[dnsdist] DnsDist Disable TCP

bert hubert bert.hubert at netherlabs.nl
Thu Sep 3 20:15:15 UTC 2015


On Thu, Sep 03, 2015 at 02:24:28PM +0300, Burak Ozalp wrote:
> Actually, it only works for Ubuntu-Chrome. In Windows neither
> Chrome nor Internet Explorer works with these configuration. What
> could be the reason of this situation ?

Hi Burak,

We estimate that this is an issue that Mozilla and Google might need to take
a look at.

We asked a friend at Mozilla and he suggests you file a very detailed bug
with them, including a tcpdump that shows what happens (UDP query, TC=1
response, no followup).

On the dns-operations list we also discussed this issue you reported,
https://lists.dns-oarc.net/pipermail/dns-operations/2015-September/013637.html
where we learned that Firefox 38 at least on one platform does the right
thing.

	Bert



> 
> Best Regards
> Burak Özalp
> 
> Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
> 
> >
> >
> >Yes! It works. When we try with the Chrome Browser it responds
> >with the TC-bit set and then it automatically retries TCP (looks
> >great). However, when we try with Firefox Browser, it only
> >returns the response and does not try with TCP.
> >
> >This is our related configurations;
> >
> >glibc version : 2.13-1
> >Kernel version : 3.2.0-68-generic
> >Firefox version: 40.0.3
> >Chrome version: 43.0.2357.65
> >-- 
> >
> >Best Regards
> >Burak Ozalp
> >
> >
> >
> >Quoting bert hubert <bert.hubert at netherlabs.nl>
> >
> >>On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
> >>>Our problem is that we don't know the source address. Our aim is the
> >>>defence against DDoS attacks, so we should limit all different
> >>>IPs. As a result, when an attacker attacks our server, we need to
> >>>not drop innocent requests.
> >>
> >>Ok, then do:
> >>
> >>addAction(MaxQPSIPRule(5), DropAction())
> >>
> >>On the latest packages. Limits each individual IP to 5 QPS, drops beyond
> >>that.
> >>
> >>	Bert
> >>
> >>>
> >>>Best Regards
> >>>Burak Ozalp
> >>>
> >>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>
> >>>>On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
> >>>>>Hi Bert;
> >>>>>
> >>>>>AddQPS is the best option for us. Is it possible to apply
> >>>>>addQPSLimit for individual IPs?
> >>>>
> >>>>Yes, as outlined in the documentation ->
> >>>>https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
> >>>>
> >>>>You can add as many subnets as you want, or individual IPs etc.
> >>>>
> >>>>Good luck!
> >>>>
> >>>>	Bert
> >>>>
> >>>>>
> >>>>>Best Regards
> >>>>>Burak Ozalp
> >>>>>
> >>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>>
> >>>>>>On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
> >>>>>>>With the current version of RPM i get no error. However,
> >>>>>>>addAction(MaxQPSIPRule(5), NoRecurseAction()) , didn't do its job.
> >>>>>>>Should we use both addQPSLimit and addAction together for limiting
> >>>>>>>individual IP to 5 qps?
> >>>>>>
> >>>>>>No, addQPSLimit alone is fine. The addAction is only if you
> >>>>>>want to drop the
> >>>>>>RD-bit for traffic that exceeds the QPS limit.
> >>>>>>
> >>>>>>	Bert
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>_______________________________________________
> >>>>>dnsdist mailing list
> >>>>>dnsdist at mailman.powerdns.com
> >>>>>http://mailman.powerdns.com/mailman/listinfo/dnsdist
> >>>>>




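The two mechanisms the thread turns on, a per-source-IP QPS rule paired with a drop or no-recurse action, and a TC=1 UDP reply that a client is expected to follow up over TCP, modelled in Python as an added example (this is neither dnsdist code nor anything posted in the thread). It parses only the 12-byte DNS header; the class and function names echo the dnsdist rules named above, but their semantics here (a one-second sliding window for the QPS rule, an empty TC=1 reply that echoes the question, a query with no additional records) are assumptions made for the example.

```python
"""Toy model of the dnsdist rules discussed in this thread.

Added example, not dnsdist code: a per-source-IP QPS rule with a
DropAction / NoRecurseAction policy, plus the client-side TC-bit check a
stub resolver must make before retrying a UDP query over TCP.  Only the
12-byte DNS header (RFC 1035, section 4.1.1) is parsed.  Rule and action
names are borrowed from the thread; their semantics here are assumed.
"""
import struct
from collections import defaultdict, deque

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000                     # message is a response
FLAG_TC = 0x0200                     # truncated: client should retry over TCP
FLAG_RD = 0x0100                     # recursion desired


def build_query(qid, name, qtype=1, rd=True):
    """Minimal DNS query (no EDNS): header + one question, class IN."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    flags = FLAG_RD if rd else 0
    return HEADER.pack(qid, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(pkt):
    if len(pkt) < HEADER.size:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(pkt)
    return {"id": qid, "flags": flags, "qd": qd, "an": an, "ns": ns, "ar": ar}


def is_truncated(response):
    return bool(parse_header(response)["flags"] & FLAG_TC)


def needs_tcp_retry(query, response):
    """A well-behaved client retries over TCP only for a reply that matches its
    query ID, is a response (QR=1) and carries TC=1.  The "no followup" case in
    the thread is a client that gets True here and still sends nothing over TCP."""
    q, r = parse_header(query), parse_header(response)
    return q["id"] == r["id"] and bool(r["flags"] & FLAG_QR) and bool(r["flags"] & FLAG_TC)


def truncated_reply(query):
    """Server side: answer a UDP query with an empty TC=1 reply that echoes the
    question, pushing the client to TCP.  Assumes the query carries no
    additional records (build_query adds none)."""
    h = parse_header(query)
    flags = FLAG_QR | FLAG_TC | (h["flags"] & FLAG_RD)
    return HEADER.pack(h["id"], flags, h["qd"], 0, 0, 0) + query[HEADER.size:]


class MaxQPSIPRule:
    """Matches once a source IP has sent more than `qps` queries within the last
    second (sliding window; assumed semantics for this sketch)."""

    def __init__(self, qps):
        self.qps = qps
        self.seen = defaultdict(deque)   # src_ip -> timestamps of recent queries

    def matches(self, src_ip, now):
        window = self.seen[src_ip]
        while window and now - window[0] >= 1.0:
            window.popleft()
        window.append(now)
        return len(window) > self.qps


def drop_action(query):
    """DropAction: no reply at all."""
    return None


def no_recurse_action(query):
    """NoRecurseAction: clear the RD bit so the backend answers only from what it
    already holds, but still forward the query."""
    h = parse_header(query)
    return HEADER.pack(h["id"], h["flags"] & ~FLAG_RD,
                       h["qd"], h["an"], h["ns"], h["ar"]) + query[HEADER.size:]


def process(rule, action, src_ip, query, now):
    """addAction(rule, action): apply `action` on a match, else pass the query through."""
    return action(query) if rule.matches(src_ip, now) else query


if __name__ == "__main__":
    q = build_query(0x1234, "example.com.")
    rule = MaxQPSIPRule(5)
    # Constructed burst: eight queries from one address inside a second, one from another.
    for i in range(8):
        out = process(rule, drop_action, "192.0.2.10", q, 0.1 * i)
        print(f"query {i + 1} from 192.0.2.10:", "dropped" if out is None else "passed")
    print("192.0.2.11:", "passed" if process(rule, drop_action, "192.0.2.11", q, 0.5) else "dropped")
    print("flags after NoRecurseAction:", hex(parse_header(no_recurse_action(q))["flags"]))
    print("retry over TCP after TC=1 reply:", needs_tcp_retry(q, truncated_reply(q)))
```

When reading the tcpdump Bert asks for, the check to make is the one `needs_tcp_retry` encodes: the UDP reply must carry the query's ID with QR=1 and TC=1; a client that sees such a reply and then opens no TCP connection is the behaviour worth reporting. The rule sketch also makes the difference between the two actions concrete: `drop_action` returns nothing, while `no_recurse_action` forwards the same packet with only bit 0x0100 cleared.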