[dnsdist] DnsDist Firefox Issue

bert hubert bert.hubert at netherlabs.nl
Wed Sep 30 09:59:59 UTC 2015


On Tue, Sep 29, 2015 at 11:18:15AM +0300, Burak Ozalp wrote:
> Hi Bert,
> 
> Actually, I solved the whole issue! The point is that I checked the
> pcap files and understood that the RA bit (Recursion Available bit)
> differs.

Burak, thank you for investigating this!

I'm very confused now, the RA bit should've been set already!

Does your pcap show that dnsdist *dropped* the RA bit perhaps? Or we forgot
to set it on the TC=1 response? That might well be it.

Can you verify that assumption?

Thanks!

	Bert


> 
> Then I changed dnsdist-lua.cc first and added the following lines
> to add setRA functionality to dnsdist:
> 
>   g_lua.registerFunction<void(dnsheader::*)(bool)>("setRA", [](dnsheader& dh, bool v) {
>       dh.ra = v;
>     });
> 
> then I added a single line to dnsdistconf.lua ( dh:setRA(true) )
> 
> Finally, it worked for all browsers (Chrome, Firefox, Opera etc.)
> without any problems.
> 
> I think if you add the setRA function to the master branch and create repos
> for rpm, it would be great!
> 
> Thanks.
> 
> Best Regards
> Burak Ozalp
> 
> Quoting bert hubert <bert.hubert at netherlabs.nl>
> 
> >On Fri, Sep 04, 2015 at 01:25:42PM +0300, Burak Ozalp wrote:
> >>I actually tested in nearly all browsers, including
> >>Vivaldi, Opera and Firefox version 38, and all reject TCP connections. Is
> >>it possible that we do something wrong in the lua script?
> >
> >I checked your PCAP, everything is perfect there. I think the browsers are
> >just not cooperating, or perhaps a firewall is preventing them from reaching
> >your server on TCP?
> >
> >	Bert
> >
> >>
> >>addLocal("0.0.0.0:53")
> >>newServer{address="8.8.8.8"}
> >>
> >>addAction(MaxQPSIPRule(5000), DropAction())
> >>
> >>function blockFilter(remote, qname, qtype, dh)
> >>        dh:setTC(true)
> >>        dh:setQR(true)
> >>        return false
> >>end
> >>
> >>Thanks!
> >>
> >>Best Regards
> >>
> >>Burak Özalp
> >>
> >>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>
> >>>Burak,
> >>>
> >>>Thank you, but this is the place to report your issues:
> >>>
> >>>https://bugzilla.mozilla.org/enter_bug.cgi
> >>>and
> >>>https://support.google.com/chrome/answer/95315?hl=en
> >>>
> >>>We sadly can't support all software products on the planet from dnsdist ;-)
> >>>
> >>>	Bert
> >>>
> >>>
> >>>On Fri, Sep 04, 2015 at 09:23:38AM +0300, Burak Ozalp wrote:
> >>>>Hi Bert
> >>>>
> >>>>Thank you for your interest. Firefox and Chrome DNS operations'
> >>>>pcap files are attached.
> >>>>
> >>>>Best Regards
> >>>>Burak Ozalp
> >>>>
> >>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>
> >>>>>On Thu, Sep 03, 2015 at 02:24:28PM +0300, Burak Ozalp wrote:
> >>>>>>Actually, it only works for Ubuntu-Chrome. In Windows neither
> >>>>>>Chrome nor Internet Explorer works with this configuration. What
> >>>>>>could be the reason for this situation?
> >>>>>
> >>>>>Hi Burak,
> >>>>>
> >>>>>We estimate that this is an issue that Mozilla and Google might need to take
> >>>>>a look at.
> >>>>>
> >>>>>We asked a friend at Mozilla and he suggests you file a very detailed bug
> >>>>>with them, including a tcpdump that shows what happens (UDP query, TC=1
> >>>>>response, no followup).
> >>>>>
> >>>>>On the dns-operations list we also discussed this issue you reported,
> >>>>>https://lists.dns-oarc.net/pipermail/dns-operations/2015-September/013637.html
> >>>>>where we learned that Firefox 38 at least on one platform does the right
> >>>>>thing.
> >>>>>
> >>>>>	Bert
> >>>>>
> >>>>>
> >>>>>
> >>>>>>
> >>>>>>Best Regards
> >>>>>>Burak Özalp
> >>>>>>
> >>>>>>Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
> >>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>Yes! It works. When we try with the Chrome browser it responds
> >>>>>>>with the TC-bit set and then it automatically retries TCP (looks
> >>>>>>>great). However, when we try with the Firefox browser, it only
> >>>>>>>returns the response and does not try with TCP.
> >>>>>>>
> >>>>>>>These are our related configurations:
> >>>>>>>
> >>>>>>>glibc version: 2.13-1
> >>>>>>>Kernel version: 3.2.0-68-generic
> >>>>>>>Firefox version: 40.0.3
> >>>>>>>Chrome version: 43.0.2357.65
> >>>>>>>--
> >>>>>>>
> >>>>>>>Best Regards
> >>>>>>>Burak Ozalp
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>>>>
> >>>>>>>>On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
> >>>>>>>>>Our problem is that we don't know the source address. Our aim is
> >>>>>>>>>defence against DDoS attacks; we should limit all different
> >>>>>>>>>IPs. As a result, when an attacker attacks our server, we need to
> >>>>>>>>>avoid dropping innocent requests.
> >>>>>>>>
> >>>>>>>>Ok, then do:
> >>>>>>>>
> >>>>>>>>addAction(MaxQPSIPRule(5), DropAction())
> >>>>>>>>
> >>>>>>>>On the latest packages. Limits each individual IP to 5 QPS, drops beyond
> >>>>>>>>that.
> >>>>>>>>
> >>>>>>>>	Bert
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>>Best Regards
> >>>>>>>>>Burak Ozalp
> >>>>>>>>>
> >>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>>>>>>
> >>>>>>>>>>On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
> >>>>>>>>>>>Hi Bert;
> >>>>>>>>>>>
> >>>>>>>>>>>AddQPS is the best option for us. Is it possible to apply
> >>>>>>>>>>>addQPSLimit for individual IPs?
> >>>>>>>>>>
> >>>>>>>>>>Yes, as outlined in the documentation ->
> >>>>>>>>>>https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
> >>>>>>>>>>
> >>>>>>>>>>You can add as many subnets as you want, or individual IPs etc.
> >>>>>>>>>>
> >>>>>>>>>>Good luck!
> >>>>>>>>>>
> >>>>>>>>>>	Bert
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>Best Regards
> >>>>>>>>>>>Burak Ozalp
> >>>>>>>>>>>
> >>>>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>>>>>>>>
> >>>>>>>>>>>>On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
> >>>>>>>>>>>>>With the current version of RPM I get no error. However,
> >>>>>>>>>>>>>addAction(MaxQPSIPRule(5), NoRecurseAction()) didn't do its job.
> >>>>>>>>>>>>>Should we use both addQPSLimit and addAction together for limiting
> >>>>>>>>>>>>>an individual IP to 5 qps?
> >>>>>>>>>>>>
> >>>>>>>>>>>>No, addQPSLimit alone is fine. The addAction is only if you want to drop the
> >>>>>>>>>>>>RD-bit for traffic that exceeds the QPS limit.
> >>>>>>>>>>>>
> >>>>>>>>>>>>	Bert
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>_______________________________________________
> >>>>>>>>>>>dnsdist mailing list
> >>>>>>>>>>>dnsdist at mailman.powerdns.com
> >>>>>>>>>>>http://mailman.powerdns.com/mailman/listinfo/dnsdist
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> 
> 
> 
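As an added illustration of the header bits this thread turns on (my own example, not code from the thread or from dnsdist): it turns an RD=1 query into the empty TC=1 reply that the quoted blockFilter produces with dh:setTC(true)/dh:setQR(true), with and without the RA bit that Burak's setRA patch sets, and flags the TC=1/RA=0 pattern he found in his pcap. The query packet is constructed inline; whether a particular stub resolver retries over TCP on such a reply is left as an assumption for the reader to test against their own captures.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1), network byte order.
QR = 0x8000  # response
TC = 0x0200  # truncated, client should retry over TCP
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RD=1 UDP query for qname (constructed test input)."""
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in qname.rstrip(".").split(".")
    )
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def truncated_reply(query: bytes, set_ra: bool) -> bytes:
    """Answer a query with an empty TC=1 reply, as the blockFilter in the
    thread does; set_ra mirrors the added dh:setRA(true) call."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags |= QR | TC
    if set_ra:
        flags |= RA
    # Keep the question section and counts exactly as the client sent them.
    return struct.pack("!HH", txid, flags) + query[4:]


def header_flags(packet: bytes) -> dict:
    """Decode the flags word of a DNS packet into named bits."""
    flags = struct.unpack("!H", packet[2:4])[0]
    return {
        "qr": bool(flags & QR),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
    }


def tc_without_ra(packet: bytes) -> bool:
    """True for the reply pattern from Burak's pcap: a truncated response to an
    RD=1 query with RA cleared, which his setRA change removes."""
    f = header_flags(packet)
    return f["qr"] and f["tc"] and f["rd"] and not f["ra"]
```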



