Re: [dnsdist] Compiling with DNS-over-QUIC on OpenSUSE - quiche not found
Hi Oto!

On 30/10/2023 14:06, Oto Šťáva via dnsdist wrote:
> I wanted to do some testing with the new DNS-over-QUIC implementation in dnsdist on my OpenSUSE machine. Quite understandably, OpenSUSE does not ship alpha versions of dnsdist, so I opted to compile the new version from source. I looked through the code to find out dnsdist uses Cloudflare's Quiche, which is also missing from OpenSUSE's repositories, and they do not seem to provide any good way of installing it from source into the system.
>
> Dnsdist contains a 'builder-support/helpers/install_quiche.sh' script, which runs successfully (or at least never complains about anything), but when I run './configure.sh --enable-dns-over-quic', I get the following message:
>
>     configure: error: DNS over QUIC support requested but quiche was not found
>
> Is there something I'm missing here? Is it just some strange behaviour on OpenSUSE's side?

I have not tried yet, but I guess that the directory in which our install script installs the Quiche pkg-config module file (/usr/lib/pkgconfig) is not in the default pkg-config path on openSUSE. This is also the case on RH-based distributions where we had to add [1] /usr/lib/pkgconfig to PKG_CONFIG_PATH for Quiche to be detected.

Can you try setting PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/lib64/pkgconfig at the end of your configure line?

[1]: https://github.com/PowerDNS/pdns/blob/master/builder-support/specs/dnsdist.spec#L108

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
[dnsdist] Compiling with DNS-over-QUIC on OpenSUSE - quiche not found
Hi, everyone,

I wanted to do some testing with the new DNS-over-QUIC implementation in dnsdist on my OpenSUSE machine. Quite understandably, OpenSUSE does not ship alpha versions of dnsdist, so I opted to compile the new version from source. I looked through the code to find out dnsdist uses Cloudflare's Quiche, which is also missing from OpenSUSE's repositories, and they do not seem to provide any good way of installing it from source into the system.

Dnsdist contains a 'builder-support/helpers/install_quiche.sh' script, which runs successfully (or at least never complains about anything), but when I run './configure.sh --enable-dns-over-quic', I get the following message:

    configure: error: DNS over QUIC support requested but quiche was not found

Is there something I'm missing here? Is it just some strange behaviour on OpenSUSE's side?

Kind regards,
Oto Šťáva
Knot Resolver - CZ.NIC z.s.p.o.
Re: [dnsdist] Question about implementing dynBlockRulesGroup
Hi,

On 30/10/2023 11:08, CamZie via dnsdist wrote:
> We would like to use DNSdist to block traffic that exceeds a QPS limit and we have configured the following as test:
>
>     local dbr = dynBlockRulesGroup()
>     dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
>     dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)
>
>     function maintenance()
>       dbr:apply()
>     end
>
> However, when we do 10 queries with the following command, all 10 requests still go through successfully:
>
>     for a in {0..10}; do dig -t a @ +short; done
>
> From the console, we can see that the client has been detected and is listed in the blocklist but still the 10 queries have gone through even though we have limited it to 5.
>
>     > showDynBlocks()
>     What   Seconds  Blocks  Warning  Action  Reason
>     /32    56       0       false    Drop    Exceeded query rate

This is expected, as 'maintenance' is called every second so it might take up to a second for the client to get blocked.

> Is there a way we can immediately drop the connection after reaching max 5 queries per second as defined in the config? This is the same case with the ANY requests restriction.

MaxQPSIPRule [1] should do that. It is a bit more expensive than dynamic blocks when you have a lot of queries per second because it has to update a state for every query, but the "shards" parameter added in 1.8.0 should help a lot under heavy load.

[1]: https://dnsdist.org/rules-actions.html#MaxQPSIPRule

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
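Added example, not part of the thread and not PowerDNS's own configuration: one way to apply the per-query limit suggested in the reply above in dnsdist.conf, reusing the 5 qps and 2 qps thresholds from the question. The mask, burst, expiration, cleanup, scan and shard values are assumptions chosen for illustration, and the shards argument needs dnsdist 1.8.0 or later.

```lua
-- Added example: per-query rate limiting with MaxQPSIPRule.
-- Thresholds (5 qps overall, 2 qps for ANY) come from the question in the
-- thread; every other argument value is an assumption for illustration.
--
-- MaxQPSIPRule(qps, v4Mask, v6Mask, burst, expiration, cleanupDelay,
--              scanFraction, shards)
-- keeps one token bucket per client prefix and is evaluated on every query,
-- so the limit takes effect as soon as it is exceeded instead of waiting
-- for the next maintenance() run.

-- ANY queries: AndRule stops at the first selector that does not match, so
-- the rate rule placed after QTypeRule only sees (and only counts) ANY queries.
addAction(
  AndRule({
    QTypeRule(DNSQType.ANY),
    MaxQPSIPRule(2, 32, 64, 2, 300, 60, 10, 16)
  }),
  DropAction()
)

-- All query types: drop whatever exceeds 5 qps per /32 (IPv4) or /64 (IPv6).
-- burst = 5 means no allowance above the configured rate.
addAction(MaxQPSIPRule(5, 32, 64, 5, 300, 60, 10, 16), DropAction())

-- The dynamic block group from the question can stay alongside these rules.
-- It still only acts when maintenance() runs, but then blocks the offending
-- client for the full 60 seconds rather than query by query.
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)

function maintenance()
  dbr:apply()
end
```

Rules are evaluated in the order they are added, so the ANY-specific rule is placed before the general one.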
[dnsdist] Question about implementing dynBlockRulesGroup
Hello,

We would like to use DNSdist to block traffic that exceeds a QPS limit and we have configured the following as test:

    local dbr = dynBlockRulesGroup()
    dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
    dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)

    function maintenance()
      dbr:apply()
    end

However, when we do 10 queries with the following command, all 10 requests still go through successfully:

    for a in {0..10}; do dig -t a @ +short; done

From the console, we can see that the client has been detected and is listed in the blocklist but still the 10 queries have gone through even though we have limited it to 5.

    > showDynBlocks()
    What   Seconds  Blocks  Warning  Action  Reason
    /32    56       0       false    Drop    Exceeded query rate

Is there a way we can immediately drop the connection after reaching max 5 queries per second as defined in the config? This is the same case with the ANY requests restriction.

Thanks,