Acknowledge different types of error from NotifyOnDNSMsg #36990
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
github-actions
bot
added
the
sig/policy
NotifyOnDNSMsg can send three types of error for each call. The DNS proxy needs to forward/deny the processing further based on these errors. Signed-off-by: Vipul Singh <singhvipul@microsoft.com>
vipul-21
force-pushed
the
singhvipul/errorhandling
branch
from
9d00c48 to
17365e5
Compare
| } | ||
| switch notifyOnDNSMsgContext.ErrorType { | ||
| case ErrTimeout: | ||
| scopedLog.Warn("Timeout waiting for processing of DNS query") |
There was a problem hiding this comment.
Can you motivate a bit more why it's better to have the client time out than being sent a REFUSED? Is this about retries?
There was a problem hiding this comment.
Yes correct, if it is refused there won't be retry from the client.
| DNSProxyResponse DNSProxyType = "response" | ||
| ) | ||
|
|
||
| // There are three type of Error returned by the NotifyOnDNSMsgFunc |
There was a problem hiding this comment.
| // There are three type of Error returned by the NotifyOnDNSMsgFunc | |
| // There are three types of errors returned by the NotifyOnDNSMsgFunc |
| } | ||
| switch notifyOnDNSMsgContext.ErrorType { | ||
| case ErrTimeout: | ||
| scopedLog.Warn("Timeout waiting for processing of DNS response") |
There was a problem hiding this comment.
This branch doesn't return after the log, which means we write the response to the client even if notifyOnDNSMsg may have failed. I think this is the intention?
There was a problem hiding this comment.
Yes, that is correct. This is intentional. Proxy request timeout can occur after we get the response and in that case we just log the warning and forward the response.
|
Thanks @bimmlerd for the review ! :)
The notifyOnDNSMsg sends an error if there is a DNS message processing issue. We typically don't ack errors in the ServeDNS method and when we do, we always send "refused," which isn't always appropriate. The goal of adding these error types to notifyOnDNSMsg is to ensure DNS requests/responses are denied or forwarded based on processing errors. (Future updates will use NotifyOnDNSMsgContext to send all parameters for better readability). |
There was a problem hiding this comment.
I think the PR steers the behaviour in the right direction, but it's rather difficult to reason through. As a proposal, do you think it'd make the code clearer if we had different callbacks? I was thinking maybe one for an error encountered (with an error kind similar to what this proposes) and one for request/response each?
I feel like some of the difficulty stems from the fact that this notifyOnDNSMsg is called both in the error and the normal case.
|
I agree with making the error callback and request/response(each) separated. I looked at the callbacks from DNS proxy and divided them into these categories(there are total 12 callbacks):
Does it make sense to separate out the stat/ep proxy state updates i.e.
There is also recording of the log which happens at the end that needs to be handled for each callback. Let me know your thoughts. |
Yeah it's pretty tangled at the moment😞 There's probably no way around trying to write down the full control flow for each of these and then try to find a clearer pattern which fits. The other approach would be to reason from first principles - i.e. what could the proxy do itself and for what does it really need to call out to other things. From a brief look through the code, it seems like the proxy currently wants to report errors to the daemon. I'm unsure whether this is truly necessary, or whether the tracing and metrics stuff could be handled internally to the proxy. If so, the query handling would probably also not need a callback. (Unless we factor out the DNS policy (not toFQDN) part from ServerDNS too - that could also be a separate component being called into by the proxy.) Response handling, on the other hand, must be forwarded to the policy subsystem (i.e. the core of notifyOnDNSMessage gated by being a response) - that part should certainly stay. (BTW, let's not make the next iteration use function pointers, but have the DNS proxy struct take an interface which other components can implement. That makes testing and reuse easier too, for the purposes of the SDP) |
|
This pull request has been automatically marked as stale because it |
github-actions
bot
added
the
stale
NotifyOnDNSMsg can send three types of error for each call from DNS proxy, i.e.
ErrTimeout,ErrNoEndpointandErrDNSMsgDetails. This commit introduced the acknowledgment of these error while processing the req/response in DNS prxoy and send refused if there is an error. This may not be true always. For example, during the timeout error in case of request, it be returned without forwarding the req further. The PR enhances the ability to either refuse the processing of msg further based on the type of dns msg and the response from the callback. Types of error:ErrTimeout: Proxy context timeoutErrNoEndpoint: Endpoint is nilErrDNSMsgDetails: Error processing DNS MsgNote: Planning to clean up the code as well by using the
NotifyOnDNSMsgContextfor encompassing all the other parameters sent to the callback. But will create a separate PR for that.