net: avoid extra dns query per seed #10446
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Concept ACK. The six-byte hash is a good idea; I thought of replacing it with simply the |
|
Concept ACK. |
|
It would be kinda nice if we blocked DNS names from resolving to internal IPs, since that should never happen, and unlike local/tor/whatever, there is no reason you'd ever want to -connect to them. |
|
@TheBlueMatt Agreed in principle. Though they do fail the IsValid test, so we'd never actually attempt a connection to them: https://github.com/bitcoin/bitcoin/pull/10446/files#diff-b64569708508232923e5fe3059396334R216 I can add explicit filtering to resolving if that would make you more comfortable? |
|
Concept ACK, but can you adapt the touched code to the style guide? Agree with @TheBlueMatt, but maybe we should also do that for onion addresses? |
theuni
force-pushed
the
no-double-resolve
branch
from
89a98f0 to
b366b2f
Compare
|
Since there have been no (ut)ACKs and there were several things to change, I went ahead and made changes, squashed, and rebased. I believe this is good to go now. changes since the first round:
|
|
@sipa by filtering onion addresses the same way that internal ones are done here, we'd prevent dns seeds from handing out onion addresses. I'm not sure if the current seeders include those (I think they do), but I see no reason to filter them either way. |
sipa
reviewed
Jun 13, 2017
src/netaddress.h
Outdated
| @@ -45,6 +46,12 @@ class CNetAddr | |||
| */ | |||
| void SetRaw(Network network, const uint8_t *data); | |||
|
|
|||
| /** | |||
| * Transform an arbitrary string into a non-routable ipv6 address. | |||
| * Useful for mapping resolved addresses back to thir source. | |||
There was a problem hiding this comment.
What, no responsible disclosure? Jeez!
We currently do two resolves for dns seeds: one for the results, and one to serve in addrman as the source for those addresses. There's no requirement that the source hostname resolves to the stored identifier, only that the mapping is unique. So rather than incurring the second lookup, combine a private subnet with a hash of the hostname. The resulting v6 ip is guaranteed not to be publicy routable, and has only a negligible chance of colliding with a user's internal network (which would be of no consequence anyway).
In order to prevent mixups, our internal range is never allowed as a resolve result. This means that no user-provided string will ever be confused with an internal address.
This addresss the TODO to avoid resolving twice.
theuni
force-pushed
the
no-double-resolve
branch
from
b366b2f to
6cdc488
Compare
laanwj
reviewed
Jun 22, 2017
src/chainparams.cpp
Outdated
| vSeeds.push_back(CDNSSeedData("petertodd.org", "seed.btc.petertodd.org", true)); // Peter Todd, only supports x1, x5, x9, and xd | ||
| vSeeds.emplace_back("seed.bitcoin.sipa.be", true); // Pieter Wuille, only supports x1, x5, x9, and xd | ||
| vSeeds.emplace_back("dnsseed.bluematt.me", true); // Matt Corallo, only supports x9 | ||
| vSeeds.emplace_back("dnsseed.bitcoin.dashjr.org"); // Luke Dashjr |
There was a problem hiding this comment.
Sorry for the last minute comment, feel free to say you don't want to do it in this PR. But as all these lines are updated I think this is a nice opportunity to remove the default argument for supportsServiceBitsFilteringIn and add explicit , false here.
There was a problem hiding this comment.
No problem, I found one tiny additional thing to change on this today, I'll go ahead with your suggestion while I'm at it.
There was a problem hiding this comment.
Pushed a small commit for this to avoid invalidating review.
|
Added a very small commit to use an internal address for seed nodes. I believe this is ready for merge. |
|
utACK c1be285 |
|
utACK c1be285 |
laanwj
added a commit
that referenced
this pull request
Jun 24, 2017
c1be285 chainparams: make supported service bits option explicit (Cory Fields) d5c7c1c net: use an internal address for fixed seeds (Cory Fields) 6cdc488 net: switch to dummy internal ip for dns seed source (Cory Fields) 6d0bd5b net: do not allow resolving to an internal address (Cory Fields) 7f31762 net: add an internal subnet for representing unresolved hostnames (Cory Fields) Tree-SHA512: 9bf1042bef546ac3ef0e0d3a9a5555eb21628ff2674a0cf8c6367194b22bfdab477adf452c0e7c56f44e0fb37debc5e14bdb623452e076fb9c492c7702601d7a
PastaPastaPasta
pushed a commit
to PastaPastaPasta/dash
that referenced
this pull request
Jul 6, 2019
c1be285 chainparams: make supported service bits option explicit (Cory Fields) d5c7c1c net: use an internal address for fixed seeds (Cory Fields) 6cdc488 net: switch to dummy internal ip for dns seed source (Cory Fields) 6d0bd5b net: do not allow resolving to an internal address (Cory Fields) 7f31762 net: add an internal subnet for representing unresolved hostnames (Cory Fields) Tree-SHA512: 9bf1042bef546ac3ef0e0d3a9a5555eb21628ff2674a0cf8c6367194b22bfdab477adf452c0e7c56f44e0fb37debc5e14bdb623452e076fb9c492c7702601d7a
PastaPastaPasta
pushed a commit
to PastaPastaPasta/dash
that referenced
this pull request
Jul 8, 2019
c1be285 chainparams: make supported service bits option explicit (Cory Fields) d5c7c1c net: use an internal address for fixed seeds (Cory Fields) 6cdc488 net: switch to dummy internal ip for dns seed source (Cory Fields) 6d0bd5b net: do not allow resolving to an internal address (Cory Fields) 7f31762 net: add an internal subnet for representing unresolved hostnames (Cory Fields) Tree-SHA512: 9bf1042bef546ac3ef0e0d3a9a5555eb21628ff2674a0cf8c6367194b22bfdab477adf452c0e7c56f44e0fb37debc5e14bdb623452e076fb9c492c7702601d7a
PastaPastaPasta
pushed a commit
to PastaPastaPasta/dash
that referenced
this pull request
Jul 9, 2019
c1be285 chainparams: make supported service bits option explicit (Cory Fields) d5c7c1c net: use an internal address for fixed seeds (Cory Fields) 6cdc488 net: switch to dummy internal ip for dns seed source (Cory Fields) 6d0bd5b net: do not allow resolving to an internal address (Cory Fields) 7f31762 net: add an internal subnet for representing unresolved hostnames (Cory Fields) Tree-SHA512: 9bf1042bef546ac3ef0e0d3a9a5555eb21628ff2674a0cf8c6367194b22bfdab477adf452c0e7c56f44e0fb37debc5e14bdb623452e076fb9c492c7702601d7a
PastaPastaPasta
pushed a commit
to PastaPastaPasta/dash
that referenced
this pull request
Jul 11, 2019
c1be285 chainparams: make supported service bits option explicit (Cory Fields) d5c7c1c net: use an internal address for fixed seeds (Cory Fields) 6cdc488 net: switch to dummy internal ip for dns seed source (Cory Fields) 6d0bd5b net: do not allow resolving to an internal address (Cory Fields) 7f31762 net: add an internal subnet for representing unresolved hostnames (Cory Fields) Tree-SHA512: 9bf1042bef546ac3ef0e0d3a9a5555eb21628ff2674a0cf8c6367194b22bfdab477adf452c0e7c56f44e0fb37debc5e14bdb623452e076fb9c492c7702601d7a
barrystyle
pushed a commit
to PACGlobalOfficial/PAC
that referenced
this pull request
Jan 22, 2020
c1be285 chainparams: make supported service bits option explicit (Cory Fields) d5c7c1c net: use an internal address for fixed seeds (Cory Fields) 6cdc488 net: switch to dummy internal ip for dns seed source (Cory Fields) 6d0bd5b net: do not allow resolving to an internal address (Cory Fields) 7f31762 net: add an internal subnet for representing unresolved hostnames (Cory Fields) Tree-SHA512: 9bf1042bef546ac3ef0e0d3a9a5555eb21628ff2674a0cf8c6367194b22bfdab477adf452c0e7c56f44e0fb37debc5e14bdb623452e076fb9c492c7702601d7a
random-zebra
added a commit
to PIVX-Project/PIVX
that referenced
this pull request
Jun 9, 2021
fcdf87a Populate services in GetLocalAddress (Alex Morcos) a0a079f Return early in IsBanned. (Gregory Maxwell) 7772138 Remove redundant nullptr checks before deallocation (practicalswift) 5390862 net: remove unimplemented functions. (furszy) 74d0482 Limit setAskFor and retire requested entries only when a getdata returns. (Gregory Maxwell) 3b3bf63 prevent peer flooding request queue for an inv (kazcw) c814967 Fix subscript[0] potential bugs in key.cpp (Jeremy Rubin) 8e2e79e Remove unnecessary branches in utilstrencodings string constructors. (Jeremy Rubin) 25a16b3 Fix subscript[0] in utilstrencodings.cpp (Jeremy Rubin) df0584e Fix subscript[0] in streams.h (Jeremy Rubin) b7e64a5 Fix subscript[0] in validation.cpp (Jeremy Rubin) 2f7b73b Fix subscript[0] in torcontrol (Jeremy Rubin) 3b883eb Fix subscript[0] in netaddress.cpp (Jeremy Rubin) e5f5401 Fix subscript[0] in base58.cpp (Jeremy Rubin) 7d4ec87 Cleanup (safe, it was checked) subscript[0] in MurmurHash3 (and cleanup MurmurHash3 to be more clear). (Jeremy Rubin) 5e14f54 Fix subscript[0] in compressor.cpp (Jeremy Rubin) 48a622d Fix subscript[0] bug in net.cpp if GetGroup returns a 0-sized vector (Jeremy Rubin) af4cba3 net: use an internal address for fixed seeds (Cory Fields) 36368c5 net: switch to dummy internal ip for dns seed source (Cory Fields) 8f31295 net: do not allow resolving to an internal address (Cory Fields) 8ba3a40 net: add an internal subnet for representing unresolved hostnames (Cory Fields) c60b875 fix uninitialized read when stringifying an addrLocal (Kaz Wesley) 3d36540 add test demonstrating addrLocal UB (Kaz Wesley) Pull request description: Grouped some net updates (plus a miscellaneous one) coming from upstream. Part of another deep rabbit hole that i'm doing in parallel of the tier two work. PRs List: * bitcoin#7079. * bitcoin#9804. * bitcoin#10424 * bitcoin#10446. * bitcoin#10564. * bitcoin#14728. ACKs for top commit: random-zebra: Code ACK fcdf87a Tree-SHA512: ee81c834641aa6fdb9ca4396657457358a4b32f7862d60716e914dcfc2d355970937bd0fb4e164faaa0f4ea26d263ca8a2af4d8d5d6615b2db5bf89ec70d15f3
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This addresses the TODO here: https://github.com/bitcoin/bitcoin/blob/master/src/net.cpp#L1604 and is necessary before introducing async dns queries.
Right now, we resolve an extra hostname for each dns seed, so that we have some source ip to identify them with in addrman. It's entirely arbitrary and unnecessary.
Instead, create a dummy "ip" for this association with a prefix of fd6b:88c0:8724::/48 (fd + sha256(bitcoin)[0:5]).
I've also changed the "source ip" to match a hash of the host with the subdomain included, rather than having all results mapped to the top-level domain.
I'm not sure whether we need to bother with addrman forwards-compatibility for graceful downgrades. Thoughts on that?