linphone-developers

[Linphone-developers] Belle-sip DNS Via TCP Issue


From: Trevor Alpeter
Subject: [Linphone-developers] Belle-sip DNS Via TCP Issue
Date: Mon, 28 Mar 2016 17:05:39 -0400

We are seeing DNS resolution errors in our Linphone client and have
tracked it down to belle-sip's handling of throttling behavior
implemented by Google's DNS servers. Under certain conditions, Google's
servers will return an empty UDP DNS response with the truncation bit
set. RFC-compliant clients will retry via TCP and succeed. This
technique is described in Google's DNS threats and mitigations security
document [1].

We have observed that belle-sip will retry via TCP if it receives a UDP
response with the truncation bit set. However, it fails to return the
response it receives via TCP to Linphone. This results in the user
failing to register with the SIP server.

We created a Python script to replicate this DNS behavior that can be
found at [2]. The script returns empty responses with the truncation bit
set for all UDP queries. It handles TCP queries normally. The script
requires the dnslib package, which can be installed via pip. The script
currently returns 127.0.0.1 as the address for queries.

When testing on an Ubuntu client, we observed that native operating
system programs, such as nslookup, were successfully able to resolve
'sip.linphone.org.' However, the belle_sip_resolve utility consistently
fails. If we run the utility with the '--debug' flag, it appears that it
times out while attempting to resolve the address.

My best guess at the moment is that there is an issue parsing the TCP
responses, although I don't see any error messages or anything. I plan
to debug the library to see if I can further isolate the issue.

Any insight or input on this issue is appreciated.

Thanks in advance.

Trevor

[1] https://developers.google.com/speed/public-dns/docs/security#rate_limit

[2] https://gist.github.com/trevora-edge/5784c9c8c5684b4a3993
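
The exchange described in the message above, as an added example that is not part of the original post, the linked gist, or belle-sip: an empty UDP reply with the truncation bit set, the check that triggers the TCP retry, and the 2-byte length framing (RFC 1035, section 4.2.2) a client must reassemble before parsing the TCP reply. It uses only the Python standard library; all function and class names are hypothetical, and the transaction ID, TTL and messages are constructed samples.

```python
import struct

QR_FLAG = 0x8000  # header flag: message is a response
TC_FLAG = 0x0200  # header flag: response was truncated

def build_query(name, txid, qtype=1):
    """Encode a one-question query (RD set, class IN, type A by default)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def truncated_reply(query):
    """UDP reply used for throttling: question echoed, no answers, TC set."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HHHHHH", txid, flags | QR_FLAG | TC_FLAG, 1, 0, 0, 0) + query[12:]

def tcp_answer(query, addr="127.0.0.1"):
    """Full reply as served over TCP: one A record (constructed TTL of 60)."""
    txid, flags = struct.unpack("!HH", query[:4])
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(p) for p in addr.split("."))
    return struct.pack("!HHHHHH", txid, flags | QR_FLAG, 1, 1, 0, 0) + query[12:] + rr

def needs_tcp_retry(reply, txid):
    """True when a UDP reply matches our query ID and has the TC bit set."""
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & QR_FLAG) and bool(flags & TC_FLAG)

def frame_tcp(message):
    """DNS over TCP prefixes every message with its length (2 bytes, big-endian)."""
    return struct.pack("!H", len(message)) + message

class TcpReassembler:
    """Buffers TCP stream chunks and returns only complete DNS messages."""
    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        self.buf += chunk
        done = []
        while len(self.buf) >= 2:
            n = struct.unpack("!H", self.buf[:2])[0]
            if len(self.buf) < 2 + n:
                break  # partial message: keep buffering until the rest arrives
            done.append(self.buf[2:2 + n])
            self.buf = self.buf[2 + n:]
        return done
```

A TCP read may deliver the length prefix and the message in separate chunks, so the reply must be handed to the parser only once `feed` returns a complete message.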



