[OpenAFS] Strange DNS SRV traffic resulting from stat() in 1.8.13.2

[Gunnar Krull]

Hi Jeffrey,

On 25/08/2025 17:19, Jeffrey Altman wrote:
>> 25-Aug-2025 07:15:47.756 client @0x7fa6b79fe168 172.27.2.4#34129 (_afs3-vlserver._udp.informatik.uni-goettingen.de/user/a/xxxxxx/.xxxlogin/.google_authenticator.informatik.uni-goettingen.de): query: _afs3-vlserver._udp.informatik.uni-goettingen.de/user/a/xxxxxx/.xxxlogin/.google_authenticator.informatik.uni-goettingen.de IN SRV +E(0) (134.76.81.212)
> 
> Likewise a lookup is being performed for “informatik.uni-goettingen.de/user/a/xxxxxx/.xxxlogin/.google_authenticator” as a single path component.
> 
> An strace of the originating process would be useful to examine.

here is one example of a strace that can be matched to the corresponding 
DNS query.

* strace of the process:

11442 13:56:30.961461 faccessat2(AT_FDCWD</>, 
"/afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys", 
R_OK, AT_EACCESS) = -1 ENOENT (No such file or directory) <0.017024>

* corresonding generated DNS queries:

26-Aug-2025 13:56:30.989 client @0x7fa6b799e168 172.27.2.4#39324 
(_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys): 
query: 
_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys 
IN SRV +E(0) (134.76.81.212)
26-Aug-2025 13:56:30.993 client @0x7fa6b7d28168 172.27.2.4#32940 
(_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de): 
query: 
_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de 
IN SRV +E(0) (134.76.81.212)
26-Aug-2025 13:56:30.993 client @0x7fa6b799e168 172.27.2.4#45932 
(_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys): 
query: 
_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys 
IN SRV +E(0) (134.76.81.212)
26-Aug-2025 13:56:30.997 client @0x7fa6b799e168 172.27.2.4#43894 
(_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de): 
query: 
_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de 
IN SRV +E(0) (134.76.81.212)
26-Aug-2025 13:56:30.997 client @0x7fa6b799e168 172.27.2.4#37887 
(informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys): 
query: 
informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys 
IN AFSDB +E(0) (134.76.81.212)
26-Aug-2025 13:56:30.997 client @0x7fa6b7d28168 172.27.2.4#59276 
(informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de): 
query: 
informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de 
IN AFSDB +E(0) (134.76.81.212)
26-Aug-2025 13:56:31.001 client @0x7fa6b7d28168 172.27.2.4#35919 
(_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys): 
query: 
_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys 
IN SRV +E(0) (134.76.81.212)
26-Aug-2025 13:56:31.001 client @0x7fa6b799e168 172.27.2.4#36703 
(_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de): 
query: 
_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de 
IN SRV +E(0) (134.76.81.212)
26-Aug-2025 13:56:31.001 client @0x7fa6b7d28168 172.27.2.4#38808 
(_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys): 
query: 
_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys 
IN SRV +E(0) (134.76.81.212)
26-Aug-2025 13:56:31.005 client @0x7fa6b799e168 172.27.2.4#50967 
(_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de): 
query: 
_afs3-vlserver._udp.informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de 
IN SRV +E(0) (134.76.81.212)
26-Aug-2025 13:56:31.005 client @0x7fa6b7d28168 172.27.2.4#57572 
(informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys): 
query: 
informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys 
IN AFSDB +E(0) (134.76.81.212)
26-Aug-2025 13:56:31.005 client @0x7fa6b7d28168 172.27.2.4#39195 
(informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de): 
query: 
informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/authorized_keys.informatik.uni-goettingen.de 
IN AFSDB +E(0) (134.76.81.212)


The same process generates many more DNS queries. These queries were 
triggered by some or all of these calls (copied from the strace log):

11442 13:56:30.762434 faccessat2(AT_FDCWD</>, 
"/afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator", 
R_OK, AT_EACCESS) = 0 <0.028036>
11457 13:56:30.810270 newfstatat(AT_FDCWD</>, 
"/afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator", 
{st_dev=makedev(0, 0x3e), st_ino=1006703510, st_mode=S_IFREG|0400, 
st_nlink=1, st_uid=495256031, st_gid=2000, st_blksize=4096, st_blocks=2, 
st_size=119, st_atime=1699975069 /* 2023-11-14T16:17:49+0100 */, 
st_atime_nsec=0, st_mtime=1699975069 /* 
2023-11-14T16:17:49.000000001+0100 */, st_mtime_nsec=1, 
st_ctime=1699975069 /* 2023-11-14T16:17:49+0100 */, st_ctime_nsec=0}, 0) 
= 0 <0.017592>
11457 13:56:30.828106 openat(AT_FDCWD</>, 
"/afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator", 
O_RDONLY) = 
4</afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator> 
<0.015814>
11457 13:56:30.859771 
fstat(4</afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator>, 
{st_dev=makedev(0, 0x3e), st_ino=1006703510, st_mode=S_IFREG|0400, 
st_nlink=1, st_uid=495256031, st_gid=2000, st_blksize=4096, st_blocks=2, 
st_size=119, st_atime=1699975069 /* 2023-11-14T16:17:49+0100 */, 
st_atime_nsec=0, st_mtime=1699975069 /* 
2023-11-14T16:17:49.000000001+0100 */, st_mtime_nsec=1, 
st_ctime=1699975069 /* 2023-11-14T16:17:49+0100 */, st_ctime_nsec=0}) = 
0 <0.000047>
11457 13:56:30.876787 
fadvise64(4</afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator>, 
0, 0, POSIX_FADV_SEQUENTIAL) = 0 <0.000055>
11457 13:56:30.893622 
copy_file_range(4</afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator>, 
NULL, 5</etc/ifi-login/m.musterfrau/.google_authenticator>, NULL, 
9223372035781033984, 0) = -1 EXDEV (Invalid cross-device link) <0.000047>
11457 13:56:30.910322 
read(4</afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator>, 
"CW3NLGG4RFQ5YHVO74SQ27QLVU\n\" RAT"..., 131072) = 119 <0.000847>
11457 13:56:30.928084 
read(4</afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator>, 
"", 131072) = 0 <0.000025>
11457 13:56:30.944824 
close(4</afs/informatik.uni-goettingen.de/user/m/m.musterfrau/.ifi-login/.google_authenticator>) 
= 0 <0.000028>


The process was running on Ubuntu 24.04, kernel 6.14.0-28-generic, 
OpenAFS Client 1.8.13.2-1ubuntu1.

It's a bit difficult to reproduce and trigger the DNS queries.
I hope this information is useful.

Regards,
Gunnar