DNS resolution fails for internationalized domain names #25558

saghul · 2019-01-18T08:07:09Z

Version: v10.14.2
Platform: Darwin november.local 18.2.0 Darwin Kernel Version 18.2.0: Mon Nov 12 20:24:46 PST 2018; root:xnu-4903.231.4~2/RELEASE_X86_64 x86_64
Subsystem: dns, cares_wrap

Currently the DNS module seems to utf-8 encode the names passed to c-ares for DNS resolution:

node/src/cares_wrap.cc

Line 1803 in 2c0a751

node::Utf8Value name(env->isolate(), string);

That doesn't work for internationalized domain names, which need to be IDNA encoded.

DNS is pretty much all ASCII, so IMHO Node shouldn't utf-8 encode on input.

Here is a list of international domain names to test.

This will produce an error:

> dns.resolve('españa.icom.museum', function(r, e) { console.log(r, e) })`
> { Error: queryA ENOTFOUND españa.icom.museum
    at QueryReqWrap.onresolve [as oncomplete] (dns.js:197:19)
  errno: 'ENOTFOUND',
  code: 'ENOTFOUND',
  syscall: 'queryA',
  hostname: 'españa.icom.museum' } undefined

Whereas the proper IDNA encoded version works:

> dns.resolve('xn--espaa-rta.icom.museum', function(e, r) { console.log(e, r) })
> null [ '91.194.60.138' ]

The text was updated successfully, but these errors were encountered:

targos · 2019-01-18T09:24:31Z

All supported versions of Node are affected. I'm looking into it.

santigimeno · 2019-01-18T09:41:01Z

Possible fix in #25559

silverwind · 2019-01-18T16:44:49Z

I'm quite surprised that this affects so many version. I'm pretty sure IDN did work at least at some point in time.

bnoordhuis · 2019-01-24T15:22:47Z

@santigimeno and I opened PRs but now that I think about it, this issue should be fixed once v10.x upgrades to libuv v1.24.0 because that's the first libuv release that includes libuv/libuv#2046.

Landing the PRs would still be useful for:

v6.x (and v8.x?), because libuv isn't upgraded on that branch, and
z/os, because EBCDIC

bnoordhuis · 2019-01-24T15:25:40Z

I'm pretty sure IDN did work at least at some point in time.

@silverwind If you'll allow me to self-quote from #25679 (comment):

[..] Node.js left it up to the system resolver or c-ares.

Leaving it to the system resolver introduces platform differences
because:

    some support IDNA 2008
    some only IDNA 2003 (glibc until 2.28), and
    some don't support IDNA at all (musl libc)

In other words, Node's behavior is currently platform-dependent (bad.)

Before this commit, Node.js left it up to the system resolver or c-ares. Leaving it to the system resolver introduces platform differences because: * some support IDNA 2008 * some only IDNA 2003 (glibc until 2.28), and * some don't support IDNA at all (musl libc) c-ares doesn't support IDNA either although curl does, by virtue of linking against libidn2. Upgrading from libidn1 to libidn2 in order to get proper IDNA 2008 support was the fix for curl's CVE-2016-8625. libidn2 is not an option (incompatible license) but ICU has an IDNA API and we already use that in one place. For non-ICU builds, we fall back to the bundled punycode.js that also supports IDNA 2008. Fixes: nodejs-private/security#97 Fixes: nodejs#25558

Before this commit, Node.js left it up to the system resolver or c-ares. Leaving it to the system resolver introduces platform differences because: * some support IDNA 2008 * some only IDNA 2003 (glibc until 2.28), and * some don't support IDNA at all (musl libc) c-ares doesn't support IDNA either although curl does, by virtue of linking against libidn2. Upgrading from libidn1 to libidn2 in order to get proper IDNA 2008 support was the fix for curl's CVE-2016-8625. libidn2 is not an option (incompatible license) but ICU has an IDNA API and we already use that in one place. For non-ICU builds, we fall back to the bundled punycode.js that also supports IDNA 2008. Fixes: https://github.com/nodejs-private/security/issues/97 Fixes: #25558 PR-URL: #25679 Reviewed-By: Santiago Gimeno <[email protected]> Reviewed-By: Saúl Ibarra Corretgé <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>

Fixes: nodejs/node#25558

saghul added the dns Issues and PRs related to the dns subsystem. label Jan 18, 2019

targos self-assigned this Jan 18, 2019

targos added v6.x confirmed-bug Issues with confirmed bugs. labels Jan 18, 2019

santigimeno mentioned this issue Jan 18, 2019

dns: idna encode hostnames before resolution #25559

Closed

4 tasks

targos removed their assignment Jan 18, 2019

addaleax closed this as completed in f399b01 Jan 28, 2019

CommanderStorm mentioned this issue Feb 21, 2024

[dns] Uptime Kuma Unable to Track Internationalized Domain Names (IDNs) louislam/uptime-kuma#3929

Closed

2 tasks

abhishekumar-tyagi pushed a commit to abhishekumar-tyagi/node that referenced this issue May 5, 2024

dns: idna encode hostnames before resolution

973bab3

Fixes: nodejs/node#25558

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DNS resolution fails for internationalized domain names #25558

DNS resolution fails for internationalized domain names #25558

saghul commented Jan 18, 2019

targos commented Jan 18, 2019

santigimeno commented Jan 18, 2019

silverwind commented Jan 18, 2019

bnoordhuis commented Jan 24, 2019

bnoordhuis commented Jan 24, 2019

DNS resolution fails for internationalized domain names #25558

DNS resolution fails for internationalized domain names #25558

Comments

saghul commented Jan 18, 2019

targos commented Jan 18, 2019

santigimeno commented Jan 18, 2019

silverwind commented Jan 18, 2019

bnoordhuis commented Jan 24, 2019

bnoordhuis commented Jan 24, 2019