DNS Rebind

How the Trust1Connector solves the DNS rebind issue

Automatic DNS rebind resolution is implemented starting from v3.8.4; older versions can solve this by following the troubleshooting guide: Connector Connection Issues

Introduction

The connector uses a domain name (depending on the connector partner), with a default value of:

https://t1c.t1t.io

The given domain is registered with DNSSEC enabled and resolves to 'localhost' (the device itself).

The connector can also run in other modes (http, localhost, custom domain name, etc.), but when the connector cannot be reached through this name, the following causes are probable:

  • DNS rebind protection is enforced by your router or ISP (Internet Service Provider)

  • The domain name is not whitelisted in your internal network

  • A local proxy is running and prevents the internal connector communication

  • An antivirus is blocking the connector communication

  • Your (custom) DNS server has no record for localhost or t1c.t1t.io

The automatic DNS rebind resolution solves the local connectivity issue by adding the domain name used by the connector to the hosts file of the device.

As the connector runs in user mode, and therefore has no elevated rights, a separate process is started on the operating system that asks the user for the `admin password`, solely for the purpose of adding the record to the hosts file of the system.

When a user does not have `administrator` access to their device, an IT administrator can solve the issue (and apply it to all users in that domain).

When installing the Trust1Connector in a network you own and manage, by default we ask you to:

  • allow outbound DNS to the Distribution Server

  • whitelist the local domain name used (t1c.t1t.io) on the router(s) or firewall(s)

  • allow or whitelist the local domain name in anti-virus agents

Typically, when one of the above applies and has not been done, the connector will run but may not be reachable.

Logical Flow

The following diagram shows the logic behind the one-time check. The process runs on startup on a separate system thread and, when executed successfully, persists a marker file (.dnsrebind) in the installation directory of the connector.

flowchart LR
    AA((Start)) --> A
    A[Check connectivity] --> B{Is connected?}
    B -->|yes| P((END))

    B -->|no| F{Marker exists?}
    F -->|yes| G[Check connectivity]

    F -->|no| H{Host file updated?}
    H -->|yes| G
    H -->|no| J[Append domain to hostfile]

    J --> K{Marker exists?}
    K -->|no| M[Create marker]

    M --> G
    K -->|yes| G

    G --> O{Is connected?}
    O -->|yes| P
    O -->|no| Q[Error message]
    Q --> P

Process States

Clean

Starting from a clean installation, the process goes through the flow above and, based on the outcome of the DNS resolution, updates the hosts file and creates the marker file.

Success - marker present

The process goes through the flow above and, when successful, a DNS check is executed which returns a successful response.

Success - no marker present

The process goes through the flow above and, when successful, creates the marker file without needing to update the hosts file.

Failure - marker present

The process goes through the flow above and, on `failure`, finds the marker file, resulting in an error message that it could not resolve the domain. In this scenario the marker file indicates that the hosts file has already been updated, so the problem must be elsewhere.

Failure - no marker present

The process goes through the flow above and, on `failure`, creates the marker file and updates the hosts file. When the final DNS check fails, it returns an error message.

Here too the marker file indicates that the hosts file has been updated, so the problem must be elsewhere.

When the marker file `.dnsrebind` is present in the connector directory, the DNS entry has been added to (or was already present in) the local hosts file.

Adding the .dnsrebind file in the user folder prevents the logic from being executed at service startup.
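The one-time check and the process states above, modelled as an added Python example (this is not Trust1Connector's own code). It assumes nothing beyond what the page states: the default name t1c.t1t.io, loopback as the expected answer, and a `.dnsrebind` marker. The hosts-file path, marker path and resolver are parameters so that the flow runs offline against a temporary file and an injected resolver; `resolve_system` shows how a real pass would consult the OS resolver, which reads the hosts file before querying upstream DNS. Whether the hosts entry is written by an elevated helper (as in the product) is outside the model.

```python
import os
import socket
import tempfile

DOMAIN = "t1c.t1t.io"        # default connector name from the page
MARKER_NAME = ".dnsrebind"   # marker file name from the page
LOOPBACK = "127.0.0.1"


def resolve_system(domain):
    """Resolve with the OS resolver, which consults the hosts file first.
    Returns the address or None when the name does not resolve (for example
    a router or ISP with rebind protection dropping loopback answers)."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None


def is_connected(resolve, domain=DOMAIN):
    """'Check connectivity' node: the name must resolve, and to loopback.
    A non-loopback answer would send connector traffic off the device,
    so it counts as a failure as well."""
    addr = resolve(domain)
    return addr is not None and addr.startswith("127.")


def hosts_has_entry(hosts_text, domain=DOMAIN):
    """'Host file updated?' node: an uncommented line mapping domain to loopback."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0].startswith("127.") and domain in fields[1:]:
            return True
    return False


def append_hosts_entry(hosts_path, domain=DOMAIN):
    """'Append domain to hostfile' node; writes to whatever path it is given."""
    with open(hosts_path, "a", encoding="utf-8") as fh:
        fh.write(f"\n{LOOPBACK} {domain}\n")


def run_rebind_check(resolve, hosts_path, marker_path, domain=DOMAIN):
    """One pass through the flowchart. Returns (actions, outcome): the list of
    changes made, and 'connected' or 'error'."""
    actions = []
    if is_connected(resolve, domain):
        return actions, "connected"                    # B: yes -> END
    if not os.path.exists(marker_path):                # F: marker exists?
        with open(hosts_path, encoding="utf-8") as fh:
            already = hosts_has_entry(fh.read(), domain)   # H
        if not already:
            append_hosts_entry(hosts_path, domain)     # J
            actions.append("hosts-updated")
        # The marker records that the entry is in the hosts file, whether it
        # was added now or was already present (see "Process States").
        open(marker_path, "w", encoding="utf-8").close()   # M
        actions.append("marker-created")
    if is_connected(resolve, domain):                  # G / O
        return actions, "connected"
    # Marker present and entry in place: the cause is elsewhere (upstream
    # rebind protection, a proxy, antivirus, or a missing whitelist entry).
    actions.append("error-reported")                   # Q
    return actions, "error"


def simulate():
    """Drive four scenarios against a constructed temporary hosts file and a
    resolver that honours that file but otherwise fails (upstream rebind
    protection). Returns {scenario: (actions, outcome)}."""
    workdir = tempfile.mkdtemp()
    hosts = os.path.join(workdir, "hosts")
    marker = os.path.join(workdir, MARKER_NAME)
    with open(hosts, "w", encoding="utf-8") as fh:
        fh.write("127.0.0.1 localhost\n")              # constructed hosts file

    def local_only(domain):
        with open(hosts, encoding="utf-8") as fh:
            return LOOPBACK if hosts_has_entry(fh.read(), domain) else None

    def blocked(domain):
        return None                                    # proxy or antivirus in the way

    results = {}
    results["first-run"] = run_rebind_check(local_only, hosts, marker)
    results["second-run"] = run_rebind_check(local_only, hosts, marker)
    results["blocked-with-marker"] = run_rebind_check(blocked, hosts, marker)
    os.remove(marker)
    results["blocked-without-marker"] = run_rebind_check(blocked, hosts, marker)
    return results


if __name__ == "__main__":
    for name, (actions, outcome) in simulate().items():
        print(f"{name:24s} {outcome:10s} {actions}")
```

The "blocked" scenarios are the two failure states from the page: once the marker exists and the hosts file carries the entry, a failed check is reported as an error rather than retried, which is why removing a stale `.dnsrebind` marker is the first thing to try when the hosts file has been changed by hand.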
