Thanks for adding tests for this functionality. This goes as far as can be reasonably expected without emulating a DNS server in the tests 😅

Code review ACK 75ee018

thank you for the reviews @lsilva01, @willcl-ark, @laanwj, @mzumsande & @jnewbery!

I've incorporated all the review comments (diff).

I also changed the regtest dns seed to be dummySeed.invalid (diff). Since .invalid is reserved to ensure no real results will be returned (wiki, IETF RFC), it seems like a good fit here.

Code review ACK a8834fa

Code Review ACK a8834fa0513d6bfcd4dfc759bbb841c02fcf8517

This probably needs a rebase / exception added for the new test after #22490 was merged.

thanks for the reviews @kristapsk & @practicalswift! & for the re-reviews @jnewbery & @mzumsande ☺️

@practicalswift
I took all your suggestions to further reduce changes of external communication except for being able to apply the IP addresses reserved for testing. Thanks again for these! I learned about how FQDNs work.

@mzumsande
as I mentioned over here #22490 (comment), I surprisingly don't need to rebase or add an exception!

I realized that test doesn't actually need rebase or an exception added, because passing in something like self.start_node(0, ["-connect=fakenodeaddr"]) from the individual test appends the -connect arg as a command-line argument, which overrules what's been set in the .conf file.

I locally rebased & confirmed that the tests still pass, but opted not to push the rebase here to make it easier to re-review. But lmk if you think it would be better to rebase & set self.disable_autoconnect and I'm happy to do so.

I took all your suggestions to further reduce changes of external communication except for being able to apply the IP addresses reserved for testing. Thanks again for these! I learned about how FQDNs work.

Excellent!

It is outside of the scope of this PR but I think it would make sense to err on the safe side and specify all seed domain names with an ending dot to make them unambiguous.

In other words …

    vSeeds.emplace_back("seed.bitcoin.sipa.be."); // Pieter Wuille, only supports x1, x5, x9, and xd

… instead of the current …

    vSeeds.emplace_back("seed.bitcoin.sipa.be"); // Pieter Wuille, only supports x1, x5, x9, and xd

The former is guaranteed to be interpreted as seed.bitcoin.sipa.be. whereas the latter may be interpreted as sayseed.bitcoin.sipa.be.megacorp.com. depending on the content of the user's /etc/resolv.conf.

The case I'm thinking about is if search megacorp.com is specified in /etc/resolv.conf and say options ndots:5 is used.

Looking up seed.bitcoin.sipa.be would then result in the following DNS traffic:

IP <src> > <resolver>.53: A? seed.bitcoin.sipa.be.megacorp.com.
IP <resolver>.53 > <src>: NXDomain
IP <src> > <resolver>.53: A? seed.bitcoin.sipa.be.
IP <resolver>.53 > <src>: Some valid response.

In other words seed.bitcoin.sipa.be.megacorp.com. would be tried before seed.bitcoin.sipa.be. :(

I haven't tried it myself but if I'm thinking correctly here then adding search localtest.me and options ndots:15 to /etc/resolv.conf should break DNS seeding since the DNS server for localtest.me will return 127.0.0.1 for *.localtest.me.

I guess an alternative way to fix this could be to add the ending dot (if missing) when building the host string:

diff --git a/src/net.cpp b/src/net.cpp
index 073643fb7..c68c497ea 100644
--- a/src/net.cpp
+++ b/src/net.cpp
@@ -1714,7 +1714,7 @@ void CConnman::ThreadDNSAddressSeed()
             std::vector<CNetAddr> vIPs;
             std::vector<CAddress> vAdd;
             ServiceFlags requiredServiceBits = GetDesirableServiceFlags(NODE_NONE);
-            std::string host = strprintf("x%x.%s", requiredServiceBits, seed);
+            std::string host = strprintf("x%x.%s.", requiredServiceBits, seed);
             CNetAddr resolveSource;
             if (!resolveSource.SetInternal(host)) {
                 continue;

Some background context from https://bugzilla.mozilla.org/show_bug.cgi?id=134402:

The BSD Unix implementation of the name resolver established numerous
conventions that have become defacto standards for Unix and Linux, but are
not formally Internet standards, and are not commonly found on other 
platforms, such as Windows.  These include such things as:

…

b) a trailing dot tells BSD's DNS name resolver not to try appending domain 
name suffixes.  E.g. for a client in the mozilla.com domain, the DNS name 
foo.bar can be interpreted as foo.bar.mozilla.com as well as foo.bar, but 
foo.bar. is only interpreted as foo.bar and not as foo.bar.mozilla.com.  
These are only conventions of some OSes, and not Internet standards.  

all review comments have been addressed.

specify all seed domain names with an ending dot to make them unambiguous..

@practicalswift, very interesting! thanks for digging in & sharing your findings! I'll have to learn more myself but this seems like a good idea. Shall we open an issue?

ACK 82b6f89

I locally rebased & confirmed that the tests still pass, but opted not to push the rebase here to make it easier to re-review. But lmk if you think it would be better to rebase & set self.disable_autoconnect and I'm happy to do so.

not necessary, I didn't realize that it would work, but your explanation makes sense.

The former is guaranteed to be interpreted as seed.bitcoin.sipa.be. whereas the latter may be interpreted as sayseed.bitcoin.sipa.be.megacorp.com. depending on the content of the user's /etc/resolv.conf.

@practicalswift, very interesting! thanks for digging in & sharing your findings! I'll have to learn more myself but this seems like a good idea. Shall we open an issue?

Feel free to open an issue if you feel for it: I'm afraid I won't be able to find time to work on this any time soon, but I'd be glad to help out with review :)

An /etc/resolv.conf file with this content should be sufficient to reproduce the issue (if my theory holds: I haven't had time to check beyond reading the source!):

search localtest.me
options ndots:15
nameserver 8.8.8.8
nameserver 8.8.4.4

8.8.8.8 and 8.8.4.4 are Google Public DNS, and localtest.me is a domain name setup with a DNS server that will respond with 127.0.0.1 for all queries including a lookup of say seed.bitcoin.sipa.be.localtest.me.

The former is guaranteed to be interpreted as seed.bitcoin.sipa.be. whereas the latter may be interpreted as sayseed.bitcoin.sipa.be.megacorp.com. depending on the content of the user's /etc/resolv.conf.

@practicalswift, very interesting! thanks for digging in & sharing your findings! I'll have to learn more myself but this seems like a good idea. Shall we open an issue?

Feel free to open an issue if you feel for it: I'm afraid I won't be able to find time to work on this any time soon, but I'd be glad to help out with review :)

An /etc/resolv.conf file with this content should be sufficient to reproduce the issue (if my theory holds: I haven't had time to check beyond reading the source!):

A simpler way that should reproduce the issue without having to make any changes to /etc/resolv.conf:

$ RES_OPTIONS="options ndots:15" LOCALDOMAIN="localtest.me" src/bitcoind

If my thinking is correct that should make the DNS seeding queries return 127.0.0.1 due to seed.bitcoin.sipa.be being interpreted as seed.bitcoin.sipa.be.localtest.me, etc.

reACK 82b6f89

The DNS querying logic and related config options certainly are somewhat convoluted / confusing. This is not helped by the fact that certain options (soft)-set other options, or sometimes behave un-intuitively. I think there is definitely scope to improve this code further going forward.

cc @ajtowns