[dnsdist] DnsDist Firefox Issue

Burak Ozalp burak.ozalp at metu.edu.tr
Fri Sep 4 10:25:42 UTC 2015


Hi Bert,

I actually tested in nearly all browsers, including Vivaldi, Opera and
Firefox version 38, and all reject TCP connections. Is it possible that
we are doing something wrong in the Lua script?

addLocal("0.0.0.0:53")                        -- listen on all interfaces, port 53
newServer{address="8.8.8.8"}                  -- backend the queries are forwarded to

addAction(MaxQPSIPRule(5000), DropAction())   -- drop a source IP once it exceeds 5000 qps

-- called for every incoming query; marks the header as a truncated response
-- (TC=1, QR=1) so the client is expected to retry over TCP; false = do not drop
function blockFilter(remote, qname, qtype, dh)
  dh:setTC(true)
  dh:setQR(true)
  return false
end

Thanks!

Best Regards

Burak Özalp

Quoting bert hubert <bert.hubert at netherlabs.nl>

> Burak,
>
> Thank you, but this is the place to report your issues:
>
> https://bugzilla.mozilla.org/enter_bug.cgi
> and
> https://support.google.com/chrome/answer/95315?hl=en
>
> We sadly can't support all software products on the planet from dnsdist ;-)
>
> 	Bert
>
>
> On Fri, Sep 04, 2015 at 09:23:38AM +0300, Burak Ozalp wrote:
>> Hi Bert
>>
>> Thank you for your interest. The pcap files of the Firefox and Chrome
>> DNS operations are attached.
>>
>> Best Regards
>> Burak Ozalp
>>
>> Quoting bert hubert <bert.hubert at netherlabs.nl>
>>
>> >On Thu, Sep 03, 2015 at 02:24:28PM +0300, Burak Ozalp wrote:
>> >>Actually, it only works for Chrome on Ubuntu. In Windows neither
>> >>Chrome nor Internet Explorer works with this configuration. What
>> >>could be the reason for this situation?
>> >
>> >Hi Burak,
>> >
>> >We estimate that this is an issue that Mozilla and Google might need to take
>> >a look at.
>> >
>> >We asked a friend at Mozilla and he suggests you file a very detailed bug
>> >with them, including a tcpdump that shows what happens (UDP query, TC=1
>> >response, no followup).
>> >
>> >On the dns-operations list we also discussed this issue you reported,
>> >https://lists.dns-oarc.net/pipermail/dns-operations/2015-September/013637.html
>> >where we learned that Firefox 38 at least on one platform does the right
>> >thing.
>> >
>> >	Bert
>> >
>> >
>> >
>> >>
>> >>Best Regards
>> >>Burak Özalp
>> >>
>> >>Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
>> >>
>> >>>
>> >>>
>> >>>Yes! It works. When we try with the Chrome browser it responds
>> >>>with the TC bit set and then it automatically retries over TCP (looks
>> >>>great). However, when we try with the Firefox browser, it only
>> >>>returns the response and does not try TCP.
>> >>>
>> >>>These are our related configurations:
>> >>>
>> >>>glibc version : 2.13-1
>> >>>Kernel version : 3.2.0-68-generic
>> >>>Firefox version: 40.0.3
>> >>>Chrome version: 43.0.2357.65
>> >>>--
>> >>>
>> >>>Best Regards
>> >>>Burak Ozalp
>> >>>
>> >>>
>> >>>
>> >>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>
>> >>>>On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
>> >>>>>Our problem is that we don't know the source address. Our aim is
>> >>>>>defence against DDoS attacks, so we should limit all the different
>> >>>>>IPs. As a result, when an attacker attacks our server, we need to
>> >>>>>not drop innocent requests.
>> >>>>
>> >>>>Ok, then do:
>> >>>>
>> >>>>addAction(MaxQPSIPRule(5), DropAction())
>> >>>>
>> >>>>On the latest packages. Limits each individual IP to 5 QPS, drops beyond
>> >>>>that.
>> >>>>
>> >>>>	Bert
>> >>>>
>> >>>>>
>> >>>>>Best Regards
>> >>>>>Burak Ozalp
>> >>>>>
>> >>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>
>> >>>>>>On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
>> >>>>>>>Hi Bert;
>> >>>>>>>
>> >>>>>>>AddQPS is the best option for us. Is it possible to apply
>> >>>>>>>addQPSLimit to individual IPs?
>> >>>>>>
>> >>>>>>Yes, as outlined in the documentation ->
>> >>>>>>https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
>> >>>>>>
>> >>>>>>You can add as many subnets as you want, or individual IPs etc.
>> >>>>>>
>> >>>>>>Good luck!
>> >>>>>>
>> >>>>>>	Bert
>> >>>>>>
>> >>>>>>>
>> >>>>>>>Best Regards
>> >>>>>>>Burak Ozalp
>> >>>>>>>
>> >>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>
>> >>>>>>>>On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>With the current version of the RPM I get no error. However,
>> >>>>>>>>>addAction(MaxQPSIPRule(5), NoRecurseAction()) didn't do its job.
>> >>>>>>>>>Should we use both addQPSLimit and addAction together for limiting
>> >>>>>>>>>an individual IP to 5 qps?
>> >>>>>>>>
>> >>>>>>>>No, addQPSLimit alone is fine. The addAction is only if you want to drop the
>> >>>>>>>>RD-bit for traffic that exceeds the QPS limit.
>> >>>>>>>>
>> >>>>>>>>	Bert
>> >>>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>_______________________________________________
>> >>>>>>>dnsdist mailing list
>> >>>>>>>dnsdist at mailman.powerdns.com
>> >>>>>>>http://mailman.powerdns.com/mailman/listinfo/dnsdist
>> >>>>>>>
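As an added example (not from this thread and not dnsdist code), a Python check over a constructed packet list that finds clients which received a TC=1 UDP reply and never retried the same query over TCP, which is exactly the evidence Bert asks to be put in the browser bug report; the (client, proto, direction, message) record layout and the sample messages are assumptions for the illustration.

```python
import struct
from collections import defaultdict

# Header flag bits (second 16-bit word of the DNS header, RFC 1035 4.1.1).
QR = 0x8000  # message is a response
TC = 0x0200  # message was truncated
RD = 0x0100  # recursion desired

def parse_header(msg):
    """Return (id, flags) from the 12-byte DNS header of a wire-format message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than a header")
    return struct.unpack("!HH", msg[:4])

def truncate_response(query):
    """Do to the header what the blockFilter above does: set QR and TC on the
    query and hand it back, so the client is expected to retry over TCP."""
    msg_id, flags = parse_header(query)
    return struct.pack("!HH", msg_id, flags | QR | TC) + query[4:]

def should_retry_over_tcp(response):
    """A conforming stub resolver retries over TCP when a UDP answer has TC=1."""
    _, flags = parse_header(response)
    return bool(flags & QR) and bool(flags & TC)

def clients_without_tcp_followup(records):
    """records: assumed (client, proto, direction, message) tuples pulled from a
    capture. Returns clients that received a TC=1 UDP response and never sent
    the same query id over TCP, i.e. the behaviour to report to the vendor."""
    truncated, tcp_ids = defaultdict(set), defaultdict(set)
    for client, proto, direction, msg in records:
        msg_id, flags = parse_header(msg)
        if proto == "udp" and direction == "in" and flags & QR and flags & TC:
            truncated[client].add(msg_id)
        elif proto == "tcp" and direction == "out":
            tcp_ids[client].add(msg_id)
    return sorted(c for c, ids in truncated.items() if not ids & tcp_ids[c])

# Constructed sample: a bare query header (id 0x1234, RD set, QDCOUNT=1) is enough
# for header-level analysis; "out" is client->server, "in" is server->client.
QUERY = struct.pack("!HHHHHH", 0x1234, RD, 1, 0, 0, 0)
TRUNC = truncate_response(QUERY)
SAMPLE = [
    ("10.0.0.1", "udp", "out", QUERY), ("10.0.0.1", "udp", "in", TRUNC),
    ("10.0.0.1", "tcp", "out", QUERY),   # this client retried over TCP
    ("10.0.0.2", "udp", "out", QUERY), ("10.0.0.2", "udp", "in", TRUNC),
    # 10.0.0.2 never retried: the Firefox-style behaviour seen in the thread
]

if __name__ == "__main__":
    print("no TCP follow-up:", clients_without_tcp_followup(SAMPLE))
```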