libnetwork/resolver_test.go - third_party/github.com/moby/moby - Git at Google

 package libnetwork

 import (
 	"context"
 	"encoding/hex"
 	"errors"
 	"net"
 	"syscall"
 	"testing"
 	"time"

 	"github.com/containerd/log"
 	"github.com/docker/docker/internal/testutils/netnsutils"
 	"github.com/miekg/dns"
 	"github.com/sirupsen/logrus"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )

 // a simple/null address type that will be used to fake a local address for unit testing
 type tstaddr struct {
 	network string
 }

 func (a *tstaddr) Network() string {
 	if a.network != "" {
 		return a.network
 	}
 	return "tcp"
 }

 func (a *tstaddr) String() string { return "(fake)" }

 // a simple writer that implements dns.ResponseWriter for unit testing purposes
 type tstwriter struct {
 	network string
 	msg     *dns.Msg
 }

 func (w *tstwriter) WriteMsg(m *dns.Msg) (err error) {
 	// Assert that the message is serializable.
 	if _, err := m.Pack(); err != nil {
 		return err
 	}
 	w.msg = m
 	return nil
 }

 func (w *tstwriter) Write(m []byte) (int, error) { return 0, nil }

 func (w *tstwriter) LocalAddr() net.Addr {
 	return &tstaddr{network: w.network}
 }

 func (w *tstwriter) RemoteAddr() net.Addr {
 	return &tstaddr{network: w.network}
 }

 func (w *tstwriter) TsigStatus() error { return nil }

 func (w *tstwriter) TsigTimersOnly(b bool) {}

 func (w *tstwriter) Hijack() {}

 func (w *tstwriter) Close() error { return nil }

 func (w *tstwriter) GetResponse() *dns.Msg { return w.msg }

 func (w *tstwriter) ClearResponse() { w.msg = nil }

 func checkNonNullResponse(t *testing.T, m *dns.Msg) {
 	t.Helper()
 	if m == nil {
 		t.Fatal("Null DNS response found. Non Null response msg expected.")
 	}
 }

 func checkDNSAnswersCount(t *testing.T, m *dns.Msg, expected int) {
 	t.Helper()
 	answers := len(m.Answer)
 	if answers != expected {
 		t.Fatalf("Expected number of answers in response: %d. Found: %d", expected, answers)
 	}
 }

 func checkDNSResponseCode(t *testing.T, m *dns.Msg, expected int) {
 	t.Helper()
 	if m.MsgHdr.Rcode != expected {
 		t.Fatalf("Expected DNS response code: %d (%s). Found: %d (%s)", expected, dns.RcodeToString[expected], m.MsgHdr.Rcode, dns.RcodeToString[m.MsgHdr.Rcode])
 	}
 }

 func checkDNSRRType(t *testing.T, actual, expected uint16) {
 	t.Helper()
 	if actual != expected {
 		t.Fatalf("Expected DNS Rrtype: %d. Found: %d", expected, actual)
 	}
 }

 func newDNSHandlerServFailOnce(requests *int) func(w dns.ResponseWriter, r *dns.Msg) {
 	return func(w dns.ResponseWriter, r *dns.Msg) {
 		m := new(dns.Msg)
 		m.SetReply(r)
 		m.Compress = false
 		if *requests == 0 {
 			m.SetRcode(r, dns.RcodeServerFailure)
 		}
 		*requests = *requests + 1
 		if err := w.WriteMsg(m); err != nil {
 			log.G(context.TODO()).WithError(err).Error("Error writing dns response")
 		}
 	}
 }

 func waitForLocalDNSServer(t *testing.T) {
 	retries := 0
 	maxRetries := 10

 	for retries < maxRetries {
 		t.Log("Try connecting to DNS server ...")
 		// this test and retry mechanism only works for TCP. With UDP there is no
 		// connection and the test becomes inaccurate leading to unpredictable results
 		tconn, err := net.DialTimeout("tcp", "127.0.0.1:53", 10*time.Second)
 		retries = retries + 1
 		if err != nil {
 			if oerr, ok := err.(*net.OpError); ok {
 				// server is probably initializing
 				if oerr.Err == syscall.ECONNREFUSED {
 					continue
 				}
 			} else {
 				// something is wrong: we should stop for analysis
 				t.Fatal(err)
 			}
 		}
 		if tconn != nil {
 			tconn.Close()
 			break
 		}
 	}
 }

 // Packet 24 extracted from
 // https://gist.github.com/vojtad/3bac63b8c91b1ec50e8d8b36047317fa/raw/7d75eb3d3448381bf252ae55ea5123a132c46658/host.pcap
 // (https://github.com/moby/moby/issues/44575)
 // which is a non-compliant DNS reply > 512B (w/o EDNS(0)) to the query
 //
 //	s3.amazonaws.com. IN A
 const oversizedDNSReplyMsg = "\xf5\x11\x81\x80\x00\x01\x00\x20\x00\x00\x00\x00\x02\x73\x33\x09" +
 	"\x61\x6d\x61\x7a\x6f\x6e\x61\x77\x73\x03\x63\x6f\x6d\x00\x00\x01" +
 	"\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
 	"\x11\x9e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
 	"\x4c\x66\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
 	"\xda\x10\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
 	"\x01\x3e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
 	"\x88\x68\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
 	"\x66\x9e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
 	"\x5f\x28\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
 	"\x8e\x4e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x36\xe7" +
 	"\x84\xf0\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd8" +
 	"\x92\x45\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
 	"\x8f\xa6\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x36\xe7" +
 	"\xc0\xd0\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
 	"\xfe\x28\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
 	"\xaa\x3d\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
 	"\x4e\x56\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
 	"\xea\xb0\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
 	"\x6d\xed\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
 	"\x28\x00\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd9" +
 	"\xe9\x78\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd9" +
 	"\x6e\x9e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd9" +
 	"\x45\x86\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd8" +
 	"\x30\x38\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x36\xe7" +
 	"\xc6\xa8\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x03\x05" +
 	"\x01\x9d\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
 	"\xa8\xe8\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
 	"\x64\xa6\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd8" +
 	"\x3c\x48\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd8" +
 	"\x35\x20\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
 	"\x54\xf6\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
 	"\x5d\x36\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
 	"\x30\x36\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x36\xe7" +
 	"\x83\x90"

 // Regression test for https://github.com/moby/moby/issues/44575
 func TestOversizedDNSReply(t *testing.T) {
 	srv, err := net.ListenPacket("udp", "127.0.0.1:0")
 	assert.NilError(t, err)
 	defer srv.Close()
 	go func() {
 		buf := make([]byte, 65536)
 		for {
 			n, src, err := srv.ReadFrom(buf)
 			if errors.Is(err, net.ErrClosed) {
 				return
 			}
 			t.Logf("[<-%v]\n%s", src, hex.Dump(buf[:n]))
 			if n < 2 {
 				continue
 			}
 			resp := []byte(oversizedDNSReplyMsg)
 			resp[0], resp[1] = buf[0], buf[1] // Copy query ID into response.
 			_, err = srv.WriteTo(resp, src)
 			if errors.Is(err, net.ErrClosed) {
 				return
 			}
 			if err != nil {
 				t.Log(err)
 			}
 		}
 	}()

 	srvAddr := srv.LocalAddr().(*net.UDPAddr)
 	rsv := NewResolver("", true, noopDNSBackend{})
 	// The resolver logs lots of valuable info at level debug. Redirect it
 	// to t.Log() so the log spew is emitted only if the test fails.
 	rsv.logger = testLogger(t)
 	rsv.SetExtServers([]extDNSEntry{
 		{IPStr: srvAddr.IP.String(), port: uint16(srvAddr.Port), HostLoopback: true},
 	})

 	w := &tstwriter{network: srvAddr.Network()}
 	q := new(dns.Msg).SetQuestion("s3.amazonaws.com.", dns.TypeA)
 	rsv.serveDNS(w, q)
 	resp := w.GetResponse()
 	checkNonNullResponse(t, resp)
 	t.Log("Response: ", resp.String())
 	checkDNSResponseCode(t, resp, dns.RcodeSuccess)
 	assert.Assert(t, len(resp.Answer) >= 1)
 	checkDNSRRType(t, resp.Answer[0].Header().Rrtype, dns.TypeA)
 }

 func testLogger(t *testing.T) *logrus.Entry {
 	logger := logrus.New()
 	logger.SetLevel(logrus.DebugLevel)
 	logger.SetOutput(tlogWriter{t})
 	return logrus.NewEntry(logger)
 }

 type tlogWriter struct{ t *testing.T }

 func (w tlogWriter) Write(p []byte) (n int, err error) {
 	w.t.Logf("%s", p)
 	return len(p), nil
 }

 type noopDNSBackend struct{ DNSBackend }

 func (noopDNSBackend) ResolveName(_ context.Context, name string, iplen int) ([]net.IP, bool) {
 	return nil, false
 }

 func (noopDNSBackend) ExecFunc(f func()) error { f(); return nil }

 func (noopDNSBackend) NdotsSet() bool { return false }

 func (noopDNSBackend) HandleQueryResp(name string, ip net.IP) {}

 func TestReplySERVFAIL(t *testing.T) {
 	cases := []struct {
 		name     string
 		q        *dns.Msg
 		proxyDNS bool
 	}{
 		{
 			name: "InternalError",
 			q:    new(dns.Msg).SetQuestion("_sip._tcp.example.com.", dns.TypeSRV),
 		},
 		{
 			name: "ProxyDNS=false",
 			q:    new(dns.Msg).SetQuestion("example.com.", dns.TypeA),
 		},
 		{
 			name:     "ProxyDNS=true", // No extDNS servers configured -> no answer from any upstream
 			q:        new(dns.Msg).SetQuestion("example.com.", dns.TypeA),
 			proxyDNS: true,
 		},
 	}
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			rsv := NewResolver("", tt.proxyDNS, badSRVDNSBackend{})
 			rsv.logger = testLogger(t)
 			w := &tstwriter{}
 			rsv.serveDNS(w, tt.q)
 			resp := w.GetResponse()
 			checkNonNullResponse(t, resp)
 			t.Log("Response: ", resp.String())
 			checkDNSResponseCode(t, resp, dns.RcodeServerFailure)
 		})
 	}
 }

 type badSRVDNSBackend struct{ noopDNSBackend }

 func (badSRVDNSBackend) ResolveService(_ context.Context, _ string) ([]*net.SRV, []net.IP) {
 	return []*net.SRV{nil, nil, nil}, nil // Mismatched slice lengths
 }

 func TestProxyNXDOMAIN(t *testing.T) {
 	mockSOA, err := dns.NewRR(".	86367	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2023051800 1800 900 604800 86400\n")
 	assert.NilError(t, err)
 	assert.Assert(t, mockSOA != nil)

 	serveStarted := make(chan struct{})
 	srv := &dns.Server{
 		Net:  "udp",
 		Addr: "127.0.0.1:0",
 		Handler: dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
 			msg := new(dns.Msg).SetRcode(r, dns.RcodeNameError)
 			msg.Ns = append(msg.Ns, dns.Copy(mockSOA))
 			w.WriteMsg(msg)
 		}),
 		NotifyStartedFunc: func() { close(serveStarted) },
 	}
 	serveDone := make(chan error, 1)
 	go func() {
 		defer close(serveDone)
 		serveDone <- srv.ListenAndServe()
 	}()

 	select {
 	case err := <-serveDone:
 		t.Fatal(err)
 	case <-serveStarted:
 	}

 	defer func() {
 		if err := srv.Shutdown(); err != nil {
 			t.Error(err)
 		}
 		<-serveDone
 	}()

 	// This test, by virtue of running a server and client in different
 	// not-locked-to-thread goroutines, happens to be a good canary for
 	// whether we are leaking unlocked OS threads set to the wrong network
 	// namespace. Make a best-effort attempt to detect that situation so we
 	// are not left chasing ghosts next time.
 	netnsutils.AssertSocketSameNetNS(t, srv.PacketConn.(*net.UDPConn))

 	srvAddr := srv.PacketConn.LocalAddr().(*net.UDPAddr)
 	rsv := NewResolver("", true, noopDNSBackend{})
 	rsv.SetExtServers([]extDNSEntry{
 		{IPStr: srvAddr.IP.String(), port: uint16(srvAddr.Port), HostLoopback: true},
 	})

 	// The resolver logs lots of valuable info at level debug. Redirect it
 	// to t.Log() so the log spew is emitted only if the test fails.
 	rsv.logger = testLogger(t)

 	w := &tstwriter{network: srvAddr.Network()}
 	q := new(dns.Msg).SetQuestion("example.net.", dns.TypeA)
 	rsv.serveDNS(w, q)
 	resp := w.GetResponse()
 	checkNonNullResponse(t, resp)
 	t.Log("Response:\n" + resp.String())
 	checkDNSResponseCode(t, resp, dns.RcodeNameError)
 	assert.Assert(t, is.Len(resp.Answer, 0))
 	assert.Assert(t, is.Len(resp.Ns, 1))
 	assert.Equal(t, resp.Ns[0].String(), mockSOA.String())
 }

 type ptrDNSBackend struct {
 	noopDNSBackend
 	zone map[string]string
 }

 func (b *ptrDNSBackend) ResolveIP(_ context.Context, name string) string {
 	return b.zone[name]
 }

 // Regression test for https://github.com/moby/moby/issues/46928
 func TestInvalidReverseDNS(t *testing.T) {
 	rsv := NewResolver("", false, &ptrDNSBackend{zone: map[string]string{"4.3.2.1": "sixtyfourcharslong9012345678901234567890123456789012345678901234"}})
 	rsv.logger = testLogger(t)

 	w := &tstwriter{}
 	q := new(dns.Msg).SetQuestion("4.3.2.1.in-addr.arpa.", dns.TypePTR)
 	rsv.serveDNS(w, q)
 	resp := w.GetResponse()
 	checkNonNullResponse(t, resp)
 	t.Log("Response: ", resp.String())
 	checkDNSResponseCode(t, resp, dns.RcodeServerFailure)
 }
	package libnetwork

	import (
	"context"
	"encoding/hex"
	"errors"
	"net"
	"syscall"
	"testing"
	"time"

	"github.com/containerd/log"
	"github.com/docker/docker/internal/testutils/netnsutils"
	"github.com/miekg/dns"
	"github.com/sirupsen/logrus"
	"gotest.tools/v3/assert"
	is "gotest.tools/v3/assert/cmp"
	)

	// a simple/null address type that will be used to fake a local address for unit testing
	type tstaddr struct {
	network string
	}

	func (a *tstaddr) Network() string {
	if a.network != "" {
	return a.network
	}
	return "tcp"
	}

	func (a *tstaddr) String() string { return "(fake)" }

	// a simple writer that implements dns.ResponseWriter for unit testing purposes
	type tstwriter struct {
	network string
	msg *dns.Msg
	}

	func (w tstwriter) WriteMsg(m dns.Msg) (err error) {
	// Assert that the message is serializable.
	if _, err := m.Pack(); err != nil {
	return err
	}
	w.msg = m
	return nil
	}

	func (w *tstwriter) Write(m []byte) (int, error) { return 0, nil }

	func (w *tstwriter) LocalAddr() net.Addr {
	return &tstaddr{network: w.network}
	}

	func (w *tstwriter) RemoteAddr() net.Addr {
	return &tstaddr{network: w.network}
	}

	func (w *tstwriter) TsigStatus() error { return nil }

	func (w *tstwriter) TsigTimersOnly(b bool) {}

	func (w *tstwriter) Hijack() {}

	func (w *tstwriter) Close() error { return nil }

	func (w tstwriter) GetResponse() dns.Msg { return w.msg }

	func (w *tstwriter) ClearResponse() { w.msg = nil }

	func checkNonNullResponse(t testing.T, m dns.Msg) {
	t.Helper()
	if m == nil {
	t.Fatal("Null DNS response found. Non Null response msg expected.")
	}
	}

	func checkDNSAnswersCount(t testing.T, m dns.Msg, expected int) {
	t.Helper()
	answers := len(m.Answer)
	if answers != expected {
	t.Fatalf("Expected number of answers in response: %d. Found: %d", expected, answers)
	}
	}

	func checkDNSResponseCode(t testing.T, m dns.Msg, expected int) {
	t.Helper()
	if m.MsgHdr.Rcode != expected {
	t.Fatalf("Expected DNS response code: %d (%s). Found: %d (%s)", expected, dns.RcodeToString[expected], m.MsgHdr.Rcode, dns.RcodeToString[m.MsgHdr.Rcode])
	}
	}

	func checkDNSRRType(t *testing.T, actual, expected uint16) {
	t.Helper()
	if actual != expected {
	t.Fatalf("Expected DNS Rrtype: %d. Found: %d", expected, actual)
	}
	}

	func newDNSHandlerServFailOnce(requests int) func(w dns.ResponseWriter, r dns.Msg) {
	return func(w dns.ResponseWriter, r *dns.Msg) {
	m := new(dns.Msg)
	m.SetReply(r)
	m.Compress = false
	if *requests == 0 {
	m.SetRcode(r, dns.RcodeServerFailure)
	}
	requests = requests + 1
	if err := w.WriteMsg(m); err != nil {
	log.G(context.TODO()).WithError(err).Error("Error writing dns response")
	}
	}
	}

	func waitForLocalDNSServer(t *testing.T) {
	retries := 0
	maxRetries := 10

	for retries < maxRetries {
	t.Log("Try connecting to DNS server ...")
	// this test and retry mechanism only works for TCP. With UDP there is no
	// connection and the test becomes inaccurate leading to unpredictable results
	tconn, err := net.DialTimeout("tcp", "127.0.0.1:53", 10*time.Second)
	retries = retries + 1
	if err != nil {
	if oerr, ok := err.(*net.OpError); ok {
	// server is probably initializing
	if oerr.Err == syscall.ECONNREFUSED {
	continue
	}
	} else {
	// something is wrong: we should stop for analysis
	t.Fatal(err)
	}
	}
	if tconn != nil {
	tconn.Close()
	break
	}
	}
	}

	// Packet 24 extracted from
	// https://gist.github.com/vojtad/3bac63b8c91b1ec50e8d8b36047317fa/raw/7d75eb3d3448381bf252ae55ea5123a132c46658/host.pcap
	// (https://github.com/moby/moby/issues/44575)
	// which is a non-compliant DNS reply > 512B (w/o EDNS(0)) to the query
	//
	// s3.amazonaws.com. IN A
	const oversizedDNSReplyMsg = "\xf5\x11\x81\x80\x00\x01\x00\x20\x00\x00\x00\x00\x02\x73\x33\x09" +
	"\x61\x6d\x61\x7a\x6f\x6e\x61\x77\x73\x03\x63\x6f\x6d\x00\x00\x01" +
	"\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
	"\x11\x9e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
	"\x4c\x66\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
	"\xda\x10\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
	"\x01\x3e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
	"\x88\x68\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
	"\x66\x9e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
	"\x5f\x28\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
	"\x8e\x4e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x36\xe7" +
	"\x84\xf0\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd8" +
	"\x92\x45\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
	"\x8f\xa6\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x36\xe7" +
	"\xc0\xd0\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
	"\xfe\x28\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
	"\xaa\x3d\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
	"\x4e\x56\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd9" +
	"\xea\xb0\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
	"\x6d\xed\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x04\x00\x04\x34\xd8" +
	"\x28\x00\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd9" +
	"\xe9\x78\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd9" +
	"\x6e\x9e\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd9" +
	"\x45\x86\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x34\xd8" +
	"\x30\x38\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x36\xe7" +
	"\xc6\xa8\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x03\x05" +
	"\x01\x9d\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
	"\xa8\xe8\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
	"\x64\xa6\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd8" +
	"\x3c\x48\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd8" +
	"\x35\x20\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
	"\x54\xf6\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
	"\x5d\x36\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x34\xd9" +
	"\x30\x36\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\x36\xe7" +
	"\x83\x90"

	// Regression test for https://github.com/moby/moby/issues/44575
	func TestOversizedDNSReply(t *testing.T) {
	srv, err := net.ListenPacket("udp", "127.0.0.1:0")
	assert.NilError(t, err)
	defer srv.Close()
	go func() {
	buf := make([]byte, 65536)
	for {
	n, src, err := srv.ReadFrom(buf)
	if errors.Is(err, net.ErrClosed) {
	return
	}
	t.Logf("[<-%v]\n%s", src, hex.Dump(buf[:n]))
	if n < 2 {
	continue
	}
	resp := []byte(oversizedDNSReplyMsg)
	resp[0], resp[1] = buf[0], buf[1] // Copy query ID into response.
	_, err = srv.WriteTo(resp, src)
	if errors.Is(err, net.ErrClosed) {
	return
	}
	if err != nil {
	t.Log(err)
	}
	}
	}()

	srvAddr := srv.LocalAddr().(*net.UDPAddr)
	rsv := NewResolver("", true, noopDNSBackend{})
	// The resolver logs lots of valuable info at level debug. Redirect it
	// to t.Log() so the log spew is emitted only if the test fails.
	rsv.logger = testLogger(t)
	rsv.SetExtServers([]extDNSEntry{
	{IPStr: srvAddr.IP.String(), port: uint16(srvAddr.Port), HostLoopback: true},
	})

	w := &tstwriter{network: srvAddr.Network()}
	q := new(dns.Msg).SetQuestion("s3.amazonaws.com.", dns.TypeA)
	rsv.serveDNS(w, q)
	resp := w.GetResponse()
	checkNonNullResponse(t, resp)
	t.Log("Response: ", resp.String())
	checkDNSResponseCode(t, resp, dns.RcodeSuccess)
	assert.Assert(t, len(resp.Answer) >= 1)
	checkDNSRRType(t, resp.Answer[0].Header().Rrtype, dns.TypeA)
	}

	func testLogger(t testing.T) logrus.Entry {
	logger := logrus.New()
	logger.SetLevel(logrus.DebugLevel)
	logger.SetOutput(tlogWriter{t})
	return logrus.NewEntry(logger)
	}

	type tlogWriter struct{ t *testing.T }

	func (w tlogWriter) Write(p []byte) (n int, err error) {
	w.t.Logf("%s", p)
	return len(p), nil
	}

	type noopDNSBackend struct{ DNSBackend }

	func (noopDNSBackend) ResolveName(_ context.Context, name string, iplen int) ([]net.IP, bool) {
	return nil, false
	}

	func (noopDNSBackend) ExecFunc(f func()) error { f(); return nil }

	func (noopDNSBackend) NdotsSet() bool { return false }

	func (noopDNSBackend) HandleQueryResp(name string, ip net.IP) {}

	func TestReplySERVFAIL(t *testing.T) {
	cases := []struct {
	name string
	q *dns.Msg
	proxyDNS bool
	}{
	{
	name: "InternalError",
	q: new(dns.Msg).SetQuestion("_sip._tcp.example.com.", dns.TypeSRV),
	},
	{
	name: "ProxyDNS=false",
	q: new(dns.Msg).SetQuestion("example.com.", dns.TypeA),
	},
	{
	name: "ProxyDNS=true", // No extDNS servers configured -> no answer from any upstream
	q: new(dns.Msg).SetQuestion("example.com.", dns.TypeA),
	proxyDNS: true,
	},
	}
	for _, tt := range cases {
	t.Run(tt.name, func(t *testing.T) {
	rsv := NewResolver("", tt.proxyDNS, badSRVDNSBackend{})
	rsv.logger = testLogger(t)
	w := &tstwriter{}
	rsv.serveDNS(w, tt.q)
	resp := w.GetResponse()
	checkNonNullResponse(t, resp)
	t.Log("Response: ", resp.String())
	checkDNSResponseCode(t, resp, dns.RcodeServerFailure)
	})
	}
	}

	type badSRVDNSBackend struct{ noopDNSBackend }

	func (badSRVDNSBackend) ResolveService(_ context.Context, _ string) ([]*net.SRV, []net.IP) {
	return []*net.SRV{nil, nil, nil}, nil // Mismatched slice lengths
	}

	func TestProxyNXDOMAIN(t *testing.T) {
	mockSOA, err := dns.NewRR(". 86367 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023051800 1800 900 604800 86400\n")
	assert.NilError(t, err)
	assert.Assert(t, mockSOA != nil)

	serveStarted := make(chan struct{})
	srv := &dns.Server{
	Net: "udp",
	Addr: "127.0.0.1:0",
	Handler: dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
	msg := new(dns.Msg).SetRcode(r, dns.RcodeNameError)
	msg.Ns = append(msg.Ns, dns.Copy(mockSOA))
	w.WriteMsg(msg)
	}),
	NotifyStartedFunc: func() { close(serveStarted) },
	}
	serveDone := make(chan error, 1)
	go func() {
	defer close(serveDone)
	serveDone <- srv.ListenAndServe()
	}()

	select {
	case err := <-serveDone:
	t.Fatal(err)
	case <-serveStarted:
	}

	defer func() {
	if err := srv.Shutdown(); err != nil {
	t.Error(err)
	}
	<-serveDone
	}()

	// This test, by virtue of running a server and client in different
	// not-locked-to-thread goroutines, happens to be a good canary for
	// whether we are leaking unlocked OS threads set to the wrong network
	// namespace. Make a best-effort attempt to detect that situation so we
	// are not left chasing ghosts next time.
	netnsutils.AssertSocketSameNetNS(t, srv.PacketConn.(*net.UDPConn))

	srvAddr := srv.PacketConn.LocalAddr().(*net.UDPAddr)
	rsv := NewResolver("", true, noopDNSBackend{})
	rsv.SetExtServers([]extDNSEntry{
	{IPStr: srvAddr.IP.String(), port: uint16(srvAddr.Port), HostLoopback: true},
	})

	// The resolver logs lots of valuable info at level debug. Redirect it
	// to t.Log() so the log spew is emitted only if the test fails.
	rsv.logger = testLogger(t)

	w := &tstwriter{network: srvAddr.Network()}
	q := new(dns.Msg).SetQuestion("example.net.", dns.TypeA)
	rsv.serveDNS(w, q)
	resp := w.GetResponse()
	checkNonNullResponse(t, resp)
	t.Log("Response:\n" + resp.String())
	checkDNSResponseCode(t, resp, dns.RcodeNameError)
	assert.Assert(t, is.Len(resp.Answer, 0))
	assert.Assert(t, is.Len(resp.Ns, 1))
	assert.Equal(t, resp.Ns[0].String(), mockSOA.String())
	}

	type ptrDNSBackend struct {
	noopDNSBackend
	zone map[string]string
	}

	func (b *ptrDNSBackend) ResolveIP(_ context.Context, name string) string {
	return b.zone[name]
	}

	// Regression test for https://github.com/moby/moby/issues/46928
	func TestInvalidReverseDNS(t *testing.T) {
	rsv := NewResolver("", false, &ptrDNSBackend{zone: map[string]string{"4.3.2.1": "sixtyfourcharslong9012345678901234567890123456789012345678901234"}})
	rsv.logger = testLogger(t)

	w := &tstwriter{}
	q := new(dns.Msg).SetQuestion("4.3.2.1.in-addr.arpa.", dns.TypePTR)
	rsv.serveDNS(w, q)
	resp := w.GetResponse()
	checkNonNullResponse(t, resp)
	t.Log("Response: ", resp.String())
	checkDNSResponseCode(t, resp, dns.RcodeServerFailure)
	}