Re: [dnsdist] Whitelisting IP addresses with XDP filtering

2022-10-05 Thread Remi Gacogne via dnsdist

Hi,

On 05/10/2022 09:30, Pierre Grié via dnsdist wrote:
>> In the meantime you could exclude the range using [1] to make sure that
>> this is really the root cause of your issue.

> We already identified that dnsdist was the root cause by restarting
> dnsdist after it inserted the IP in the DynBlock and checking it was
> truncating new queries even after whitelisting. This led to the BPF
> map remaining unchanged (the IP was still in it, so queries were
> supposed to be TC but were whitelisted), and the new queries were not
> truncated anymore, as the DynBlock was empty on the userspace side.


Great.

>> We might be able to get rid of that now, or at the very least we should
>> make it optional.

> That would really be a time-saver for us!


I opened a feature request ticket to track this at [1]. I tentatively 
set the milestone to 1.8.0 but I'm not sure I will have the time to look 
into this quickly.
If you, or someone else, wants to tackle it and open a pull request I 
think the second option I listed in the ticket should be fairly 
straight-forward to implement.


[1]: https://github.com/PowerDNS/pdns/issues/12061

Cheers,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/



___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist


Re: [dnsdist] Whitelisting IP addresses with XDP filtering

2022-10-05 Thread Pierre Grié via dnsdist

Hi Rémi,

> In the meantime you could exclude the range using [1] to make sure that
> this is really the root cause of your issue.

We already identified that dnsdist was the root cause by restarting
dnsdist after it inserted the IP in the DynBlock and checking it was
truncating new queries even after whitelisting. This led to the BPF
map remaining unchanged (the IP was still in it, so queries were
supposed to be TC but were whitelisted), and the new queries were not
truncated anymore, as the DynBlock was empty on the userspace side.


> We might be able to get rid of that now, or at the very least we should
> make it optional.

That would really be a time-saver for us!

Best,

Pierre Grié


Re: [dnsdist] Whitelisting IP addresses with XDP filtering

2022-10-04 Thread Remi Gacogne via dnsdist

Hi Pierre,

On 04/10/2022 17:59, Pierre Grié via dnsdist wrote:
> I am currently working on an XDP BPF filter to work with dnsdist BPF maps
> which puts the TC bit on packets from incoming IPs flagged by dnsdist, and
> I am trying to implement a whitelist system with an additional map that
> would contain IPs we would like to "whitelist" (i.e. which would be
> allowed to perform UDP queries even when flagged by dnsdist and put in
> the BPF map with the DNSAction.Truncate action).


Sounds great!

> The whitelisting mechanism works fine by itself, but it seems that when
> the whitelisted UDP query hits dnsdist after passing through the XDP
> filter, it is resent with the TC bit, thus forcing the client to retry
> with TCP. Is the DNSAction also enforced in userspace?


Yes, the current behaviour is to add the rule to the userspace dynamic 
block even when eBPF filtering is enabled. It was initially done to 
prevent the dynamic blocks being bypassed on some distributions where 
the kernel was pretending that eBPF was working even though it was not.
We might be able to get rid of that now, or at the very least we should 
make it optional.
In the meantime you could exclude the range using [1] to make sure that 
this is really the root cause of your issue.


[1]: https://dnsdist.org/reference/config.html#DynBlockRulesGroup:excludeRange


Best,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/



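The excludeRange workaround Remi points to, as an added dnsdist configuration example that is not part of the thread or of the dnsdist project. It assumes dnsdist 1.7.x (the newBPFFilter argument shape changed in 1.8) and uses documentation prefixes and a made-up rate as placeholders.

```lua
-- Added example (not from the thread): keep a few trusted client ranges out
-- of the dynamic block rules entirely, so neither the userspace dynamic
-- block nor the matching BPF map entry is ever created for them.
-- Assumption: dnsdist 1.7.x, where newBPFFilter(maxV4, maxV6, maxQNames)
-- takes plain counts; check the reference for the 1.8 table form.

-- Kernel-side eBPF filter; dynamic blocks are also inserted into it once
-- it is the default filter.
bpf = newBPFFilter(1024, 1024, 1024)
setDefaultBPFFilter(bpf)

-- Placeholder ranges (RFC 5737 / RFC 3849 documentation prefixes) standing
-- in for clients that must keep UDP even when the rate rule would trigger.
trusted = { "192.0.2.0/24", "2001:db8:10::/48" }

dbr = dynBlockRulesGroup()
-- Excluded ranges are never evaluated by this group's rules, so they are
-- not truncated by dnsdist in userspace either.
dbr:excludeRange(trusted)

-- Placeholder rate: more than 1000 qps measured over 10 s earns a 60 s
-- Truncate block, pushing the client to TCP for its retries.
dbr:setQueryRate(1000, 10, "Exceeded query rate", 60, DNSAction.Truncate)

-- dnsdist invokes maintenance() roughly once a second; apply() evaluates
-- the rules and inserts new blocks (userspace and BPF).
function maintenance()
  dbr:apply()
end
```

excludeRange only stops new blocks from being created; an entry that already exists for one of these ranges stays until its block duration expires.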


[dnsdist] Whitelisting IP addresses with XDP filtering

2022-10-04 Thread Pierre Grié via dnsdist

Hi,

I am currently working on an XDP BPF filter to work with dnsdist BPF maps
which puts the TC bit on packets from incoming IPs flagged by dnsdist, and
I am trying to implement a whitelist system with an additional map that
would contain IPs we would like to "whitelist" (i.e. which would be
allowed to perform UDP queries even when flagged by dnsdist and put in
the BPF map with the DNSAction.Truncate action).


The whitelisting mechanism works fine by itself, but it seems that when
the whitelisted UDP query hits dnsdist after passing through the XDP
filter, it is resent with the TC bit, thus forcing the client to retry
with TCP. Is the DNSAction also enforced in userspace?


Regards
