Hi Klaus,

On 17/01/2022 21:05, Klaus Darilion wrote:
>> Pierre Grié from Nameshield contributed an XDP program to reply to
>> blocked UDP queries with a truncated response directly from the
>> kernel, in a similar way to what we were already doing using eBPF
>> socket filters. This version adds support for eBPF pinned maps,
>> allowing dnsdist to populate the maps using our dynamic blocking
>> mechanism, and letting the external XDP program do the actual
>> blocking or response.

> How does this work in detail? If example.com is on these lists
> (filtering or truncate response), will it block also www.example.com
> (and other subdomains) or only exactly the name on the list?

I'm afraid the current XDP program would only block the exact name on the list. Now that the actual program can live outside of dnsdist it would be easier to write a new XDP program doing suffix matching, but no-one has done so yet. The main issue was that we wanted to keep our eBPF code working on older kernels where the number of eBPF instructions is very limited, but it would be very fine for an external XDP program to target newer kernels only. I would be happy to merge such a program in our "contrib" directory :-)

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/


_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist

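The distinction in Remi's answer, exact-name matching versus suffix matching on the query name, shown as an added example that is not dnsdist's code and not a loadable XDP program: plain C that models both rules over RFC 1035 wire-format names (length-prefixed labels ending in a zero-length root label) using only fixed loop bounds, which is the shape an eBPF verifier accepts and the reason the instruction budget matters. MAX_LABELS, MAX_WIRE, the sample names and every function name below are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed bounds for this example: every loop is capped by a compile-time
 * constant, as an XDP program must be for the verifier to accept it. */
#define MAX_LABELS 16
#define MAX_WIRE   256

static int lower(int c) { return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c; }

/* Convert "www.example.com" (optional trailing dot) to wire format.
 * Returns the wire length, or -1 for an empty/overlong label or a full buffer. */
int dns_to_wire(const char *name, uint8_t *out, size_t outlen) {
    size_t pos = 0;
    for (int i = 0; i <= MAX_LABELS; i++) {
        if (*name == '\0') {                 /* end of input: emit the root label */
            if (pos + 1 > outlen) return -1;
            out[pos++] = 0;
            return (int)pos;
        }
        const char *dot = strchr(name, '.');
        size_t ll = dot ? (size_t)(dot - name) : strlen(name);
        if (ll == 0 || ll > 63 || pos + 1 + ll > outlen) return -1;
        out[pos++] = (uint8_t)ll;
        memcpy(out + pos, name, ll);
        pos += ll;
        name = dot ? dot + 1 : name + ll;
    }
    return -1;                               /* more labels than MAX_LABELS */
}

/* Record the offset of each label of a wire-format name. Returns the label
 * count (0 for the root), or -1 if the name is malformed: label longer than
 * 63, compression pointer (top two bits set), missing terminator, too many labels. */
int dns_label_offsets(const uint8_t *wire, size_t len, uint8_t offs[MAX_LABELS]) {
    size_t pos = 0;
    int n = 0;
    for (int i = 0; i <= MAX_LABELS; i++) {
        if (pos >= len) return -1;
        uint8_t ll = wire[pos];
        if (ll == 0) return n;
        if (ll > 63 || pos + 1 + ll >= len) return -1;
        if (n == MAX_LABELS) return -1;
        offs[n++] = (uint8_t)pos;
        pos += 1 + ll;
    }
    return -1;
}

/* Case-insensitive comparison of the wire name starting at wire[off] with the
 * complete wire name pat. Length bytes are below 'A', so lower() leaves them alone. */
static int wire_eq_at(const uint8_t *wire, size_t len, size_t off,
                      const uint8_t *pat, size_t plen) {
    for (size_t i = 0; i < MAX_WIRE; i++) {
        if (off + i >= len || i >= plen) return 0;
        if (lower(wire[off + i]) != lower(pat[i])) return 0;
        if (pat[i] == 0) return 1;           /* both reached the root label */
    }
    return 0;
}

/* Exact match, as in the current XDP program: the whole qname must equal the entry. */
int dns_exact_match(const uint8_t *q, size_t qlen, const uint8_t *entry, size_t elen) {
    return wire_eq_at(q, qlen, 0, entry, elen);
}

/* Suffix match: the entry must equal the qname from some label boundary onward,
 * so "example.com" covers "www.example.com" but not "notexample.com".
 * Returns 1/0, or -1 if the qname is malformed. */
int dns_suffix_match(const uint8_t *q, size_t qlen, const uint8_t *entry, size_t elen) {
    uint8_t offs[MAX_LABELS];
    int n = dns_label_offsets(q, qlen, offs);
    if (n < 0) return -1;
    for (int i = 0; i < MAX_LABELS; i++) {
        if (i >= n) break;
        if (wire_eq_at(q, qlen, offs[i], entry, elen)) return 1;
    }
    return 0;
}

/* Convenience wrappers on presentation-format names: 1/0, or -1 on bad input. */
int exact_match_str(const char *qname, const char *entry) {
    uint8_t q[MAX_WIRE], e[MAX_WIRE];
    int ql = dns_to_wire(qname, q, sizeof q), el = dns_to_wire(entry, e, sizeof e);
    if (ql < 0 || el < 0) return -1;
    return dns_exact_match(q, (size_t)ql, e, (size_t)el);
}

int suffix_match_str(const char *qname, const char *entry) {
    uint8_t q[MAX_WIRE], e[MAX_WIRE];
    int ql = dns_to_wire(qname, q, sizeof q), el = dns_to_wire(entry, e, sizeof e);
    if (ql < 0 || el < 0) return -1;
    return dns_suffix_match(q, (size_t)ql, e, (size_t)el);
}

int main(void) {
    /* Constructed sample names, not taken from any real block list. */
    const char *entry = "example.com";
    const char *qnames[] = { "example.com", "www.Example.COM", "notexample.com", "example.com.evil.test" };
    for (size_t i = 0; i < sizeof qnames / sizeof qnames[0]; i++)
        printf("%-24s exact=%d suffix=%d\n", qnames[i],
               exact_match_str(qnames[i], entry), suffix_match_str(qnames[i], entry));
    return 0;
}
```

The suffix rule only tests candidates at label boundaries, which is what keeps "notexample.com" out of a list entry for "example.com"; a byte-string suffix test would let it through. The cost is one bounded scan of the qname plus up to MAX_LABELS comparisons, which is the extra instruction count an older kernel's eBPF limit would not leave room for.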