Re: [dnsdist] Compiling with DNS-over-QUIC on OpenSUSE - quiche not found

2023-10-30 Thread Remi Gacogne via dnsdist

Hi Oto!

On 30/10/2023 14:06, Oto Šťáva via dnsdist wrote:
> I wanted to do some testing with the new DNS-over-QUIC implementation in
> dnsdist on my OpenSUSE machine. Quite understandably, OpenSUSE does not
> ship alpha versions of dnsdist, so I opted to compile the new version
> from source.
>
> I looked through the code to find out dnsdist uses Cloudflare's Quiche,
> which is also missing from OpenSUSE's repositories, and they do not seem
> to provide any good way of installing it from source into the system.
> Dnsdist contains a 'builder-support/helpers/install_quiche.sh' script,
> which runs successfully (or at least never complains about anything),
> but when I run './configure.sh --enable-dns-over-quic', I get the
> following message:
>
> configure: error: DNS over QUIC support requested but quiche was not found
>
> Is there something I'm missing here? Is it just some strange behaviour
> on OpenSUSE's side?


I have not tried yet, but I guess that the directory in which our 
install script installs the Quiche pkg-config module file 
(/usr/lib/pkgconfig) is not in the default pkg-config path on openSUSE. 
This is also the case on RH-based distributions where we had to add [1] 
/usr/lib/pkgconfig to PKG_CONFIG_PATH for Quiche to be detected.


Can you try setting 
PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/lib64/pkgconfig at the end of 
your configure line?


[1]: https://github.com/PowerDNS/pdns/blob/master/builder-support/specs/dnsdist.spec#L108

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/



___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist


[dnsdist] Compiling with DNS-over-QUIC on OpenSUSE - quiche not found

2023-10-30 Thread Oto Šťáva via dnsdist

Hi, everyone,

I wanted to do some testing with the new DNS-over-QUIC implementation in 
dnsdist on my OpenSUSE machine. Quite understandably, OpenSUSE does not 
ship alpha versions of dnsdist, so I opted to compile the new version 
from source.


I looked through the code to find out dnsdist uses Cloudflare's Quiche, 
which is also missing from OpenSUSE's repositories, and they do not seem 
to provide any good way of installing it from source into the system. 
Dnsdist contains a 'builder-support/helpers/install_quiche.sh' script, 
which runs successfully (or at least never complains about anything), 
but when I run './configure.sh --enable-dns-over-quic', I get the 
following message:


configure: error: DNS over QUIC support requested but quiche was not found

Is there something I'm missing here? Is it just some strange behaviour 
on OpenSUSE's side?


Kind regards,
Oto Šťáva
Knot Resolver - CZ.NIC z.s.p.o.



Re: [dnsdist] Question about implementing dynBlockRulesGroup

2023-10-30 Thread Remi Gacogne via dnsdist

Hi,

On 30/10/2023 11:08, CamZie via dnsdist wrote:
> We would like to use DNSdist to block traffic that exceeds a QPS limit
> and we have configured the following as test:
>
> local dbr = dynBlockRulesGroup()
>
> dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
> dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)
>
> function maintenance()
>    dbr:apply()
> end
>
> However, when we do 10 queries with the following command, all 10
> requests still go through successfully:
>
> for a in {0..10}; do dig -t a  @ +short; done
>
> From the console, we can see that the client has been detected and is
> listed in the blocklist but still the 10 queries have gone through even
> though we have limited it to 5.
>
> showDynBlocks()
> What                      Seconds   Blocks Warning    Action           Reason
> /32                            56        0 false      Drop             Exceeded query rate

This is expected, as 'maintenance' is called every second so it might
take up to a second for the client to get blocked.

> Is there a way we can immediately drop the connection after reaching max
> 5 queries per second as defined in the config? This is the same case
> with the ANY requests restriction.


MaxQPSIPRule [1] should do that. It is a bit more expensive than dynamic
blocks when you have a lot of queries per second because it has to 
update a state for every query, but the "shards" parameter added in 
1.8.0 should help a lot under heavy load.


[1]: https://dnsdist.org/rules-actions.html#MaxQPSIPRule

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
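
The per-query limit suggested in the reply above, written out as a dnsdist configuration next to the dynamic block group from the question. This is an added example, not configuration posted in the thread; the mask, burst, expiration, cleanup, scan and shard values are chosen for illustration, and passing `shards` assumes dnsdist 1.8.0 or later, as stated in the reply.

```lua
-- Added example, not from the thread. Values marked "illustrative" are assumptions.

-- Dynamic blocks, as in the question: the counters are evaluated when
-- maintenance() runs (every second), so a short burst can pass for up to
-- a second before the client is blocked for 60 seconds.
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)

function maintenance()
  dbr:apply()
end

-- Per-query limits: MaxQPSIPRule updates its per-client state on every
-- query, so excess queries are dropped without waiting for maintenance().

-- ANY queries: at most 2 per second per client. QTypeRule is listed first
-- so the limiter only counts ANY queries.
addAction(AndRule({QTypeRule(DNSQType.ANY), MaxQPSIPRule(2)}), DropAction())

-- All queries: at most 5 per second per client.
-- Positional arguments: qps, v4Mask, v6Mask, burst, expiration,
-- cleanupDelay, scanFraction, shards (all but qps are illustrative).
addAction(MaxQPSIPRule(5, 32, 64, 5, 300, 60, 10, 16), DropAction())
```

Keeping both mechanisms means the per-query rule caps the burst immediately, while the dynamic block keeps a persistent offender blocked for the full 60 seconds.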





[dnsdist] Question about implementing dynBlockRulesGroup

2023-10-30 Thread CamZie via dnsdist

Hello,

We would like to use DNSdist to block traffic that exceeds a QPS limit and we 
have configured the following as test:

local dbr = dynBlockRulesGroup()

dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)

function maintenance()
   dbr:apply()
end

However, when we do 10 queries with the following command, all 10 requests 
still go through successfully:

for a in {0..10}; do dig -t a  @ +short; done

From the console, we can see that the client has been detected and is listed in 
the blocklist but still the 10 queries have gone through even though we have 
limited it to 5.

> showDynBlocks()
What                      Seconds   Blocks Warning    Action           Reason
/32                            56        0 false      Drop             Exceeded query rate

Is there a way we can immediately drop the connection after reaching max 5 
queries per second as defined in the config? This is the same case with the ANY 
requests restriction.
Thanks,