[dnsdist] addAction OpCode Iquery

Nicolas Baumgarten nicomail at gmail.com
Thu Nov 16 12:13:18 UTC 2023


Hi Remy, thanks a lot!
As always, fast and efficient.

Yes you're right, I forgot to mention that qdcount is 0 also.

I'll open a request and for now will try to manage it using iptables.

Saludos!
nico

On Thu, Nov 16, 2023 at 9:10 AM Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote:

> Hi,
>
> On 16/11/2023 04:37, Nicolas Baumgarten via dnsdist wrote:
> > Queries with opcode 1 (DNSOpcode.IQuery) are being ignored (dropped?) on 1.4
> > But 1.6.1 answers NOT implemented.
>
> My guess is that these queries have a query records count (qdcount) of 0
> and you are seeing the effect of [1], implemented in 1.6.0-alpha1,
> because it was needed to conform to rfc8906's tests.
>
> > We don't know what the reason for these queries is, but in the not
> > implemented scenario these queries are retried for a couple of minutes,
> > hundreds or thousands per second by some devices.
>
> That's awful, and of course the device should be fixed, but
> unfortunately not unheard of.
>
> > Trying to stop this, we created a rule to drop them but it's not working:
> >   addAction(OpcodeRule(DNSOpcode.IQuery),DropAction())
> > the same with opcode Query works.
> >
> > #   Name                             Matches Rule        Action
> > 0                                          0 opcode==1   no op
> > 1                                     191722 opcode==0   no op
> >
> > Is there some preprocessing before the rules which answers not implemented?
>
> Correct, this check occurs very early, if only because several rules
> assume that all queries have a qname which is not true when qdcount == 0.
>
> > Is there any option to solve this? If not, we will try with iptables.
>
> Not at the moment, no. We could make the qdcount==0 behaviour
> configurable, to allow dropping or sending a custom response code
> (Refused? No Error?) instead of Not Implemented. Opening a feature
> request would go a long way to make it happen :)
>
> [1]: https://github.com/PowerDNS/pdns/pull/9991
>
> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
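Added example, not part of the original thread and not dnsdist code: a small Python triage of raw DNS UDP payloads that reads the opcode and qdcount from the 12-byte header and counts, per source, the IQuery packets with qdcount == 0 that the thread says are answered before any rule runs. The label names, the threshold, the helper functions and the sample packets (documentation addresses) are all assumptions made for this example.

```python
import struct
from collections import Counter

OPCODE_IQUERY = 1  # DNSOpcode.IQuery, the opcode discussed in the thread

def parse_header(payload):
    """Return (qr, opcode, qdcount) from the 12-byte DNS header, or None if too short."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    return (flags >> 15) & 1, (flags >> 11) & 0xF, qdcount

def triage(payload):
    """Label a UDP payload; the labels are this example's own, not dnsdist's."""
    hdr = parse_header(payload)
    if hdr is None:
        return "too-short"
    qr, opcode, qdcount = hdr
    if qr:
        return "not-a-query"
    if qdcount == 0:
        # The case from the thread: answered before any rule is evaluated.
        return "iquery-empty-question" if opcode == OPCODE_IQUERY else "empty-question"
    return "rule-eligible"

def noisy_sources(packets, threshold):
    """Sources that sent at least `threshold` IQuery packets with qdcount == 0."""
    hits = Counter(src for src, p in packets if triage(p) == "iquery-empty-question")
    return {src: n for src, n in hits.items() if n >= threshold}

def make_header(qid, opcode, qdcount, qr=0):
    """Build a constructed 12-byte header for the sample data below."""
    return struct.pack("!6H", qid, (qr << 15) | (opcode << 11), qdcount, 0, 0, 0)

# Constructed sample traffic (documentation addresses, not from the thread).
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
SAMPLE = (
    [("192.0.2.10", make_header(i, OPCODE_IQUERY, 0)) for i in range(5)]
    + [("192.0.2.20", make_header(100, 0, 1) + QUESTION),
       ("192.0.2.30", make_header(101, OPCODE_IQUERY, 0)),
       ("192.0.2.40", b"\x00\x01")]
)

if __name__ == "__main__":
    for src, count in noisy_sources(SAMPLE, threshold=3).items():
        print(f"{src}: {count} IQuery packets with qdcount == 0")
```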