[dnsdist] DnsDist Firefox Issue

Burak Ozalp burak.ozalp at metu.edu.tr
Tue Sep 29 08:18:15 UTC 2015


Hi Bert,

Actually, I solved the whole issue! The point is that I checked the
pcap files and understood that the RA bit (Recursion Available bit)
differs.

Then I changed dnsdist-lua.cc first and added the following lines to
add setRA functionality to dnsdist:

   // expose dnsheader::ra to Lua so the config can call dh:setRA(true)
   g_lua.registerFunction<void(dnsheader::*)(bool)>("setRA",
     [](dnsheader& dh, bool v) {
       dh.ra = v;
     });

Then I added a single line to dnsdistconf.lua (dh:setRA(true)).

Finally, it worked for all browsers (Chrome, Firefox, Opera, etc.) without
any problems.

I think if you add the setRA function to the master branch and create repos
for RPM, it would be great!

Thanks.

Best Regards
Burak Ozalp

Quoting bert hubert <bert.hubert at netherlabs.nl>

> On Fri, Sep 04, 2015 at 01:25:42PM +0300, Burak Ozalp wrote:
>> I actually tested in nearly all browsers, including
>> Vivaldi, Opera and Firefox version 38, and all reject TCP connections. Is
>> it possible that we are doing something wrong in the Lua script?
>
> I checked your PCAP, everything is perfect there. I think the browsers are
> just not cooperating, or perhaps a firewall is preventing them from reaching
> your server on TCP?
>
> 	Bert
>
>>
>> addLocal("0.0.0.0:53")
>> newServer{address="8.8.8.8"}
>>
>> -- drop any source address that exceeds 5000 queries per second
>> addAction(MaxQPSIPRule(5000), DropAction())
>>
>> -- answer every UDP query with its own header turned into a truncated
>> -- response (QR=1, TC=1) so the client retries over TCP
>> function blockFilter(remote, qname, qtype, dh)
>>         dh:setTC(true)
>>         dh:setQR(true)
>>         return false   -- false: do not drop the query
>> end
>>
>> Thanks!
>>
>> Best Regards
>>
>> Burak Özalp
>>
>> Quoting bert hubert <bert.hubert at netherlabs.nl>
>>
>> >Burak,
>> >
>> >Thank you, but this is the place to report your issues:
>> >
>> >https://bugzilla.mozilla.org/enter_bug.cgi
>> >and
>> >https://support.google.com/chrome/answer/95315?hl=en
>> >
>> >We sadly can't support all software products on the planet from dnsdist ;-)
>> >
>> >	Bert
>> >
>> >
>> >On Fri, Sep 04, 2015 at 09:23:38AM +0300, Burak Ozalp wrote:
>> >>Hi Bert
>> >>
>> >>Thank you for your interest. The pcap files of the Firefox and Chrome
>> >>DNS operations are attached.
>> >>
>> >>Best Regards
>> >>Burak Ozalp
>> >>
>> >>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>
>> >>>On Thu, Sep 03, 2015 at 02:24:28PM +0300, Burak Ozalp wrote:
>> >>>>Actually, it only works for Ubuntu-Chrome.. In Windows neither
>> >>>>Chrome nor Internet Explorer works with these configuration. What
>> >>>>could be the reason of this situation ?
>> >>>
>> >>>Hi Burak,
>> >>>
>> >>>We estimate that this is an issue that Mozilla and Google might need to take
>> >>>a look at.
>> >>>
>> >>>We asked a friend at Mozilla and he suggests you file a very detailed bug
>> >>>with them, including a tcpdump that shows what happens (UDP query, TC=1
>> >>>response, no followup).
>> >>>
>> >>>On the dns-operations list we also discussed this issue you reported,
>> >>>https://lists.dns-oarc.net/pipermail/dns-operations/2015-September/013637.html
>> >>>where we learned that Firefox 38 at least on one platform does the right
>> >>>thing.
>> >>>
>> >>>	Bert
>> >>>
>> >>>
>> >>>
>> >>>>
>> >>>>Best Regards
>> >>>>Burak Özalp
>> >>>>
>> >>>>Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
>> >>>>
>> >>>>>
>> >>>>>
>> >>>>>Yes! It works. When we try with the Chrome browser it responds
>> >>>>>with the TC-bit set and then it automatically retries over TCP (looks
>> >>>>>great). However, when we try with the Firefox browser, it only
>> >>>>>returns the response and does not try TCP.
>> >>>>>
>> >>>>>This is our related configurations;
>> >>>>>
>> >>>>>glibc version : 2.13-1
>> >>>>>Kernel version : 3.2.0-68-generic
>> >>>>>Firefox version: 40.0.3
>> >>>>>Chrome version: 43.0.2357.65
>> >>>>>--
>> >>>>>
>> >>>>>Best Regards
>> >>>>>Burak Ozalp
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>
>> >>>>>>On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
>> >>>>>>>Our problem is that we don't know the source address. Our aim is
>> >>>>>>>defence against DDoS attacks; we should limit all the different
>> >>>>>>>IPs. As a result, when an attacker attacks our server, we need to
>> >>>>>>>not drop innocent requests.
>> >>>>>>
>> >>>>>>Ok, then do:
>> >>>>>>
>> >>>>>>addAction(MaxQPSIPRule(5), DropAction())
>> >>>>>>
>> >>>>>>On the latest packages. Limits each individual IP to 5 QPS, drops beyond
>> >>>>>>that.
>> >>>>>>
>> >>>>>>	Bert
>> >>>>>>
>> >>>>>>>
>> >>>>>>>Best Regards
>> >>>>>>>Burak Ozalp
>> >>>>>>>
>> >>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>
>> >>>>>>>>On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>Hi Bert;
>> >>>>>>>>>
>> >>>>>>>>>AddQPS is the best option for us. Is it possible to apply
>> >>>>>>>>>addQPSLimit for individual IPs?
>> >>>>>>>>
>> >>>>>>>>Yes, as outlined in the documentation ->
>> >>>>>>>>https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
>> >>>>>>>>
>> >>>>>>>>You can add as many subnets as you want, or individual IPs etc.
>> >>>>>>>>
>> >>>>>>>>Good luck!
>> >>>>>>>>
>> >>>>>>>>	Bert
>> >>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>Best Regards
>> >>>>>>>>>Burak Ozalp
>> >>>>>>>>>
>> >>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>>>
>> >>>>>>>>>>On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>>>With the current version of the RPM I get no error. However,
>> >>>>>>>>>>>addAction(MaxQPSIPRule(5), NoRecurseAction()) didn't do its job.
>> >>>>>>>>>>>Should we use both addQPSLimit and addAction together for limiting
>> >>>>>>>>>>>an individual IP to 5 qps?
>> >>>>>>>>>>
>> >>>>>>>>>>No, addQPSLimit alone is fine. The addAction is only if you
>> >>>>>>>>>>want to drop the
>> >>>>>>>>>>RD-bit for traffic that exceeds the QPS limit.
>> >>>>>>>>>>
>> >>>>>>>>>>	Bert
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>_______________________________________________
>> >>>>>>>>>dnsdist mailing list
>> >>>>>>>>>dnsdist at mailman.powerdns.com
>> >>>>>>>>>http://mailman.powerdns.com/mailman/listinfo/dnsdist
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>
>> >>
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
>
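The header manipulation this thread converges on, as an added example that is not code from the thread or from the PowerDNS project: it builds a UDP query, applies the thread's policy (drop sources above a per-IP QPS limit, bounce everyone else to TCP by setting QR and TC on the query's own header) and shows the RA bit being set or left clear, which is the difference Burak found in his pcaps. The function and class names (bounce_to_tcp, handle_udp_query, encode_name, and a MaxQPSIPRule stand-in), the sample query for example.com. and the 192.0.2.x source addresses are all constructed for the example; the rate limiter uses a fixed one-second window, an assumed simplification of dnsdist's real rule.

```python
"""Raw DNS header view of the dnsdist 'bounce to TCP' setup from the thread.

Added example; not dnsdist code.  The MaxQPSIPRule class here is a
simplified stand-in (fixed one-second window) for dnsdist's rule.
"""
import struct
from collections import defaultdict

# DNS header (RFC 1035, section 4.1.1):
# id, flags, qdcount, ancount, nscount, arcount, all 16-bit big-endian.
HEADER = struct.Struct("!HHHHHH")

# Bits of the 16-bit flags word.
QR = 1 << 15   # 0 = query, 1 = response
TC = 1 << 9    # truncated: client is expected to retry over TCP
RD = 1 << 8    # recursion desired (set by the client)
RA = 1 << 7    # recursion available (set by a recursive server)
RCODE_MASK = 0xF


def parse_flags(pkt):
    """Return the QR/TC/RD/RA bits and RCODE of a DNS packet as a dict."""
    flags = HEADER.unpack_from(pkt)[1]
    return {
        "qr": bool(flags & QR),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
    }


def encode_name(name):
    """Encode a dotted name in DNS label format (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(txid, qname, qtype=1, rd=True):
    """Build a minimal UDP query (constructed input for the example)."""
    flags = RD if rd else 0
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + question


def bounce_to_tcp(query, set_ra):
    """Turn the query into a 'retry over TCP' reply by editing only its
    header, as dh:setQR(true) / dh:setTC(true) / dh:setRA(true) do in the
    thread: ID, RD and the question section are kept, QR and TC are set,
    and RA is set only when set_ra is true."""
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(query)
    flags |= QR | TC
    if set_ra:
        flags |= RA
    return HEADER.pack(txid, flags, qd, an, ns, ar) + query[HEADER.size:]


class MaxQPSIPRule:
    """Per-source QPS rule over a fixed one-second window (assumed
    simplification of dnsdist's MaxQPSIPRule)."""

    def __init__(self, qps):
        self.qps = qps
        self.window = None
        self.counts = defaultdict(int)

    def matches(self, src, now):
        """True once `src` has sent more than `qps` queries this second."""
        second = int(now)
        if second != self.window:
            self.window = second
            self.counts.clear()
        self.counts[src] += 1
        return self.counts[src] > self.qps


def handle_udp_query(query, src, now, rule, set_ra=True):
    """Policy from the thread's config: drop sources over the QPS limit and
    bounce everyone else to TCP.  Returns ("drop", None) or ("bounce", pkt)."""
    if rule.matches(src, now):
        return "drop", None
    return "bounce", bounce_to_tcp(query, set_ra)


if __name__ == "__main__":
    rule = MaxQPSIPRule(qps=2)
    q = build_query(0x1234, "example.com.")
    for i in range(4):  # constructed burst from one source within a second
        action, reply = handle_udp_query(q, "192.0.2.1", 100.0 + 0.1 * i, rule)
        print(action, parse_flags(reply) if reply else None)
```

Note that the bounce keeps every byte after the header, so any EDNS OPT record the client sent is echoed back unchanged; the only thing the client should see differ between a "bad" and a "good" bounce is the RA bit.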