Resolver: fix error handling if we didn't receive a response

[thaJeztah]

Addresses moby/moby#41003
Addresses moby/moby#20494 (comment)

Commit d5e341e updated the DNS library
and updated the error handling.

Due to changes in the library, we now had to check the response itself
to check if the response was truncated (Truncated DNS replies should
be sent to the client so that the client can retry over TCP).

However, bea32b0 added an incorrect
nil check to fix a panic, which ignored situations where
an error was returned, but no response (for example, if we failed
to connect to the DNS server).

In that situation, the error would be ignored, and further down we
would consider the connection to have been succesfull, but the DNS
server not returning a result.

After a "successful" lookup (but no results), we break the loop,
and don't attempt lookups in other DNS servers.

Versions before bea32b0 would produce:

Name To resolve: bbc.co.uk.
[resolver] query bbc.co.uk. (A) from 172.21.0.2:36181, forwarding to udp:192.168.5.1
[resolver] read from DNS server failed, read udp 172.21.0.2:36181->192.168.5.1:53: i/o timeout
[resolver] query bbc.co.uk. (A) from 172.21.0.2:38582, forwarding to udp:8.8.8.8
[resolver] received A record "151.101.0.81" for "bbc.co.uk." from udp:8.8.8.8
[resolver] received A record "151.101.192.81" for "bbc.co.uk." from udp:8.8.8.8
[resolver] received A record "151.101.64.81" for "bbc.co.uk." from udp:8.8.8.8
[resolver] received A record "151.101.128.81" for "bbc.co.uk." from udp:8.8.8.8

Versions after that commit would ignore the error, and stop further lookups:

Name To resolve: bbc.co.uk.
[resolver] query bbc.co.uk. (A) from 172.21.0.2:59870, forwarding to udp:192.168.5.1
[resolver] external DNS udp:192.168.5.1 returned empty response for "bbc.co.uk."

This patch updates the logic to handle the error to log the error (and continue with the next DNS):

• if an error is returned, and no response was received
• if an error is returned, but it was not related to a truncated response

[thaJeztah]

ping @arkodg @cpuguy83 @SamWhited PTAL; this introduced a regression in 19.03.9

[SamWhited]

Oops, LGTM, thanks for the fix. I seem to have misunderstood what the previous logic was doing, but this makes sense.

[thaJeztah]

seem to have misunderstood what the previous logic was doing, but this makes sense.

Looking at the original PR I recalled I stared at that line a couple of times, but failed to see the issue. Perhaps the comment needs a rewrite (I just tried a few times, but couldn't come up with something better 🤔)

@arkodg maybe we need a test for this, but I wasn't sure how to best test this; suggestions welcome.

[tiborvass]

@thaJeztah isn't bea32b0 the commit that broke things?

[arkodg]

@thaJeztah can we recreate the empty response using a test similar to

libnetwork/resolver_test.go

Line 216 in 1ea375d

func TestDNSProxyServFail(t *testing.T) {

[thaJeztah]

@tiborvass Oh! You're right! Same line. I can update, but won't be near a computer for the next couple of hours; If you happen to have time, feel free to carry and update (or push to my branch directly)

[tiborvass]

Ok sorry y'all, I couldn't figure out the test in libnetwork. So I'm adding a test in moby's integration.

[tiborvass]

Proposed integration test in moby: http://github.com/tiborvass/docker/commit/ab176072d635d8c8ff3fc7f30e959ef5bd7b3244

[arkodg]

LGTM, thanks for jumping on this @thaJeztah @tiborvass

[tiborvass]

@arkodg updated the commit message to mention the commit that actually caused regression bea32b0