[dnsdist] (DNSDist udptotcp with browser)

Burak Ozalp burak.ozalp at metu.edu.tr
Fri Aug 28 06:31:46 UTC 2015


I tested the master branch, following the steps on the http://dnsdist.org/
main page, on my PC running Ubuntu 14.04 LTS. I tested with the
following Lua config script.
addLocal("0.0.0.0:53")
newServer("192.168.0.1")

function blockFilter(remote, qname, qtype, dh)
          dh:setTC(true)
          dh:setQR(true)
          return false
end






Quoting bert hubert <bert.hubert at powerdns.com>:

On Thu, Aug 27, 2015 at 02:14:46PM +0300, Burak Ozalp wrote:
Hi everyone,

when I run dnsdist with the config file, and change the nameserver in
/etc/resolv.conf to 127.0.0.1, I can use the dig command
and it works perfectly.
Which exact version do you run? I think you tried a version from an old RPM,
and one from git?

However, after applying these configurations, when I connect to a new
website (not a cached one) with the Chrome browser, in the first 2 or 3
tries it didn't work, then it connected to the website.
Is this with your "reply TC=1" or "TCP for everything" configuration? Can
you retest with that off if it is?

         Bert



What caused this problem?

Best Regards
Burak Özalp

Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>:

It works! Thank you all. I finally did what I wanted.

Best Regards
Burak Ozalp

Quoting bert hubert <bert.hubert at powerdns.com>:

Hi Burak,

I just tested this:

addLocal("0.0.0.0:5200")
newServer("192.168.1.2")

function blockFilter(remote, qname, qtype, dh)
        dh:setTC(true)
        dh:setQR(true)
        return false
end

And I get this output:

$ dig ds9a.nl @127.0.0.1 -p 5200
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> ds9a.nl @127.0.0.1 -p 5200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ds9a.nl.                       IN      A

;; ANSWER SECTION:
ds9a.nl.                349     IN      A       82.94.213.34

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5200(127.0.0.1)
;; WHEN: Wed Aug 26 14:14:31 CEST 2015
;; MSG SIZE  rcvd: 41

Can you try as well?

         Bert

On Wed, Aug 26, 2015 at 09:16:33AM +0300, Burak Ozalp wrote:
I did not run "sudo service pdns start", so I didn't bind
0.0.0.0:53 on the same host. Also I can run addAnyTCRule() perfectly,
and it rejects ANY queries well, i.e.:

root at burak-desktop:/home/burak# dig any google.com @127.0.0.1
;; Truncated, retrying in TCP mode.
;; communications error: end of file

My main problem is that I couldn't manage to make dnsdistconf.lua work as
I want, even with the command (dnsdist --local 0.0.0.0:53
192.168.0.1 --config dnsdistconf.lua).


Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>:

Well, technically if you are already listening on 192.168.0.1:53
you cannot bind on 0.0.0.0:53 on *same* host.

Aki

On Wed, Aug 26, 2015 at 08:50:47AM +0300, Burak Ozalp wrote:
In another terminal i run the following command;

dnsdist --local 0.0.0.0:53 192.168.0.1

Is it wrong?

Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>:

Did you put dnsdist in front of powerdns instance? Is it listening on
127.0.0.1:53?

Aki

On Tue, Aug 25, 2015 at 04:39:55PM +0300, Burak Ozalp wrote:
This is my dig output:
dig google.com @127.0.0.1
; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> google.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2143
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             167     IN      A       216.58.209.14

;; AUTHORITY SECTION:
google.com.             30662   IN      NS      ns4.google.com.
google.com.             30662   IN      NS      ns1.google.com.
google.com.             30662   IN      NS      ns2.google.com.
google.com.             30662   IN      NS      ns3.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         30944   IN      A       216.239.32.10
ns2.google.com.         10757   IN      A       216.239.34.10
ns3.google.com.         12219   IN      A       216.239.36.10
ns4.google.com.         40489   IN      A       216.239.38.10

;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 25 16:16:23 EEST 2015
;; MSG SIZE  rcvd: 191


Quoting bert hubert <bert.hubert at powerdns.com>:

Does it print out anything at all?

Can you show a 'dig' command that shows a TC:0 response and no fallback to
TCP/IP?

Thanks!

On Tue, Aug 25, 2015 at 02:52:33PM +0300, Burak Ozalp wrote:
Dear Bert,

Firstly, thanks a lot for the fast and illustrative replies. I learned a
lot of things. But I have a problem again :(
I changed the blockFilter() function in the dnsdistconf.lua file to:

function blockFilter(remote, qname, qtype, dh)
     -- this line is printed for every query, not only for ANY
     print("any query, tc=1")
     dh:setTC(true)
     dh:setQR(true)

     -- 'block' must be a DNSName defined earlier in the config file
     if(qname:isPartOf(block))
     then
          print("Blocking *.powerdns.org")
          return true
     end
     return false
end

Then I reinstalled and ran dnsdist. However, nothing changed.




Quoting bert hubert <bert.hubert at powerdns.com>:

sent from the wrong account first, sorry.

Begin forwarded message:

Subject: Re: [Pdns-dev] How to set PowerDNS Server with
option any-to-tcp
From: bert hubert <bert.hubert at netherlabs.nl>
Date: 25 Aug 2015 12:39:05 CEST
Cc: Aki Tuomi <cmouse at youzen.ext.b2.fi>,
pdns-dev at mailman.powerdns.com
To: Burak Ozalp <burak.ozalp at metu.edu.tr>


On 25 Aug 2015, at 12:24, Burak Ozalp <burak.ozalp at metu.edu.tr> wrote:

Thanks Bert,

I installed dnsdist. With addAnyTCRule() I can easily do pdns
any-to-tcp(). However, I couldn't manage to do it for all types
of queries. Should I patch the conf file?

Hi Burak,

Try:

"The blockFilter() also gets passed a read/writable copy of the
DNS Header. If you invoke setQR(1) on that, dnsdist knows you
turned the packet into a response, and will send the answer
directly to the original client.

If you also called setTC(1), this will tell the remote client to
move to TCP/IP, and in this way you can implement ANY-to-TCP
even for downstream servers that lack this feature."

See: https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#any-or-whatever-to-tc


just call setQR(1) and setTC(1) on the header field of
blockFilter() and you are done.

Good luck!




Best Regards
Burak Ozalp

Quoting bert hubert <bert.hubert at powerdns.com>:

Hi Burak,

dnsdist can do this easily, please see http://dnsdist.org/
for more details.
It can set TC on any criterium.

Good luck!

         Bert

On Tue, Aug 25, 2015 at 09:59:12AM +0300, Burak Ozalp wrote:
Dear Tuomi,

Yes, it works. Is it possible to force all UDP requests with a
truncated packet, and force all to use TCP?

Best Regards
Burak Ozalp



Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>:

On Mon, Aug 24, 2015 at 03:36:02PM +0300, Burak Ozalp wrote:
I installed PowerDNS with the MySQL backend from here. I would like to set
any-to-tcp=yes for the PowerDNS Server. I tried to configure the
/etc/powerdns/pdns.conf file and add a line "any-to-tcp=yes". This
option should reject UDP requests from clients and force them to use TCP.
But when I run dig @127.0.0.1 it doesn't set the truncated bit in the
response, so it doesn't work.

How do I set the any-to-tcp option correctly?

It only truncates ANY queries; try dig any domain.com @localhost


_______________________________________________
Pdns-dev mailing list
Pdns-dev at mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-dev
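The thread shows the dnsdist side (blockFilter() with dh:setQR(true) and dh:setTC(true)) and dig's "Truncated, retrying in TCP mode", but never spells out the bytes. The following is an added illustration in Python, not code from the thread or from dnsdist: udp_to_tcp_filter() does to a raw query what that blockFilter() does, and resolve() does what a well-behaved client such as dig does on TC=1. The query id, the fake_tcp_backend stand-in and the 2-byte TCP framing are constructed for the example; the A record reuses the ds9a.nl answer from Bert's dig output.

```python
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # DNS header flag bits

def build_query(qid, name, qtype=1):
    """Build a minimal query: header with RD set and one IN question."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "qdcount": qd, "ancount": an}

def udp_to_tcp_filter(query):
    """What blockFilter() does with dh:setQR(true) + dh:setTC(true): the client's
    own header comes back with QR and TC set and no answer section, and the UDP
    query is never forwarded downstream."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", qid, flags | QR | TC, qd, 0, 0, 0) + query[12:]

def fake_tcp_backend(framed):
    """Constructed stand-in for the downstream server reached over TCP; answers
    every query with ds9a.nl A 82.94.213.34 (TTL 349) as in the thread's dig output."""
    query = framed[2:2 + struct.unpack("!H", framed[:2])[0]]
    qid = struct.unpack("!H", query[:2])[0]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 349, 4) + bytes([82, 94, 213, 34])
    msg = struct.pack("!HHHHHH", qid, QR | RD | RA, 1, 1, 0, 0) + query[12:] + rr
    return struct.pack("!H", len(msg)) + msg

def resolve(query, udp_send, tcp_send):
    """Client side as dig shows it: send over UDP; on TC=1 resend over TCP with
    the 2-byte length prefix of RFC 1035 section 4.2.2. A stub resolver that
    skips this retry only ever sees the empty truncated reply."""
    reply = udp_send(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"] or not hdr["qr"]:
        raise ValueError("reply does not match query")
    if not hdr["tc"]:
        return reply, "udp"
    tcp_reply = tcp_send(struct.pack("!H", len(query)) + query)
    length = struct.unpack("!H", tcp_reply[:2])[0]
    return tcp_reply[2:2 + length], "tcp"

if __name__ == "__main__":
    q = build_query(0x1234, "ds9a.nl")
    answer, transport = resolve(q, udp_to_tcp_filter, fake_tcp_backend)
    print(transport, parse_header(answer))
```

Whether every client on the network performs the TCP retry is the thing to verify before switching all queries to TCP, since a resolver that does not will see only the empty truncated reply.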



