[dnsdist] DnsDist Firefox Issue

Burak Ozalp burak.ozalp at metu.edu.tr
Fri Sep 4 06:23:38 UTC 2015


Hi Bert

Thank you for your interest. Firefox and Chrome DNS operations' pcap
files are attached.

Best Regards
Burak Ozalp

Quoting bert hubert <bert.hubert at netherlabs.nl>

> On Thu, Sep 03, 2015 at 02:24:28PM +0300, Burak Ozalp wrote:
>> Actually, it only works for Ubuntu-Chrome. In Windows neither
>> Chrome nor Internet Explorer works with this configuration. What
>> could be the reason for this situation?
>
> Hi Burak,
>
> We estimate that this is an issue that Mozilla and Google might need to take
> a look at.
>
> We asked a friend at Mozilla and he suggests you file a very detailed bug
> with them, including a tcpdump that shows what happens (UDP query, TC=1
> response, no followup).
>
> On the dns-operations list we also discussed this issue you reported,
> https://lists.dns-oarc.net/pipermail/dns-operations/2015-September/013637.html
> where we learned that Firefox 38 at least on one platform does the right
> thing.
>
> 	Bert
>
>
>
>>
>> Best Regards
>> Burak Özalp
>>
>> Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
>>
>> >
>> >
>> >Yes! It works. When we try with the Chrome Browser it responds
>> >with the TC-bit set and then it automatically retries TCP (looks
>> >great). However, when we try with the Firefox Browser, it only
>> >returns the response and does not try with TCP.
>> >
>> >These are our related configurations:
>> >
>> >glibc version : 2.13-1
>> >Kernel version : 3.2.0-68-generic
>> >Firefox version: 40.0.3
>> >Chrome version: 43.0.2357.65
>> >--
>> >
>> >Best Regards
>> >Burak Ozalp
>> >
>> >
>> >
>> >Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >
>> >>On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
>> >>>Our problem is that we don't know the source address. Our aim is the
>> >>>defence against DDoS attacks, we should limit for all different
>> >>>IPs. As a result, when an attacker attacks our server, we need to
>> >>>not drop innocent requests.
>> >>
>> >>Ok, then do:
>> >>
>> >>addAction(MaxQPSIPRule(5), DropAction())
>> >>
>> >>On the latest packages. Limits each individual IP to 5 QPS, drops beyond
>> >>that.
>> >>
>> >>	Bert
>> >>
>> >>>
>> >>>Best Regards
>> >>>Burak Ozalp
>> >>>
>> >>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>
>> >>>>On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
>> >>>>>Hi Bert;
>> >>>>>
>> >>>>>AddQPS is the best option for us. Is it possible to apply
>> >>>>>addQPSLimit for individual IPs?
>> >>>>
>> >>>>Yes, as outlined in the documentation ->
>> >>>>https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
>> >>>>
>> >>>>You can add as many subnets as you want, or individual IPs etc.
>> >>>>
>> >>>>Good luck!
>> >>>>
>> >>>>	Bert
>> >>>>
>> >>>>>
>> >>>>>Best Regards
>> >>>>>Burak Ozalp
>> >>>>>
>> >>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>
>> >>>>>>On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
>> >>>>>>>With the current version of RPM I get no error. However,
>> >>>>>>>addAction(MaxQPSIPRule(5), NoRecurseAction()) didn't do its job.
>> >>>>>>>Should we use both addQPSLimit and addAction together for limiting
>> >>>>>>>individual IP to 5 qps?
>> >>>>>>
>> >>>>>>No, addQPSLimit alone is fine. The addAction is only if you want to
>> >>>>>>drop the RD-bit for traffic that exceeds the QPS limit.
>> >>>>>>
>> >>>>>>	Bert
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>_______________________________________________
>> >>>>>dnsdist mailing list
>> >>>>>dnsdist at mailman.powerdns.com
>> >>>>>http://mailman.powerdns.com/mailman/listinfo/dnsdist
>> >>>>>
>> >>>>
>> >>>
>> >>>
>> >>
>> >
>> >
>>
>>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: chrome.pcap
Type: application/vnd.tcpdump.pcap
Size: 117308 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20150904/0e367212/attachment.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firefox.pcap
Type: application/vnd.tcpdump.pcap
Size: 4616 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20150904/0e367212/attachment-0001.pcap>
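
The pattern the thread asks to show in a tcpdump (UDP query, TC=1 response, no follow-up) can be checked mechanically. The following is an added example, not part of the original thread or of dnsdist: it assumes DNS payloads already extracted from a capture (TCP length prefix stripped), and the event tuples, addresses and names are constructed sample data.

```python
import struct

def build_dns(txid, qname, qr=0, tc=0):
    """Build a minimal one-question DNS message (helper for the constructed sample)."""
    flags = (qr << 15) | (tc << 9) | (1 << 8)  # QR, TC, RD=1
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)

def parse_dns(payload):
    """Return (is_response, truncated, qname) from a raw DNS message."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("question name runs past end of message")
        n = payload[pos]
        if n == 0:
            break
        if n > 63:
            raise ValueError("compressed or invalid label in question")
        # DNS names are case-insensitive, so compare them lowercased.
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    return bool(flags & 0x8000), bool(flags & 0x0200), ".".join(labels)

def unretried_truncations(events):
    """events: (proto, client_ip, dns_payload) tuples in capture order.
    Returns (client, qname) pairs that got TC=1 over UDP with no later TCP query."""
    pending = set()
    for proto, client, payload in events:
        is_response, truncated, qname = parse_dns(payload)
        if proto == "udp" and is_response and truncated:
            pending.add((client, qname))       # client was told to retry over TCP
        elif proto == "tcp" and not is_response:
            pending.discard((client, qname))   # client followed up over TCP
    return sorted(pending)

# Constructed sample: client .10 retries over TCP, client .20 does not.
SAMPLE = [
    ("udp", "192.0.2.10", build_dns(1, "example.org")),
    ("udp", "192.0.2.10", build_dns(1, "example.org", qr=1, tc=1)),
    ("tcp", "192.0.2.10", build_dns(2, "example.org")),
    ("tcp", "192.0.2.10", build_dns(2, "example.org", qr=1)),
    ("udp", "192.0.2.20", build_dns(3, "Example.ORG")),
    ("udp", "192.0.2.20", build_dns(3, "example.org", qr=1, tc=1)),
]
```

Any pair returned by `unretried_truncations` is a client that was truncated and never came back over TCP, which is the behaviour a bug report to the browser vendor would need to document.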