[dnsdist] (DNSDist udptotcp with browser)

bert hubert bert.hubert at powerdns.com
Fri Aug 28 06:34:24 UTC 2015


On Fri, Aug 28, 2015 at 09:31:46AM +0300, Burak Ozalp wrote:
> I tested with the master branch and the steps at http://dnsdist.org/
> main page with my PC with Ubuntu 14.04 LTS. I tested with the
> following config Lua script.
> 
> addLocal("0.0.0.0:53")
> newServer("192.168.0.1")
> 
> function blockFilter(remote, qname, qtype, dh)
>          dh:setTC(true)
>          dh:setQR(true)
>          return false
> end

Hi Burak,

Can you check if the problem goes away if you disable the blockFilter?

Can you try with the latest head branch,
0570f37c272f7c468ae5d9fe302cd6109e77fab8 ?

	Bert

> 
> Quoting bert hubert <bert.hubert at powerdns.com>
> 
> On Thu, Aug 27, 2015 at 02:14:46PM +0300, Burak Ozalp wrote:
> Hi everyone,
> 
> When I run dnsdist with the config file, and change the
> /etc/resolv.conf nameserver to 127.0.0.1, I can use the dig command
> and it works perfectly.
> Which exact version do you run? I think you tried a version from an old RPM,
> and one from git?
> 
> However, after applying these configurations, when I connect to a new
> web-site (not a cached one) with the Chrome browser, in the first 2 or 3
> tries it didn't work, then it connects to the web-site.
> Is this with your "reply TC=1" or "TCP for everything" configuration? Can
> you retest with that off if it is?
> 
>         Bert
> 
> 
> 
> What caused these problems?
> 
> Best Regards
> Burak Özalp
> 
> Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
> 
> It works! Thank you for all. I did when I want finally.
> 
> Best Regards
> Burak Ozalp
> 
> Quoting bert hubert <bert.hubert at powerdns.com>
> 
> Hi Burak,
> 
> I just tested this:
> 
> addLocal("0.0.0.0:5200")
> newServer("192.168.1.2")
> 
> function blockFilter(remote, qname, qtype, dh)
>        dh:setTC(true)
>        dh:setQR(true)
>        return false
> end
> 
> And I get this output:
> 
> $ dig ds9a.nl @127.0.0.1 -p 5200
> ;; Truncated, retrying in TCP mode.
> 
> ; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> ds9a.nl @127.0.0.1 -p 5200
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;ds9a.nl.                       IN      A
> 
> ;; ANSWER SECTION:
> ds9a.nl.                349     IN      A       82.94.213.34
> 
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#5200(127.0.0.1)
> ;; WHEN: Wed Aug 26 14:14:31 CEST 2015
> ;; MSG SIZE  rcvd: 41
> 
> Can you try as well?
> 
>         Bert
> 
> On Wed, Aug 26, 2015 at 09:16:33AM +0300, Burak Ozalp wrote:
> I did not run "sudo service pdns start", so I didn't bind
> 0.0.0.0:53 on the same host. Also I can run addAnyTCRule() perfectly,
> and it rejects ANY queries well
> (i.e;root at burak-desktop:/home/burak# dig any google.com @127.0.0.1
> ;; Truncated, retrying in TCP mode.
> ;; communications error: end of file).
> 
> My main problem is that I couldn't manage to get dnsdistconf.lua to work as
> I want, even with the command (dnsdist --local 0.0.0.0:53
> 192.168.0.1 --config dnsdistconf.lua).
> 
> Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
> 
> Well, technically if you are already listening on 192.168.0.1:53
> you cannot bind on 0.0.0.0:53 on *same* host.
> 
> Aki
> 
> On Wed, Aug 26, 2015 at 08:50:47AM +0300, Burak Ozalp wrote:
> In another terminal I run the following command:
> 
> dnsdist --local 0.0.0.0:53 192.168.0.1
> 
> Is it wrong?
> 
> Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
> 
> Did you put dnsdist in front of powerdns instance? Is it listening on
> 127.0.0.1:53?
> 
> Aki
> 
> On Tue, Aug 25, 2015 at 04:39:55PM +0300, Burak Ozalp wrote:
> This is my dig output;
> dig google.com @127.0.0.1
> ; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> google.com @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2143
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;google.com.                    IN      A
> 
> ;; ANSWER SECTION:
> google.com.             167     IN      A       216.58.209.14
> 
> ;; AUTHORITY SECTION:
> google.com.             30662   IN      NS      ns4.google.com.
> google.com.             30662   IN      NS      ns1.google.com.
> google.com.             30662   IN      NS      ns2.google.com.
> google.com.             30662   IN      NS      ns3.google.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.google.com.         30944   IN      A       216.239.32.10
> ns2.google.com.         10757   IN      A       216.239.34.10
> ns3.google.com.         12219   IN      A       216.239.36.10
> ns4.google.com.         40489   IN      A       216.239.38.10
> 
> ;; Query time: 17 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug 25 16:16:23 EEST 2015
> ;; MSG SIZE  rcvd: 191
> 
> 
> Quoting bert hubert <bert.hubert at powerdns.com>
> 
> Does it print out anything at all?
> 
> Can you show a 'dig' command that shows TC:0 response and no fallback to
> TCP/IP?
> 
> Thanks!
> 
> On Tue, Aug 25, 2015 at 02:52:33PM +0300, Burak Ozalp wrote:
> Dear Bert;
> 
> Firstly, thanks a lot for fast and illustrative replies. I learned a
> lot of things. But I have a problem again :(
> I changed the dnsdistconf.lua file blockFilter() function as:
> 
> function blockFilter(remote, qname, qtype, dh)
>          print("any query, tc=1")
>          dh:setTC(true)
>          dh:setQR(true)
> 
>          if(qname:isPartOf(block))
>          then
>                 print("Blocking *.powerdns.org")
>                 return true
>          end
>          return false
> end
> 
> Then I did a re-installation and ran dnsdist. However, nothing
> is changed.
> 
> Quoting bert hubert <bert.hubert at powerdns.com>
> 
> sent from the wrong account first, sorry.
> 
> Begin forwarded message:
> 
> Subject: Re: [Pdns-dev] How to set PowerDNS Server with option any-to-tcp
> From: bert hubert <bert.hubert at netherlabs.nl>
> Date: 25 Aug 2015 12:39:05 CEST
> Cc: Aki Tuomi <cmouse at youzen.ext.b2.fi>, pdns-dev at mailman.powerdns.com
> To: Burak Ozalp <burak.ozalp at metu.edu.tr>
> 
> On 25 Aug 2015, at 12:24, Burak Ozalp <burak.ozalp at metu.edu.tr> wrote:
> 
> Thanks Bert,
> 
> I installed dnsdist. With addAnyTCRule() I can easily do pdns
> any-to-tcp(). However, I couldn't manage to do it for all types
> of queries. Should I patch the conf file?
> 
> Hi Burak,
> 
> Try:
> 
> "The blockFilter() also gets passed read/writable copy of the
> DNS Header. If you invoke setQR(1) on that, dnsdist knows you
> turned the packet into a response, and will send the answer
> directly to the original client.
> 
> If you also called setTC(1), this will tell the remote client to
> move to TCP/IP, and in this way you can implement ANY-to-TCP
> even for downstream servers that lack this feature."
> 
> See: https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#any-or-whatever-to-tc
> 
> 
> just call setQR(1) and setTC(1) on the header field of
> blockFilter() and you are done.
> 
> Good luck!
> 
> 
> Best Regards
> Burak Ozalp
> 
> Quoting bert hubert <bert.hubert at powerdns.com>
> 
> Hi Burak,
> 
> dnsdist can do this easily, please see http://dnsdist.org/
> for more details.
> It can set TC on any criterium.
> 
> Good luck!
> 
>         Bert
> 
> On Tue, Aug 25, 2015 at 09:59:12AM +0300, Burak Ozalp wrote:
> Dear Tuomi,
> 
> Yes, it works. Is it possible to force all UDP requests with
> truncated packet, and force all to use TCP?
> 
> Best Regards
> Burak Ozalp
> 
> Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
> 
> On Mon, Aug 24, 2015 at 03:36:02PM +0300, Burak Ozalp wrote:
> I install PowerDNS with MySQL backend from here. I would like to set
> any-to-tcp=yes for PowerDNS Server. I tried to configure the
> /etc/powerdns/pdns.conf file and add a line "any-to-tcp=yes". This
> option should reject UDP request from client and force to use tcp.
> But when I run dig @127.0.0.1 it doesn't set the truncated bit in
> response, so it doesn't work.
> 
> How to set correctly any-to-tcp option?
> 
> It only truncates ANY query, try dig any domain.com @localhost
> 
> 
> _______________________________________________
> Pdns-dev mailing list
> Pdns-dev at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-dev
> 
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/dnsdist
> 
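
The effect of calling setQR and setTC in blockFilter, as discussed in the thread, modelled at the DNS wire level. This is an added example, not code from the thread or from dnsdist; the function names are hypothetical, the sample query is constructed, and dropping everything after the question section is a simplifying assumption rather than documented dnsdist behaviour.

```python
import struct

QR = 0x8000  # header flag: message is a response
TC = 0x0200  # header flag: truncated, client should retry over TCP


def build_query(qname, qtype=1, txid=0x1234):
    """Constructed sample: one-question query, RD set, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def question_end(msg):
    """Offset just past the first question (name, type, class)."""
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("question name runs past end of message")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("question type/class missing")
    return pos + 4


def truncated_reply(query):
    """Model of the setQR(true)+setTC(true) reply: same ID, no records."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & QR or qdcount != 1:
        raise ValueError("expected a single-question query")
    header = struct.pack("!HHHHHH", txid, flags | QR | TC, 1, 0, 0, 0)
    return header + query[12:question_end(query)]


def must_retry_over_tcp(query, reply):
    """Client-side view: matching ID, QR set and TC set means retry on TCP."""
    if len(reply) < 12 or reply[:2] != query[:2]:
        return False
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & QR) and bool(flags & TC)
```

A stub resolver that never retries over TCP after such a reply will simply fail the lookup, which is the behaviour to check for when a client misbehaves behind this kind of rule.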



