Opened 4 years ago

Last modified 4 years ago

#2024 closed defect

Error log contains "unexpected response for" when resolver is called — at Version 1

Reported by: darius-m@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.18.x
Keywords: resolver
Cc:
uname -a: Linux test-nginx-resolv 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.18.0/debian/debuild-base/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description (last modified by darius-m@…)

Whenever the resolver is called to resolve a name for the first time, a line containing "unexpected response for", with error level "error", appears in the error log.

The following configuration can be used to reproduce the error:

server {
	listen 80;
	listen [::]:80;

	server_name localhost;

	resolver 1.1.1.1 valid=5s ipv6=off;

	allow 127.0.0.1;
	deny all;

	location / {
		set $server www.nginx.com;
		proxy_pass http://$server;
	}
}

After running curl localhost/, the error.log file contains a line with unexpected response for www.nginx.com. The same error also appears for SSL OCSP stapling, but using proxy_pass was preferred since it is much easier to reproduce.

I am unsure how dangerous this error actually is, as the server appears to fetch the correct information despite this message, and it does not repeat as long as the DNS entry is kept in the resolver's cache. I used valid=5s as a resolver parameter to make sure the error shows up repeatedly, but it can be reproduced without it (it is rarer, however, since the DNS entry will last longer).

The installed nginx is the one delivered through the apt package manager from the newest nginx repositories for Ubuntu, but the error appears not to be specific to Ubuntu.
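
Added example, not part of the original ticket and not nginx project code: a log triage helper that separates occurrences of the message that line up with cache expiry (as the report describes for valid=5s) from repeats inside the cache lifetime, which the report says do not occur. The log lines are constructed, the function names are hypothetical, and keying events by worker PID assumes each worker process keeps its own resolver cache.

```python
import re
from collections import defaultdict
from datetime import datetime

# Standard nginx error_log layout; the message text is the one quoted in the ticket.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: unexpected response for (?P<name>\S+)"
)

# Constructed sample lines (not taken from the ticket).
SAMPLE_LOG = """\
2020/08/10 10:00:00 [error] 4101#4101: unexpected response for www.nginx.com
2020/08/10 10:00:02 [error] 4102#4102: unexpected response for www.nginx.com
2020/08/10 10:00:06 [error] 4101#4101: unexpected response for www.nginx.com
2020/08/10 10:00:07 [error] 4101#4101: unexpected response for www.nginx.com
2020/08/10 10:00:09 [notice] 4100#4100: signal process started
"""

def parse_events(log_text):
    """Return (timestamp, pid, name) for every 'unexpected response for' line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events.append((ts, int(m["pid"]), m["name"]))
    return events

def triage(log_text, valid_seconds):
    """Count, per name, events at cache expiry versus inside the cache lifetime.

    valid_seconds is the resolver's valid= value. Assumption: every worker has
    its own resolver cache, so events are compared per (pid, name) only.
    """
    last_seen = {}
    summary = defaultdict(lambda: {"expected": 0, "within_cache": 0})
    for ts, pid, name in sorted(parse_events(log_text)):
        key = (pid, name)
        prev = last_seen.get(key)
        if prev is not None and (ts - prev).total_seconds() < valid_seconds:
            summary[name]["within_cache"] += 1  # deviates from the reported behaviour
        else:
            summary[name]["expected"] += 1      # first lookup, or entry had expired
        last_seen[key] = ts
    return dict(summary)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, valid_seconds=5))
```
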

Change History (1)

comment:1 by darius-m@…, 4 years ago

Description: modified (diff)