fix(gateway): keep DoH-confirmed Telegram IPs that match system DNS (#14520)#17043
Closed
0xsir0000 wants to merge 1 commit into
Closed
fix(gateway): keep DoH-confirmed Telegram IPs that match system DNS (#14520)#170430xsir0000 wants to merge 1 commit into
0xsir0000 wants to merge 1 commit into
Conversation
…ousResearch#14520) discover_fallback_ips() filtered out any DoH-resolved IP that also appeared in the system resolver's answer set, on the assumption that the system IP was unreachable. When DoH and system DNS agreed (a common case), the function returned the hardcoded _SEED_FALLBACK_IPS list instead — and on networks where those seed addresses are not routable, the Telegram fallback transport had nothing usable to retry against and polling failed. Drop the system_ips exclusion so DoH-confirmed IPs are preserved regardless of system DNS overlap. The TelegramFallbackTransport already tries the primary path first via system DNS, then falls through to the IP-rewrite path on connect failure; including the same IP in both lanes lets a transient primary failure recover via the explicit IP route instead of escalating to seed addresses. Update the two tests that codified the old exclusion to reflect the new, inclusion-by-default behaviour. Fixes NousResearch#14520
Sldark23
pushed a commit
to Sldark23/hermes-agent
that referenced
this pull request
Apr 28, 2026
- Fix issue NousResearch#17139: Handle deliver as list in cron scheduler (fixes telegram delivery) - Fix issue NousResearch#17086: custom endpoint URL rewrite preserves /anthropic path when api_mode=anthropic_messages - Fix issue NousResearch#17054: slack manifest uses "version" instead of broken major/minor_version - Fix issue NousResearch#17049: wmic subprocess uses encoding='utf-8' with errors='replace' on Windows - Fix issue NousResearch#17043: DoH resolved IPs no longer excluded when overlapping with system DNS - Fix issue NousResearch#17140: TTS tools use get_env_value() instead of os.getenv() for API keys - Fix: hermes_cli/config.py _sanitize_env_lines detects KEY= at non-identifier positions Files modified: - agent/auxiliary_client.py - cron/scheduler.py - gateway/platforms/telegram_network.py - hermes_cli/config.py - hermes_cli/gateway.py - hermes_cli/slack_cli.py - tools/tts_tool.py
This was referenced Apr 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
discover_fallback_ips()ingateway/platforms/telegram_network.pyfiltered out any DoH-resolved IP that also appeared in the local system resolver's answer set, on the assumption that the system IP was unreachable. When DoH and system DNS agreed (a common case), the function returned the hardcoded_SEED_FALLBACK_IPSlist instead — and on networks where those seed addresses are not routable, the Telegram fallback transport had no usable retry target and polling failed.This drops the
system_ipsexclusion so DoH-confirmed IPs are preserved regardless of system-DNS overlap.TelegramFallbackTransportalready tries the primary path first (via system DNS), then falls through to the IP-rewrite path on connect failure; including the same IP in both lanes lets a transient primary failure recover via the explicit IP route instead of escalating to seed addresses that may not route.The two existing tests that codified the old exclusion are updated to reflect the new inclusion-by-default behaviour and renamed for clarity.
Fixes #14520
Behavior change
[sys_ip, X], system resolves[sys_ip][X][sys_ip, X][sys_ip], system resolves[sys_ip]_SEED_FALLBACK_IPS(e.g.149.154.167.220)[sys_ip][X, Y], system resolves[sys_ip][X, Y][X, Y](unchanged)_SEED_FALLBACK_IPS(unchanged)_SEED_FALLBACK_IPS(unchanged)The third and fourth rows are unchanged, so users on networks where the seed list is reachable retain the existing safety net.
Test plan
tests/gateway/test_telegram_network.py— 46 tests pass (12 inTestDiscoverFallbackIps)tests/gateway/test_telegram_network_reconnect.py— 9 tests passtest_system_dns_ip_excluded→test_system_dns_ip_kept_when_doh_confirmstest_all_doh_ips_same_as_system_dns_uses_seed→test_all_doh_ips_same_as_system_dns_kept