Re: [dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade
Remi Gacogne via dnsdist: thanks for the pointer, really looking forward to the dnsdist version that has this solved. Sure, I expect to release 1.9.2 including this fix in the next couple weeks. thanks! Note that this metric (doh_http_version_queries) is incremented after doing some sanity checks but before actually parsing the DNS query, so unfortunately we cannot be sure these are valid DoH queries. At this point they could be bots. Can you check doh_version_status_responses for httpversion=1 and status=200 instead? Thanks for pointing that out. In our case these two graphs overlap very closely. Maybe because only requests using the correct hostname in the SNI actually reach dnsdist in the first place. So the practical solution to use dnsdist 1.9.0 with nghttp2 and still support HTTP/1.1 clients is to use a webserver like nginx in front of dnsdist? Yes, a reverse proxy like nginx or HAProxy might be the best option to keep HTTP/1.1 support at this point. Turns out nginx does not speak HTTP/2 with upstream servers but HAProxy does according to the documentation. I'm afraid we are currently not increasing any counter in this exact case, I'll see what I can do about it. Thanks, appreciated. You are correct, but in practice I am yet to see a DoH client using HTTP/1.1 in production. Would be interesting to know how much non-HTTP/2 traffic large DoH service providers see in practice, maybe I'm going to reach out on the dns-operations mailing list. I just don't want to increase the code complexity and attack surface just to reply to crawlers.. Yes, that makes sense :) best regards, Christoph ___ dnsdist mailing list dnsdist@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/dnsdist
Re: [dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade
Hi,
On 18/03/2024 22:00, Christoph via dnsdist wrote:
This might be related:https://github.com/PowerDNS/pdns/issues/13850,
not backported yet
thanks for the pointer, really looking forward to the dnsdist version
that has this solved.
Sure, I expect to release 1.9.2 including this fix in the next couple weeks.
The new nghttp2 provider for
incoming DNS over HTTPS does not support HTTP/1.1. In 1.9.x it's
still possible to switch back to the legacy h2o provider but note
that it will likely go away in the next major version of DNSdist. In
our testing the lack of HTTP/1.1 support was not an issue for actual
DNS over HTTPS clients, with most of HTTP/1.1 queries coming from
crawlers/bots, but of course we will reconsider if you find out that
legitimate DoH clients are impacted.
we see about 5-10% of non-version 2 DoH requests by looking at:
sum by (version)
(irate(dnsdist_frontend_doh_http_version_queries{job="$job"}[$__rate_interval]))
Note that this metric (doh_http_version_queries) is incremented after
doing some sanity checks but before actually parsing the DNS query, so
unfortunately we cannot be sure these are valid DoH queries. At this
point they could be bots. Can you check doh_version_status_responses for
httpversion=1 and status=200 instead?
So the practical solution to use dnsdist 1.9.0 with nghttp2 and
still support HTTP/1.1 clients is to use a webserver like nginx in front
of dnsdist?
Yes, a reverse proxy like nginx or HAProxy might be the best option to
keep HTTP/1.1 support at this point.
I expected an increase of this metric during our partial outage but
this value did not increase, is this expected?
irate(dnsdist_frontend_doh_version_status_responses{httpversion="1",status="400",job="$job"}[$__rate_interval])
dnsdist_frontend_noncompliantqueries also didn't increase.
Which value is expected to increase?
I'm afraid we are currently not increasing any counter in this exact
case, I'll see what I can do about it.
btw:
dnsdist's v1.9.0 answer to HTTP requests not using HTTP/2:
This server implements RFC 8484 - DNS Queries over HTTP, and
requires HTTP/2 in accordance with section 5.2 of the RFC.
but RFC8484 does not actually require HTTP/2, right?
https://www.rfc-editor.org/rfc/rfc8484.html#section-5.2
> 5.2. HTTP/2
HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use
with DoH.
It is recommended but not a "MUST".
You are correct, but in practice I am yet to see a DoH client using
HTTP/1.1 in production. Bind 9, Unbound and Knot also only support DNS
over HTTP/2. That being said, I'm really open to implementing DNS over
HTTP/1.1 if it serves a real purpose, I just don't want to increase the
code complexity and attack surface just to reply to crawlers..
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
OpenPGP_signature.asc
Description: OpenPGP digital signature
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
Re: [dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade
Otto Moerbeek wrote:
This might be related:https://github.com/PowerDNS/pdns/issues/13850,
not backported yet
thanks for the pointer, really looking forward to the dnsdist version
that has this solved.
Remi wrote:
In addition to the issue mentioned by Otto, it might also be that the
monitoring does not support HTTP/2.
yes, that appears to be the case uptimerobot does not support HTTP/2 and
was affected, our blackbox_exporter appears to support HTTP/2 and was
not affected.
The new nghttp2 provider for
incoming DNS over HTTPS does not support HTTP/1.1. In 1.9.x it's
still possible to switch back to the legacy h2o provider but note
that it will likely go away in the next major version of DNSdist. In
our testing the lack of HTTP/1.1 support was not an issue for actual
DNS over HTTPS clients, with most of HTTP/1.1 queries coming from
crawlers/bots, but of course we will reconsider if you find out that
legitimate DoH clients are impacted.
we see about 5-10% of non-version 2 DoH requests by looking at:
sum by (version)
(irate(dnsdist_frontend_doh_http_version_queries{job="$job"}[$__rate_interval]))
So the practical solution to use dnsdist 1.9.0 with nghttp2 and
still support HTTP/1.1 clients is to use a webserver like nginx in front
of dnsdist?
I expected an increase of this metric during our partial outage but
this value did not increase, is this expected?
irate(dnsdist_frontend_doh_version_status_responses{httpversion="1",status="400",job="$job"}[$__rate_interval])
dnsdist_frontend_noncompliantqueries also didn't increase.
Which value is expected to increase?
btw:
dnsdist's v1.9.0 answer to HTTP requests not using HTTP/2:
This server implements RFC 8484 - DNS Queries over HTTP, and
requires HTTP/2 in accordance with section 5.2 of the RFC.
but RFC8484 does not actually require HTTP/2, right?
https://www.rfc-editor.org/rfc/rfc8484.html#section-5.2
> 5.2. HTTP/2
HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use
with DoH.
It is recommended but not a "MUST".
best regards,
Christoph
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
Re: [dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade
Hi Christoph,
In addition to the issue mentioned by Otto, it might also be that the
monitoring does not support HTTP/2. The new nghttp2 provider for
incoming DNS over HTTPS does not support HTTP/1.1. In 1.9.x it's still
possible to switch back to the legacy h2o provider but note that it will
likely go away in the next major version of DNSdist. In our testing the
lack of HTTP/1.1 support was not an issue for actual DNS over HTTPS
clients, with most of HTTP/1.1 queries coming from crawlers/bots, but of
course we will reconsider if you find out that legitimate DoH clients
are impacted.
Best regards,
Remi
On 17/03/2024 19:12, Otto Moerbeek via dnsdist wrote:
On Sun, Mar 17, 2024 at 06:41:13PM +0100, Christoph via dnsdist wrote:
Hi,
in February we upgraded our test DoH/DoT server from 1.8.3 to 1.9.0
but we did not notice any problems so we upgraded our production server
from 1.8.3 to 1.9.0 yesterday.
Immediately after upgrading our monitoring claimed our DoH service is
unavailable (HTTP 400) but we were unable to reproduce it using firefox.
A closer look confirmed that there is some issue because we see about 50%
less DoH requests in our grafana graphs showing DoH request rates.
Having a look at the request rates per HTTP method suggests that we "loose"
almost all GET requests but also a significant fraction of POST DoH
requests.
sum by (method)
(irate(dnsdist_frontend_doh_http_method_queries{job="$job"}[$__rate_interval]))
After looking at the TLS versions graph I noticed a clear correlation
but then I realized that all our DoH requests are TLS version 1.3
because we set minTLSVersion='tls1.3' - so this might be irrelevant.
irate(dnsdist_frontend_tlsqueries{job="$job"}[$__rate_interval])
2024-03-16 20:57:59 dnsdist upgraded: 1.8.3_1 -> 1.9.0
2024-03-16 20:59 monitoring says DoH is down (HTTP 400 - Bad Request)
monitoring requests this:
https://doh.applied-privacy.net/query?dns=l1sBAAABA3d3dw1rbm90LXJlc29sdmVyAmN6AAAcAAE
Mar 17 02:40:45 bender-dpriv1 kernel: pid 77544 (dnsdist), jid 0, uid 208:
exited on signal 11 -> also interesting put likely unrelated?
Today we downgraded to 1.8.3, and everything went back to normal.
Is anyone else observing similar issues on dnsdist 1.9.0?
DoT does not appear to be affected.
best regards,
Christoph
OS: FreeBSD 13.2
dnsdist installed via pkg
our dnsdist config:
newServer({address="109.70.100.136", maxInFlight=1000, sockets=32,
name="clamps"})
newServer({address="109.70.100.140", maxInFlight=1000, sockets=32,
name="roberto"})
--newServer({address="109.70.100.133", sockets=4, name="titanius-dpriv1"})
setServerPolicy(leastOutstanding)
addTLSLocal("0.0.0.0",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
{ciphers='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256',
minTLSVersion='tls1.2', tcpFastOpenQueueSize=1000, maxInFlight=1000 })
addTLSLocal("[::]",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
{ciphers='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256',
minTLSVersion='tls1.2', tcpFastOpenQueueSize=1000, maxInFlight=1000 })
addDOHLocal("0.0.0.0:444",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
"/query", {minTLSVersion='tls1.3', serverTokens='doh',
tcpFastOpenQueueSize=1000, tcpListenQueueSize=4096 })
addDOHLocal("[::]:444",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
"/query", {minTLSVersion='tls1.3', serverTokens='doh',
tcpFastOpenQueueSize=1000, tcpListenQueueSize=4096 })
setACL({'0.0.0.0/0', '::/0'})
controlSocket('127.0.0.1:5199')
setConsoleACL('127.0.0.1/8')
setKey()
pc = newPacketCache(5, {maxTTL=86400, minTTL=3, temporaryFailureTTL=60,
staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
webserver("127.0.0.1:8083")
setWebserverConfig({...})
setVerboseHealthChecks(true)
addAction(QTypeRule(65535), RCodeAction(DNSRCode.NOTIMP))
This might be related: https://github.com/PowerDNS/pdns/issues/13850,
not backported yet
-Otto
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
OpenPGP_signature.asc
Description: OpenPGP digital signature
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
Re: [dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade
On Sun, Mar 17, 2024 at 06:41:13PM +0100, Christoph via dnsdist wrote:
> Hi,
>
> in February we upgraded our test DoH/DoT server from 1.8.3 to 1.9.0
> but we did not notice any problems so we upgraded our production server
> from 1.8.3 to 1.9.0 yesterday.
>
> Immediately after upgrading our monitoring claimed our DoH service is
> unavailable (HTTP 400) but we were unable to reproduce it using firefox.
>
> A closer look confirmed that there is some issue because we see about 50%
> less DoH requests in our grafana graphs showing DoH request rates.
>
> Having a look at the request rates per HTTP method suggests that we "loose"
> almost all GET requests but also a significant fraction of POST DoH
> requests.
>
> sum by (method)
> (irate(dnsdist_frontend_doh_http_method_queries{job="$job"}[$__rate_interval]))
>
> After looking at the TLS versions graph I noticed a clear correlation
> but then I realized that all our DoH requests are TLS version 1.3
> because we set minTLSVersion='tls1.3' - so this might be irrelevant.
>
> irate(dnsdist_frontend_tlsqueries{job="$job"}[$__rate_interval])
>
> 2024-03-16 20:57:59 dnsdist upgraded: 1.8.3_1 -> 1.9.0
> 2024-03-16 20:59 monitoring says DoH is down (HTTP 400 - Bad Request)
> monitoring requests this:
> https://doh.applied-privacy.net/query?dns=l1sBAAABA3d3dw1rbm90LXJlc29sdmVyAmN6AAAcAAE
> Mar 17 02:40:45 bender-dpriv1 kernel: pid 77544 (dnsdist), jid 0, uid 208:
> exited on signal 11 -> also interesting put likely unrelated?
>
> Today we downgraded to 1.8.3, and everything went back to normal.
>
> Is anyone else observing similar issues on dnsdist 1.9.0?
>
> DoT does not appear to be affected.
>
> best regards,
> Christoph
>
> OS: FreeBSD 13.2
> dnsdist installed via pkg
>
> our dnsdist config:
>
> newServer({address="109.70.100.136", maxInFlight=1000, sockets=32,
> name="clamps"})
> newServer({address="109.70.100.140", maxInFlight=1000, sockets=32,
> name="roberto"})
> --newServer({address="109.70.100.133", sockets=4, name="titanius-dpriv1"})
> setServerPolicy(leastOutstanding)
>
> addTLSLocal("0.0.0.0",
> "/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
> "/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
> {ciphers='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256',
> minTLSVersion='tls1.2', tcpFastOpenQueueSize=1000, maxInFlight=1000 })
> addTLSLocal("[::]",
> "/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
> "/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
> {ciphers='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256',
> minTLSVersion='tls1.2', tcpFastOpenQueueSize=1000, maxInFlight=1000 })
>
> addDOHLocal("0.0.0.0:444",
> "/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
> "/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
> "/query", {minTLSVersion='tls1.3', serverTokens='doh',
> tcpFastOpenQueueSize=1000, tcpListenQueueSize=4096 })
> addDOHLocal("[::]:444",
> "/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
> "/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
> "/query", {minTLSVersion='tls1.3', serverTokens='doh',
> tcpFastOpenQueueSize=1000, tcpListenQueueSize=4096 })
>
> setACL({'0.0.0.0/0', '::/0'})
> controlSocket('127.0.0.1:5199')
> setConsoleACL('127.0.0.1/8')
>
> setKey()
>
> pc = newPacketCache(5, {maxTTL=86400, minTTL=3, temporaryFailureTTL=60,
> staleTTL=60, dontAge=false})
> getPool(""):setCache(pc)
>
> webserver("127.0.0.1:8083")
> setWebserverConfig({...})
> setVerboseHealthChecks(true)
> addAction(QTypeRule(65535), RCodeAction(DNSRCode.NOTIMP))
This might be related: https://github.com/PowerDNS/pdns/issues/13850,
not backported yet
-Otto
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
[dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade
Hi,
in February we upgraded our test DoH/DoT server from 1.8.3 to 1.9.0
but we did not notice any problems so we upgraded our production server
from 1.8.3 to 1.9.0 yesterday.
Immediately after upgrading our monitoring claimed our DoH service is
unavailable (HTTP 400) but we were unable to reproduce it using firefox.
A closer look confirmed that there is some issue because we see about
50% less DoH requests in our grafana graphs showing DoH request rates.
Having a look at the request rates per HTTP method suggests that we
"loose" almost all GET requests but also a significant fraction of POST
DoH requests.
sum by (method)
(irate(dnsdist_frontend_doh_http_method_queries{job="$job"}[$__rate_interval]))
After looking at the TLS versions graph I noticed a clear correlation
but then I realized that all our DoH requests are TLS version 1.3
because we set minTLSVersion='tls1.3' - so this might be irrelevant.
irate(dnsdist_frontend_tlsqueries{job="$job"}[$__rate_interval])
2024-03-16 20:57:59 dnsdist upgraded: 1.8.3_1 -> 1.9.0
2024-03-16 20:59 monitoring says DoH is down (HTTP 400 - Bad Request)
monitoring requests this:
https://doh.applied-privacy.net/query?dns=l1sBAAABA3d3dw1rbm90LXJlc29sdmVyAmN6AAAcAAE
Mar 17 02:40:45 bender-dpriv1 kernel: pid 77544 (dnsdist), jid 0, uid
208: exited on signal 11 -> also interesting put likely unrelated?
Today we downgraded to 1.8.3, and everything went back to normal.
Is anyone else observing similar issues on dnsdist 1.9.0?
DoT does not appear to be affected.
best regards,
Christoph
OS: FreeBSD 13.2
dnsdist installed via pkg
our dnsdist config:
newServer({address="109.70.100.136", maxInFlight=1000, sockets=32,
name="clamps"})
newServer({address="109.70.100.140", maxInFlight=1000, sockets=32,
name="roberto"})
--newServer({address="109.70.100.133", sockets=4, name="titanius-dpriv1"})
setServerPolicy(leastOutstanding)
addTLSLocal("0.0.0.0",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
{ciphers='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256',
minTLSVersion='tls1.2', tcpFastOpenQueueSize=1000, maxInFlight=1000 })
addTLSLocal("[::]",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
{ciphers='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256',
minTLSVersion='tls1.2', tcpFastOpenQueueSize=1000, maxInFlight=1000 })
addDOHLocal("0.0.0.0:444",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
"/query", {minTLSVersion='tls1.3', serverTokens='doh',
tcpFastOpenQueueSize=1000, tcpListenQueueSize=4096 })
addDOHLocal("[::]:444",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.crt",
"/usr/local/etc/ssl/lego/certificates/doh.applied-privacy.net.key",
"/query", {minTLSVersion='tls1.3', serverTokens='doh',
tcpFastOpenQueueSize=1000, tcpListenQueueSize=4096 })
setACL({'0.0.0.0/0', '::/0'})
controlSocket('127.0.0.1:5199')
setConsoleACL('127.0.0.1/8')
setKey()
pc = newPacketCache(5, {maxTTL=86400, minTTL=3,
temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
webserver("127.0.0.1:8083")
setWebserverConfig({...})
setVerboseHealthChecks(true)
addAction(QTypeRule(65535), RCodeAction(DNSRCode.NOTIMP))
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
