Re: [dnsdist] eBPF filtering

2024-11-04 Thread Remi Gacogne via dnsdist
Hello Aleš, On 31/10/2024 10:11, Aleš Rygl via dnsdist wrote: Would it be possible that the entry for eBPF block somehow persisted in the kernel and was not deleted for some reason? It is likely that eBPF blocks sometimes linger a bit longer than you might expect: for performance reasons we a

[dnsdist] PowerDNS DNSdist 1.9.7 released

2024-10-04 Thread Remi Gacogne via dnsdist
Hello! We released PowerDNS DNSdist 1.9.7 today, fixing several issues: - A race condition in the processing of incoming DNS over TLS connections could cause a crash if TLS certificates were reloaded from the console while processing a TLS handshake - Processing a proxy protocol payload presen

Re: [dnsdist] How get ECS in DnsDist logs ?

2024-10-01 Thread Remi Gacogne via dnsdist
Hi David, On 30/09/2024 15:28, david n via dnsdist wrote: I’m trying to log the client subnet with DnsDist, actually I only have the IP of the DNS server requesting : [1727699139.669387387] Packet from 192.29.141.4:38506 for foo.bar. A with id 51444 We don't currently have the ability to lo

Re: [dnsdist] How get ECS in DnsDist logs ?

2024-10-01 Thread Remi Gacogne via dnsdist
On 01/10/2024 13:36, david n via dnsdist wrote: My goal was to have a clear view of the percentage of EDNS requests versus no EDNS. EDNS, or ECS? If you only want to look at percentages, you could create custom metrics [1] and increase them from Lua when a rule matches ([2] for EDNS, [3] for

Re: [dnsdist] Is it possible to add an EDE to DNSAction.SpoofRaw ?

2024-09-30 Thread Remi Gacogne via dnsdist
Hi, On 27/09/2024 16:52, Remi Gacogne via dnsdist wrote: On 26/09/2024 18:09, Marco Davids (SIDN) via dnsdist wrote: It seems that the combination of EDE and SpoofRaw (which is what I want) is suboptimal. Right, it looks like this specific use of SpoofRaw does not add EDNS to the response

Re: [dnsdist] Is it possible to add an EDE to DNSAction.SpoofRaw ?

2024-09-27 Thread Remi Gacogne via dnsdist
Hi, On 26/09/2024 18:09, Marco Davids (SIDN) via dnsdist wrote: It seems that the combination of EDE and SpoofRaw (which is what I want) is suboptimal. Right, it looks like this specific use of SpoofRaw does not add EDNS to the response, and thus we later refuse to add EDE because there is no

[dnsdist] PowerDNS DNSdist 1.8.4 released

2024-09-20 Thread Remi Gacogne via dnsdist
Hello! We released PowerDNS DNSdist 1.8.4 today, fixing a race condition in the handling of incoming DNS over TLS connections that can lead to a crash. We also fixed two minor incompatibility issues preventing DNSdist from being built with newer versions of clang and the Boost library. Plea

Re: [dnsdist] [EXT] Re: Re: How to list all entries in cache?

2024-09-02 Thread Remi Gacogne via dnsdist
Hi, On 30/08/2024 03:22, jiang...@139.com wrote: I've tested PacketCache:dump, but can not find response information. Right, there is indeed only a summary of the cached entries, and the whole content is not dumped. I'm afraid there is currently no way to retrieve the content. It might be a b

Re: [dnsdist] How to list all entries in cache?

2024-08-26 Thread Remi Gacogne via dnsdist
Hi, On 25/08/2024 06:31, jiangwendong via dnsdist wrote: How to list all entries in cache? I can not find a usable command in documentation You can use the dump() [1] method on a PacketCache object to dump a summary of the cache content to a file. [1]: https://dnsdist.org/reference/config.ht

Re: [dnsdist] Is it possible to add an EDE to DNSAction.SpoofRaw ?

2024-08-20 Thread Remi Gacogne via dnsdist
Hi Marco, On 05/08/2024 19:34, Marco Davids (SIDN) via dnsdist wrote: I have this: function luarule(dq) local reply = 'hello' local strlen = string.char(#result) return DNSAction.SpoofRaw, strlen .. result end And would like to add an Extended DNS Error to the response. Is that poss

[dnsdist] PowerDNS DNSdist 1.9.6 released

2024-07-16 Thread Remi Gacogne via dnsdist
Hello! We released PowerDNS DNSdist 1.9.6 today, fixing minor bugs: - Fix a race in the XSK/AF_XDP backend handling code - De-duplicate Prometheus help and type lines for custom metrics with labels - dns.cc: use pdns::views::UnsignedCharView to fix a compilation error with recent versions of lib

[dnsdist] PowerDNS DNSdist 1.9.5 released

2024-06-20 Thread Remi Gacogne via dnsdist
Hello! We released PowerDNS DNSdist 1.9.5 today, fixing minor bugs: - Reply to HTTP/2 PING frames immediately - Use the correct source IP for outgoing QUIC datagrams - Two race conditions with custom Lua web handlers - Syslog logging should be enabled by default - Log the correct amount of bytes

Re: [dnsdist] dnsdist 1.9.4 segfault

2024-06-04 Thread Remi Gacogne via dnsdist
Hi, On 03/06/2024 09:39, Remi Gacogne wrote: On 02/06/2024 22:43, Nicolas Baumgarten via dnsdist wrote: we started testing 1.9.4 on centos 7 before upgrading, and it segfaults, after 20 seconds of running. Thanks a lot for reporting this issue! I'll try to reproduce this on CentOS 7 later to

Re: [dnsdist] dnsdist 1.9.4 segfault

2024-06-03 Thread Remi Gacogne via dnsdist
Hi! On 02/06/2024 22:43, Nicolas Baumgarten via dnsdist wrote: we started testing 1.9.4 on centos 7 before upgrading, and it segfaults, after 20 seconds of running. Thanks a lot for reporting this issue! I'll try to reproduce this on CentOS 7 later today, as it doesn't happen in my developmen

Re: [dnsdist] Matching DNS server IP in request

2024-05-21 Thread Remi Gacogne via dnsdist
Hi Aleš, On 17/05/2024 18:17, Aleš Rygl via dnsdist wrote: I would need to virtually split a single dnsdist instance in the way that clients sending requests to a particular IP of dnsdist (listening on multiple IPs) are sent to a dedicated pool. I could start another dnsdist process

[dnsdist] PowerDNS DNSdist 1.9.4 released

2024-05-13 Thread Remi Gacogne via dnsdist
Hello! We released PowerDNS DNSdist 1.9.4 today. This release fixes CVE-2024-25581, a denial of service security issue affecting versions 1.9.0, 1.9.1, 1.9.2 and 1.9.3 only. Earlier versions are not affected. When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and que

Re: [dnsdist] dnsdist tuning for high qps on nxdomain ddos

2024-05-06 Thread Remi Gacogne via dnsdist
Hi! On 03/05/2024 22:20, Jasper Aikema via dnsdist wrote: Currently we are stuck at a max of +/- 200k qps for nxdomain requests and want to be able to serve +/- 300k qps per server. 200k QPS is fairly low based on what you describe. Would you mind sharing the whole configuration (redacting pa

[dnsdist] PowerDNS DNSdist 1.9.3 released

2024-04-05 Thread Remi Gacogne via dnsdist
Hello! Less than an hour after the release of PowerDNS DNSdist 1.9.2 today, we received reports of DNSdist crashing in some setups. This 1.9.3 release fixes the issue that was introduced in 1.9.2, for now by reverting the related change. Please see the DNSdist website [1] for the changelog [

Re: [dnsdist] 1.9.2 crashing in tcpClient

2024-04-05 Thread Remi Gacogne via dnsdist
Hi Holger, Thanks for reaching out. We have had another report already and are looking into it. We have already confirmed that reverting a recent change fixes it [1], and we will release 1.9.3 in a couple hours. [1]: https://github.com/PowerDNS/pdns/pull/14040/files Best regards, -- Remi Gac

[dnsdist] PowerDNS DNSdist 1.9.2 released

2024-04-05 Thread Remi Gacogne via dnsdist
Hello! We released PowerDNS DNSdist 1.9.2 today. This release fixes several issues: - HTTP/1.1 was wrongly selected over HTTP/2 when a DNS over HTTPS client advertised both HTTP versions in ALPN and listed HTTP/1.1 first, and the nghttp2 provider was used - The first connection to the DNSdist

Re: [dnsdist] [EXT] Re: PowerDNS DNSdist 1.9.1 released

2024-03-19 Thread Remi Gacogne via dnsdist
Hi, On 19/03/2024 16:05, Markus Ueberall wrote: would it be possible to also provide arm64 binaries (and, maybe within a year, riscv64 binaries as well)? IMHO, this would save a growing number of people the hassle of rebuilding/repackaging the binaries themselves locally (and also help in case

Re: [dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade

2024-03-19 Thread Remi Gacogne via dnsdist
Hi, On 18/03/2024 22:00, Christoph via dnsdist wrote: This might be related: https://github.com/PowerDNS/pdns/issues/13850, not backported yet thanks for the pointer, really looking forward to the dnsdist version that has this solved. Sure, I expect to release 1.9.2 including this fix in the

Re: [dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade

2024-03-18 Thread Remi Gacogne via dnsdist
Hi Christoph, In addition to the issue mentioned by Otto, it might also be that the monitoring does not support HTTP/2. The new nghttp2 provider for incoming DNS over HTTPS does not support HTTP/1.1. In 1.9.x it's still possible to switch back to the legacy h2o provider but note that it will

[dnsdist] PowerDNS DNSdist 1.9.1 released

2024-03-14 Thread Remi Gacogne via dnsdist
Hello! We released PowerDNS DNSdist 1.9.1 today. This version brings no functional changes, and only bumps the version of the Quiche library we use, to incorporate a recent security update [1], fixing CVE-2024-1410 [2] and CVE-2024-1765 [3]. This applies only if you configured incoming DoQ or

[dnsdist] PowerDNS DNSdist 1.9.0

2024-02-16 Thread Remi Gacogne via dnsdist
Hello! We are very happy to release PowerDNS DNSdist 1.9.0 today! This new version brings a fair number of new features since 1.8.3: - DNS over QUIC [1] - DNS over HTTP3 - AF_XDP [2] support - the ability to set Extended DNS Error [3] statuses - a cache-miss ratio dynamic block rule - getAddre

Re: [dnsdist] Empty NOERROR being sent when backend times out

2024-02-09 Thread Remi Gacogne via dnsdist
Hi, On 09/02/2024 11:05, Adam Bishop via dnsdist wrote: I'm seeing an issue where caching resolvers outside of our network are occasionally storing empty responses to queries. I think what's happening is that when a query is made and there's a backend timeout, dnsdist is responding to the use

[dnsdist] PowerDNS DNSdist 1.9.0-rc1 released

2024-01-30 Thread Remi Gacogne via dnsdist
Hello! We are excited to release the first release candidate of what will become PowerDNS DNSdist 1.9.0! The latest addition to DNSdist is AF_XDP[1] support. AF_XDP is a Linux feature optimized for high performance packet processing, allowing DNSdist to process UDP datagrams even faster than

Re: [dnsdist] [EXT] AW: Suggestions for rules to block abusive traffic

2024-01-09 Thread Remi Gacogne via dnsdist
On 09/01/2024 09:50, Klaus Darilion wrote: I fully agree, and we are working on having smarter mitigations in dnsdist to only drop/truncate/route to a different pool queries that are very likely to be part of a PRSD/enumeration attack. Do you already have ideas how to implement that? I have th

Re: [dnsdist] [EXT] AW: Suggestions for rules to block abusive traffic

2024-01-09 Thread Remi Gacogne via dnsdist
Hi! On 08/01/2024 23:08, Klaus Darilion wrote: This is unfortunately a common issue indeed these days. It is possible to use dnsdist to detect and mitigate these attacks to a certain extent, using the StatNode API along with DynBlockRulesGroup:setSuffixMatchRule [1] or the FFI equivalent for bet

Re: [dnsdist] Suggestions for rules to block abusive traffic

2024-01-08 Thread Remi Gacogne via dnsdist
Hi Dan, On 08/01/2024 17:28, Dan McCombs via dnsdist wrote: In our case we are affected as we use Pdns + DB backend as backend. Yep, that's exactly our case as well - our legacy Pdns + mysql backends don't handle this very well. Longer term we intend to move away from that, but finding

[dnsdist] PowerDNS DNSdist 1.8.3 released

2023-12-15 Thread Remi Gacogne via dnsdist
Hello! We are very happy to release PowerDNS DNSdist 1.8.3 today, a maintenance release fixing a few bugs reported since 1.8.2: - The exponential back-off timer used when a carbon server is unreachable had a bug that could lead to a busy-loop, consuming CPU time until the carbon server becam

[dnsdist] PowerDNS DNSdist 1.9.0-alpha4 released

2023-12-14 Thread Remi Gacogne via dnsdist
Hello! We are thrilled to release the fourth alpha release of what will become PowerDNS DNSdist 1.9.0! The most exciting new feature in this latest alpha is support for DNS over HTTP/3! Like DNS over QUIC for which we announced support in the previous alpha, DNS over HTTP/3 uses QUIC to prov

Re: [dnsdist] [EXT] Re: Question about implementing dynBlockRulesGroup

2023-12-04 Thread Remi Gacogne via dnsdist
Hi, On 04/12/2023 14:37, CamZie wrote: I tried testing "MaxQPSIPRule" by setting it to "3" but the drop connection only occurs on every 4th request. We would like to be able to block all requests from the source IP after they reach a certain limit. Right, it allows 3 queries per second, so th

Re: [dnsdist] Compiling with DNS-over-QUIC on OpenSUSE - quiche not found

2023-11-21 Thread Remi Gacogne via dnsdist
Hi! On 21/11/2023 13:37, Oto Šťáva via dnsdist wrote: Hi, sorry about the delay. This seems to work, big thanks! Thanks for reporting back, much appreciated! One thing I noticed is that if I add '--enable-dns-over-quic' but not '--enable-dns-over-tls', it successfully configures, but fails t

Re: [dnsdist] addAction OpCode Iquery

2023-11-16 Thread Remi Gacogne via dnsdist
Hi, On 16/11/2023 04:37, Nicolas Baumgarten via dnsdist wrote: Queries with opcode 1 (DNSOpcode.IQuery) are being ignored (dropped?) on 1.4 But 1.6.1 answers NOT implemented. My guess is that these queries have a query records count (qdcount) of 0 and you are seeing the effect of [1], implemen

Re: [dnsdist] rmResponseRule("name") not working

2023-11-14 Thread Remi Gacogne via dnsdist
Hi! On 13/11/2023 22:59, Holger Hoffstätte via dnsdist wrote: I'm running 1.8.2 and have a response rule: showResponseRules() #   Name  Matches Rule   Action 0   myRule    501 All    Lua response script Now I try to remove it

Re: [dnsdist] Compiling with DNS-over-QUIC on OpenSUSE - quiche not found

2023-10-30 Thread Remi Gacogne via dnsdist
Hi Oto! On 30/10/2023 14:06, Oto Šťáva via dnsdist wrote: I wanted to do some testing with the new DNS-over-QUIC implementation in dnsdist on my OpenSUSE machine. Quite understandably, OpenSUSE does not ship alpha versions of dnsdist, so I opted to compile the new version from source. I look

Re: [dnsdist] Question about implementing dynBlockRulesGroup

2023-10-30 Thread Remi Gacogne via dnsdist
Hi, On 30/10/2023 11:08, CamZie via dnsdist wrote: We would like to use DNSdist to block traffic that exceeds a QPS limit and we have configured the following as test: local dbr = dynBlockRulesGroup() dbr:setQueryRate(5, 1, "Exceeded query rate", 60) dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exc

[dnsdist] PowerDNS DNSdist 1.9.0-alpha3 released

2023-10-20 Thread Remi Gacogne via dnsdist
Hello! We are thrilled to release the third alpha release of what will become PowerDNS DNSdist 1.9.0! Let's first address the elephant in the room: the second alpha was never released due to a last-minute issue discovered in RPM packaging after the tag was pushed, so we went to alpha3 right

Re: [dnsdist] Is it possible to setup a SpoofAction/SpoofCNAME action for a listening address?

2023-10-13 Thread Remi Gacogne via dnsdist
Hi Frank, On 11/10/2023 07:01, F Even via dnsdist wrote: Hello. I was wondering if it was possible to do something like setting up a netmask group for a QNameRule/SpoofAction, but instead of tying it to requesting IP subnets, tie it to a specific set of listening addresses. If you want to mat

[dnsdist] PowerDNS DNSdist 1.7.5 and 1.8.2 released

2023-10-11 Thread Remi Gacogne via dnsdist
Hi, Today we have released DNSdist 1.7.5 and 1.8.2, with absolutely no changes with, respectively, 1.7.4 and 1.8.1, apart from the fact that our DNSdist packages have been rebuilt against our own fork [1] of libh2o in order to mitigate CVE-2023-44487 [2], also known as HTTP/2 rapid reset [3].

Re: [dnsdist] dnsdist 1.7.4 Debian Bullseye vs 1.8.4 Bullseye

2023-10-05 Thread Remi Gacogne via dnsdist
Hi! On 05/10/2023 10:41, Aleš Rygl via dnsdist wrote: Thanks for your response. After some deep documentation reading and config tweaking I am nearly on the previous values regarding CPU load, apart from latency, which is still higher (1.3ms -> 2.3ms). I suspect a different way the latenc

Re: [dnsdist] greqp() output columns

2023-10-02 Thread Remi Gacogne via dnsdist
On 02/10/2023 19:17, Christoph via dnsdist wrote: I don't think we have a way to log only these, unfortunately :-/ If you have the dnsdist console set up, you can use grepq('1000ms') to look at all queries that took more than 1 second, which is usually indicative of a problem, or even grepq('20

Re: [dnsdist] backend drops metrics for TCP

2023-10-02 Thread Remi Gacogne via dnsdist
Hi Christoph, On 13/09/2023 07:30, Christoph via dnsdist wrote: I've switched back to using UDP. Is there an easy way to log queries that timeout (2s) - and not log any others? To investigate some examples further? I don't think we have a way to log only these, unfortunately :-/ If you have

Re: [dnsdist] dnsdist latency bucket metric still broken in 1.8.0?

2023-10-02 Thread Remi Gacogne via dnsdist
Hi! On 03/09/2023 11:08, Christoph via dnsdist wrote: latency-doh-avg100 contains only a single avg value compared to latency-bucket. Was there a specific reason, for not having a latency-bucket for DoH/DoT queries as well? I do not recall whether this was an explicit decision, but my guess i

Re: [dnsdist] dnsdist 1.7.4 Debian Bullseye vs 1.8.4 Bullseye

2023-10-02 Thread Remi Gacogne via dnsdist
Hi Ales, On 25/09/2023 16:09, Aleš Rygl via dnsdist wrote: I would like to kindly ask for help or advice. I have just upgraded one of our dnsdist instances from 1.7.4 to 1.8.4 together with OS upgrade (Debian 11.7 to 12.1). Everything works fine, no issues observed apart from some deprecated con

Re: [dnsdist] Does dnsdist try the next server inside a pool, when the first does not answer?

2023-09-25 Thread Remi Gacogne via dnsdist
Hi Tobias, On 25/09/2023 06:18, Schnurrenberger Tobias (ID) via dnsdist wrote: We are using multiple resolvers in the same pool and we set the setServFailWhenNoServer option. There is also an overflow configured, which allows only 1 qps to this pool. What happens when the first server in

[dnsdist] PowerDNS DNSdist 1.9.0-alpha1 released

2023-09-18 Thread Remi Gacogne via dnsdist
Hello! We are very happy to be releasing the first alpha release of what will become DNSdist 1.9.0! The most important change since 1.8.1 is that incoming DNS over HTTPS requests are now handled by the nghttp2 library, instead of the h2o one. This change should be transparent for most users,

Re: [dnsdist] backend drops metrics for TCP

2023-09-12 Thread Remi Gacogne via dnsdist
Hello! On 11/09/2023 22:34, Christoph via dnsdist wrote: when playing around with things to reduce the drop rate I noticed that TCP based backends always have 0 drops in showServers() output and these metrics: dnsdist_server_drops dnsdist_downstream_timeouts Is that always the case and that c

Re: [dnsdist] Dnsdist as high availability mode

2023-09-11 Thread Remi Gacogne via dnsdist
Hi! On 10/09/2023 16:31, Affan Basalamah via dnsdist wrote: I want to know if it’s possible to setup dnsdist as two server and configured with first hop redundancy protocol such as VRRP (Keepalived on Linux, CARP on FreeBSD), so dnsdist can operate as highly available as possible, at least i

[dnsdist] PowerDNS DNSdist 1.8.1 released

2023-09-08 Thread Remi Gacogne via dnsdist
Hello! We are very happy to release DNSdist 1.8.1 today, a maintenance release fixing a few bugs reported since 1.8.0: - Several bugs have been fixed in the health-check code, including one issue that could have resulted in some health-check responses to be lost - A crash has been fixed when

Re: [dnsdist] Matching corrupt DNS queries?

2023-08-14 Thread Remi Gacogne via dnsdist
Hi Jacob, On 13/08/2023 13:07, Jacob Bunk Nielsen via dnsdist wrote: We are sometimes seeing UDP DNS queries that come in with the TC flag set to true. It doesn't make sense to send such queries as the client should of course just make that query over TCP. But how do I match those queries in

Re: [dnsdist] dnsdist 1.8.0 thread spinning

2023-07-17 Thread Remi Gacogne via dnsdist
On 15/07/2023 09:42, Otto Moerbeek via dnsdist wrote: This is likely https://github.com/PowerDNS/pdns/pull/12726 ATM this is not marked for backporting to 1.8.x. Don't know if that is an omission. It was, I added the 'backport to dnsdist-1.8.x' flag in the meantime. Thanks! -- Remi Gacogne

Re: [dnsdist] Exclude domains with dynBlockRulesGroup ?

2023-07-12 Thread Remi Gacogne via dnsdist
Hi Denis, On 12/07/2023 12:24, Denis MACHARD via dnsdist wrote: How to exclude some domains with the dynamic block feature (dynBlockRulesGroup), Is it possible ? The documentation is not clear on this, if anyone has an example. We should document this more clearly, there are two types of rule

Re: [dnsdist] [EXT] Re: Some statistics I would like to have

2023-06-13 Thread Remi Gacogne via dnsdist
On 13/06/2023 10:34, Stephane Bortzmeyer wrote: Ah, yes, thanks. But the numbers are disconcerting. I see twice as many queries per connection with IPv4 than IPv6, but only for DoT. For DoH, it is the opposite. This may be simply because it is a small resolver so the numbers are not statistically

Re: [dnsdist] Some statistics I would like to have

2023-06-13 Thread Remi Gacogne via dnsdist
Hi Stéphane, On 12/06/2023 14:44, Stephane Bortzmeyer via dnsdist wrote: I'm wondering about the average number of DNS queries per DoT/DoH connection (to see if the setup "cost" is amortized over enough requests). I do not find something like that in the output of dumpStats (I have the number of

Re: [dnsdist] dnsdist restrict udp source port

2023-05-11 Thread Remi Gacogne via dnsdist
Hi Mahdi, On 11/05/2023 10:47, Mahdi Adnan via dnsdist wrote: Is it possible to restrict dnsdist to a certain port range, something similar to what pdns have "udp-source-port-min, udp-source-port-max, or udp-source-port-avoid"? I couldn't find such an option on the man page or in the documen

Re: [dnsdist] dnsdist 1.8, change of behavior for dynamic blocks

2023-05-11 Thread Remi Gacogne via dnsdist
Hi Jacob, On 14/04/2023 08:25, Jacob Bunk Nielsen via dnsdist wrote: Just a heads up, we run an auth DNS service and I noticed after we upgraded to dnsdist 1.8 that we have started blocking a lot more based on a dynamic block rule defined as: dbr:setRCodeRate(DNSRCode.REFUSED, N, X, 'Exceeded

Re: [dnsdist] dnsdist latency bucket metric still broken in 1.8.0?

2023-05-03 Thread Remi Gacogne via dnsdist
Hi Christoph, On 14/04/2023 17:04, Christoph via dnsdist wrote: here is our dnsdist.conf, maybe it helps to reproduce the issue. If I'm not mistaken, you are mostly dealing with DoT and DoH queries, not UDP ones? I'm asking because since 1.8 these latency metrics are now only updated for UDP

Re: [dnsdist] dnsdist latency bucket metric still broken in 1.8.0?

2023-04-13 Thread Remi Gacogne via dnsdist
Hi Christoph, On 13/04/2023 19:55, Christoph via dnsdist wrote: ever since [1] got the dnsdist-1.8.0 milestone we were looking forward to the 1.8.0 release and were also a bit surprised that this regression will not be in a 1.7.x bugfix release. The fix not being backported is an oversight, I

Re: [dnsdist] Managing opened consoles in dnsdist.

2023-03-21 Thread Remi Gacogne via dnsdist
Hi, On 21/03/2023 18:07, IHI IHI via dnsdist wrote: Is it possible to view connected admins to dnsdist -c "opened console", then manage them, for example view their activities logs, disconnect them or set some limitations by a superadmin? I'm afraid this is not possible. Best regards, -- Rem

Re: [dnsdist] dnsdist 1.7 : allow only A request

2023-03-17 Thread Remi Gacogne via dnsdist
Hi, On 17/03/2023 16:23, david n via dnsdist wrote: BUT : for the "any" request I have this result, and I don't know if it can produce something bad, have you any idea ? [root@node ~]# dig any www.toto.com @X.X.X.X ;; communications error to X.X.X.X#53: end of file ;; communications error to X

[dnsdist] Third Release Candidate of PowerDNS DNSdist 1.8.0

2023-03-16 Thread Remi Gacogne via dnsdist
Hello! We are very happy to release the third candidate of what will become dnsdist 1.8.0! This release contains fixes for several issues that were found in the second release candidate. - #12641: Use the correct source address when harvesting failed - #12639: Fix a race when a cross-protoc

[dnsdist] Second Release Candidate of PowerDNS DNSdist 1.8.0

2023-03-09 Thread Remi Gacogne via dnsdist
Hi! We are very happy to release the second candidate of what will become dnsdist 1.8.0! This release contains fixes for a few issues that were found in the first release candidate, the most important one being that dnsdist was responding from the wrong source IP address in some setups, whic

Re: [dnsdist] Define from which source dnsdist is sending a reply

2023-03-03 Thread Remi Gacogne via dnsdist
Hi Sandro, On 03/03/2023 16:28, Sandro Bolliger via dnsdist wrote: Is it possible to send a reply from a specific IP as source in dnsdist? I use multiple different IPs on the Loopback interface of my dnsdist machine. The IPs are routed to that server. Now dnsdist is replying with the interface

Re: [dnsdist] First release candidate of dnsdist 1.8.0

2023-03-01 Thread Remi Gacogne via dnsdist
Hi Vincent, On 01/03/2023 11:42, Vincent Schönau via dnsdist wrote: As of 1.7, dnsdist would respond from the IP address it received the query on when configured to listen on multiple IP addresses with addLocal(). My install of 1.8 (from the Ubuntu repo, 1.8.0~rc1+master.35.g8243d1786-1pdns.ja

[dnsdist] First release candidate of dnsdist 1.8.0

2023-02-23 Thread Remi Gacogne via dnsdist
Hello! We are very happy to release the first candidate of what will become dnsdist 1.8.0! This release contains a significant amount of changes since the last major release, 1.7.0, which was released a bit over a year ago. We try to stick to a major release every six months, but this one to

Re: [dnsdist] [EXT] Re: Performance/tuning sanity check

2023-01-03 Thread Remi Gacogne via dnsdist
On 03/01/2023 17:07, Dan McCombs wrote: I spent some time looking through the thread Nicolas shared at https://mailman.powerdns.com/pipermail/dnsdist/2017-April/000281.html of his performance tuning experience. Do you know

Re: [dnsdist] Performance/tuning sanity check

2023-01-03 Thread Remi Gacogne via dnsdist
Hi Dan, Klaus, I just noticed I messed up with my previous response and it never made it to the list, so I'm re-posting it now. I don't see anything wrong with your configuration, Dan. You could look at the metrics to see if you are experiencing contention in the packet-cache and ring-buffer

Re: [dnsdist] Handling lack of caching of TC responses

2022-11-18 Thread Remi Gacogne via dnsdist
Hi Dan, On 18/11/2022 02:51, Dan McCombs via dnsdist wrote: Is that something that's expected to happen once the full response has been returned from a downstream over TCP? Is there some way to force TC responses to have at least some minimal TTL? Or some way to have dnsdist use its cached res

Re: [dnsdist] Responding from cache when all pool servers are down?

2022-11-15 Thread Remi Gacogne via dnsdist
Hi Aaron, On 01/11/2022 23:03, Aaron de Bruyn via dnsdist wrote: Is there a way to specifically respond to cached items and return SERVFAIL if it's not in the cache? I'm afraid there is no way to do exactly that. I guess we would need a selector with the ability to look into the packet-cache

Re: [dnsdist] Client query id in the dq-object?

2022-11-15 Thread Remi Gacogne via dnsdist
Hi Tom, On 04/11/2022 08:02, Tom via dnsdist wrote: So the idea was to set a dnsdist rule on which I can set the AllowedDebugSRC (the admin's IP, to prevent, that anybody else could trigger the debug), check the QueryID and then send this kind of requests to a debug-enabled BIND, which then wr

Re: [dnsdist] expungeByName from ALL pools

2022-10-07 Thread Remi Gacogne via dnsdist
Hi Christof, On 05/10/2022 12:06, Chen, Christof via dnsdist wrote: I use separate caches for various pools. Now I want to delete a given FQDN from the cache, but I don't know immediately in which cache it is - so I would like to simply expungeByName it from all caches. Is there a straightforw

Re: [dnsdist] Backend Questions

2022-10-07 Thread Remi Gacogne via dnsdist
Hello Klaus, On 07/10/2022 10:53, Klaus Darilion via dnsdist wrote: We use dnsdist with 1 single backend server (PDNS). So if this backend is overloaded, dnsdist will detect the backend as DOWN. Hence, the only server for this backend pool down. How will dnsdist behave if all servers for a ba

Re: [dnsdist] Whitelisting IP addresses with XDP filtering

2022-10-05 Thread Remi Gacogne via dnsdist
Hi, On 05/10/2022 09:30, Pierre Grié via dnsdist wrote: In the meantime you could exclude the range using [1] to make sure that this is really the root cause of your issue. We already identified that dnsdist was the root cause by restarting dnsdist after it inserted the IP in the DynBlock and

Re: [dnsdist] Whitelisting IP addresses with XDP filtering

2022-10-04 Thread Remi Gacogne via dnsdist
Hi Pierre, On 04/10/2022 17:59, Pierre Grié via dnsdist wrote: I am currently working on an XDP BPF filter to work with dnsdist BPF maps which puts the TC bit on packets from incoming IPs flagged by dnsdist, and I am trying to implement a whitelist system with an additional map that would contain

Re: [dnsdist] "Timeout from remote TCP client" with dnsdist + PDNS Recursor

2022-10-03 Thread Remi Gacogne via dnsdist
Hi, On 30/09/2022 17:56, Christian Joffre Calva Urrego via dnsdist wrote: We currently use dnsdist 1.4 and have a PowerDNS Recursor configured as downstream server. Everything has a standard minimum configuration, with .. client-tcp-timeout=60 .. configured on the PDNS Recursor. The point is

Re: [dnsdist] TCP / UDP backend queries

2022-09-30 Thread Remi Gacogne via dnsdist
Hi Thibaud, On 30/09/2022 15:18, Thib D via dnsdist wrote: Use case here is for authoritative DNS, not DoH. As far as my understanding goes (and backed up by a tcpdump test), a UDP query on the frontend will result in a UDP query to the backend server, and a TCP query on the frontend will resu

[dnsdist] dnsdist 1.7.2 released

2022-06-14 Thread Remi Gacogne via dnsdist
Hello! We are very happy to release dnsdist 1.7.2 today, a maintenance release fixing a few bugs reported since 1.7.1: - An unhandled exception could happen when an invalid protocol was used in an incoming DNS over HTTPS forwarded-for header and passed to the backend via the proxy protocol,

[dnsdist] dnsdist 1.7.1 released

2022-04-25 Thread Remi Gacogne via dnsdist
Hello! We are very happy to release dnsdist 1.7.1 today, a maintenance release fixing a few bugs reported since 1.7.0: - A use-after-free error could happen if a network error occurred in the middle of a XFR query, for a proxy-protocol-enabled backend, leading to a crash - The TLS Server Nam

Re: [dnsdist] [EXT] Re: How to best handle DNS floods

2022-04-11 Thread Remi Gacogne via dnsdist
Hi, On 06/04/2022 11:02, me aharen wrote: Can you explain the "minimum of 10 answers during that time to reduce the risk of false-positive" part? Does it mean a minimum of 10 queries within that window, should be SERVFAIL? It means that we need to have seen at least 10 answers, SERVFAIL or no

Re: [dnsdist] Best practice to handle massive DNS-JSON requests on DoH frontend

2022-04-11 Thread Remi Gacogne via dnsdist
Hi Pascal, On 10/04/2022 19:15, Pascal K via dnsdist wrote: We see massive DNS-JSON style requests on our DoH resolver which are correctly answered with HTTP 400 Bad Request [0] by dnsdist. Here is an example: GET /dns-query?name=asia1.ethermine.org Every request comes in a new TCP connection fo

Re: [dnsdist] [EXT] Re: How to best handle DNS floods

2022-04-04 Thread Remi Gacogne via dnsdist
Hi, On 03/04/2022 10:42, me aharen wrote: Thanks for the input. Yes, we have legit customers participating in the PRSD floods. Understood. Setting the DynBlockRulesGroup:setRCodeRatio is interesting, can you share a sample config of this rule? I cannot find any example in the documentation

Re: [dnsdist] Proxy protocol question

2022-04-02 Thread Remi Gacogne via dnsdist
Hi Adrian, On 02/04/2022 14:36, Adrian Kägi via dnsdist wrote: These are my "newServer" statements: newServer({address="pdns_auth_IPv4:5353", name="nsa-1_v4", pool="sec", useProxyProtocol=True}) newServer({address="[pdns_auth_IPv6]:5353", name="nsa-sec1_v6", pool="sec", useProxyProtocol=True

Re: [dnsdist] How to best handle DNS floods

2022-04-01 Thread Remi Gacogne via dnsdist
Hi, On 31/03/2022 10:59, me aharen via dnsdist wrote: And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL), DropAction())" - although I am uncertain if this works as I think it would. This will not work as expected, as this rule is going to drop queries with a response code set to Ser

Re: [dnsdist] [EXT] Is there some simple issue that needs to be done?

2022-03-29 Thread Remi Gacogne via dnsdist
Hi! On 29/03/2022 14:52, Y7n05h wrote: I'm interested in improving the performance of dnsdist with AF_XDP in GSoC, I've spent a lot of time learning XDP and AF_XDP. I hope there are some simple issues waiting to be done to help me get familiar with the architecture of dnsdist. It would be better

Re: [dnsdist] dnsdist[29321]: Marking downstream IP:53 as 'down'

2022-03-23 Thread Remi Gacogne via dnsdist
Hi, > We have configured a dnsdist instance to handle around 500k QPS, but we > are seeing the downstream marked down frequently once QPS reaches above 25k. Below > are the logs which we found related to the issue. > > dnsdist[29321]: Marking downstream server1 IP:53 as 'down' > > dnsdist[29321]: Marking downstr

Re: [dnsdist] [EXT] Re: How to apply dynamic rules with pools?

2022-02-23 Thread Remi Gacogne via dnsdist
On 23/02/2022 17:20, Willis, Michael wrote: I changed the rule to: dbr:setQTypeRate(DNSQType.ANY, 1, 10, "Exceeded ANY rate", 600) After testing it looks like the entire 10 seconds needed to elapse before the rule is evaluated. I was not expecting this logic, and that was tripping me up. I wa

Re: [dnsdist] How to apply dynamic rules with pools?

2022-02-23 Thread Remi Gacogne via dnsdist
Hi Mike, On 23/02/2022 16:49, Willis, Michael via dnsdist wrote: I have intentionally set the trigger for "ANY" to 1 every 100 seconds, so it will trigger and stay triggered. This is so I can verify the correct rule is applying. dbr:setQTypeRate(DNSQType.ANY, 1, 100, "Exceeded ANY rate", 600)

Re: [dnsdist] dnsdist and powerdns on same machine

2022-02-04 Thread Remi Gacogne via dnsdist
Hi Stephan, On 04/02/2022 10:47, De Webmakers (Stephan) via dnsdist wrote: I’ve been struggling with this for far too long now… Is it possible to run dnsdist and pdns on the same server and accept DNS requests from everyone (just as it would be without dnsdist)? The problem is that I just can

Re: [dnsdist] dnsdist and PROXYv2 testing - accepting TCP connections when an upstream server is available

2022-01-31 Thread Remi Gacogne via dnsdist
Hi Oto, On 31/01/2022 16:50, Oto Šťáva via dnsdist wrote: firstly, I want to thank everyone involved for making dnsdist available, it has helped me greatly these past few weeks with implementing and testing support for the PROXYv2 protocol in Knot Resolver [1] here at CZ.NIC. That's very goo

Re: [dnsdist] forwarding domains to special servers

2022-01-21 Thread Remi Gacogne via dnsdist
Hi Thomas, On 21/01/2022 13:55, Thomas Mieslinger via dnsdist wrote: I'm completely new to dnsdist. I'd like to use it for a DNS split horizon setup. Goal: send queries which end with 'internal.domain' to Pool "int". According to the documentation there are two ways to do so: -- setup default p

Re: [dnsdist] [EXT] XDP/eBPF blocking (was dnsdist 1.7.0 released)

2022-01-18 Thread Remi Gacogne via dnsdist
Hi Klaus, On 17/01/2022 21:05, Klaus Darilion wrote: Pierre Grié from Nameshield contributed an XDP program to reply to blocked UDP queries with a truncated response directly from the kernel, in a similar way to what we were already doing using eBPF socket filters. This version adds support for

[dnsdist] dnsdist 1.7.0 released

2022-01-17 Thread Remi Gacogne via dnsdist
Hi everyone! We are proud to announce the release of dnsdist 1.7.0. This release contains several new exciting features since 1.6.1, as well as improvements and bug fixes. It contains one single change from the first release candidate, a fix for DynBlockRatioRule::warningRatioExceeded provide

Re: [dnsdist] frontend responses for resolver timeouts

2022-01-10 Thread Remi Gacogne via dnsdist
Hi David, On 07/01/2022 18:03, David Bader via dnsdist wrote: Ok, so in case of a timeout, dnsdist does not send anything to the client and the client will also time out (and retry). Does that mean it would make sense to increase the dnsdist configuration to use the same timeout as the client

Re: [dnsdist] frontend responses for resolver timeouts

2022-01-07 Thread Remi Gacogne via dnsdist
Hi David, On 07/01/2022 12:06, David Bader via dnsdist wrote: Hello, is my understanding correct, that dnsdist sends the client a ServFail answer after 2 seconds when the backend resolver does not respond within the timeout (2 seconds by default): https://www.dnsdist.org/reference/tuning.html

Re: [dnsdist] no ipv6 connectivity

2022-01-07 Thread Remi Gacogne via dnsdist
Hi Larry, On 06/01/2022 18:16, Larry Wapnitsky via dnsdist wrote: I've set up dnsdist in my lab to forward to my DNS servers, running PowerDNS. If I do nslookup directly to the IPv6 addresses on the name servers, I can resolve. If I try to resolve via dnsdist, I get no connection. Here is my

[dnsdist] First release candidate of dnsdist 1.7.0

2021-12-22 Thread Remi Gacogne via dnsdist
Hi everyone! We are happy to announce the first release candidate of what will become dnsdist 1.7.0, with only one fix and one improvement since the second beta. We fixed a crash introduced in 1.7.0-alpha1 that could occur when a DoH query was forwarded to a backend over TCP, DoT or DoH and t

Re: [dnsdist] Large domain list blocking via DNS

2021-12-13 Thread Remi Gacogne via dnsdist
Hi Jahanzeb, On 13/12/2021 08:00, Jahanzeb Arshad via dnsdist wrote: We want to implement blocking of a large number (3M+) of undesirable domains (adult/malware) via DNS. We have tested using PowerDNS Recursor and it is working in a test environment. For blocking we have used a Lua DNS script with do

Re: [dnsdist] Dynamic Rule for abusive SERVFAIL queries from bots

2021-12-13 Thread Remi Gacogne via dnsdist
Hi, On 11/12/2021 08:44, me aharen via dnsdist wrote: I am running dnsdist 1.6.1 and I am unable to figure out the safest method of handling large amounts of SERVFAIL queries to random domains. Right now I manually check SERVFAIL responses via 'topResponses(50, dnsdist.SERVFAIL)', and pick a
