a secondary bind9-transfer-only server as above

So in both scenarios it seems like it's just better to have one comfydns resolver and have the secondary be a resolver that isn't dependent on a relational database.

The happy path for multi-question queries is OK, but generally I'm too aggressive about short-circuiting when anything goes wrong with one of the questions.

This might be OK but I should double-check all my error handling to make sure giving up on the request is OK, or if I should try to set the rcode conservatively (NAME_ERROR if any of the questions had a name error) but keep going and try to return as many useful records as I can find.

1. Install unhandled exception handlers to make sure I'm getting all my logs
2. Consider adding object lifetime hooks (maybe the new Cleaner API?), and set some state in Request objects so that they mark when an answer has gone out for them, and then in the hook, if the request hasn't been answered, mark that request as lost in prometheus (increment a new requests_lost metric)
3. Go through and put extra guardrail logic in to see if we can get better coverage of exception handling: there's small bits of logic that I think might be able to throw exceptions that won't get caught, like when we're setting up callbacks and such.

• extract an interface
• implement one backed live by the db

the main issue is that I precompute PTR and NS records. But I probably shouldn't.

• move PTR and NS record generation to the rails frontend
• add a convenience button that auto-gens PTR records for all existing A records.