[dnsdist] DnsDist Firefox Issue

Burak Ozalp burak.ozalp at metu.edu.tr
Wed Sep 30 10:31:55 UTC 2015


Dear Bert;

I double-checked the pcaps and you are right. When dnsdist is closed, the RA
bit equals 1. However, when I start the dnsdist service, the RA bit equals 0.

Probably there is a bug behind this.

You're welcome, thank you for your interest :)

Best Regards
Burak Özalp

Quoting bert hubert <bert.hubert at netherlabs.nl>

> On Tue, Sep 29, 2015 at 11:18:15AM +0300, Burak Ozalp wrote:
>> Hi Bert,
>>
>> Actually, I solved the whole issue! The point is that I checked the
>> pcap files and understood that the RA bit (RA, Recursion Available bit)
>> differs.
>
> Burak, thank you for investigating this!
>
> I'm very confused now, the RA bit should've been set already!
>
> Does your pcap show that dnsdist *dropped* the RA bit perhaps? Or we forgot
> to set it on the TC=1 response? That might well be it.
>
> Can you verify that assumption?
>
> Thanks!
>
> 	Bert
>
>
>>
>> Then I changed dnsdist-lua.cc first and added the following lines
>> to add setRA functionality to dnsdist:
>>
>>   g_lua.registerFunction<void(dnsheader::*)(bool)>("setRA",
>>     [](dnsheader& dh, bool v) {
>>       dh.ra = v;
>>     });
>>
>> then I added a single line to dnsdistconf.lua (dh:setRA(true)).
>>
>> Finally, it worked for all browsers(Chrome,Firefox,Opera etc.)
>> without any problems.
>>
>> I think if you add the setRA function to the master branch and create repos
>> for the RPM, it would be great!
>>
>> Thanks.
>>
>> Best Regards
>> Burak Ozalp
>>
>> Quoting bert hubert <bert.hubert at netherlabs.nl>
>>
>> >On Fri, Sep 04, 2015 at 01:25:42PM +0300, Burak Ozalp wrote:
>> >>I actually tested in nearly all browsers, including
>> >>Vivaldi, Opera and Firefox version 38, and all reject TCP connections. Is
>> >>it possible that we did something wrong in the Lua script?
>> >
>> >I checked your PCAP, everything is perfect there. I think the browsers are
>> >just not cooperating, or perhaps a firewall is preventing them from reaching
>> >your server on TCP?
>> >
>> >	Bert
>> >
>> >>
>> >>addLocal("0.0.0.0:53")
>> >>newServer{address="8.8.8.8"}
>> >>
>> >>addAction(MaxQPSIPRule(5000), DropAction())
>> >>
>> >>function blockFilter(remote, qname, qtype, dh)
>> >>        dh:setTC(true)
>> >>        dh:setQR(true)
>> >>        return false
>> >>end
>> >>
>> >>Thanks!
>> >>
>> >>Best Regards
>> >>
>> >>Burak Özalp
>> >>
>> >>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>
>> >>>Burak,
>> >>>
>> >>>Thank you, but this is the place to report your issues:
>> >>>
>> >>>https://bugzilla.mozilla.org/enter_bug.cgi
>> >>>and
>> >>>https://support.google.com/chrome/answer/95315?hl=en
>> >>>
>> >>>We sadly can't support all software products on the planet from dnsdist ;-)
>> >>>
>> >>>	Bert
>> >>>
>> >>>
>> >>>On Fri, Sep 04, 2015 at 09:23:38AM +0300, Burak Ozalp wrote:
>> >>>>Hi Bert
>> >>>>
>> >>>>Thank you for your interest. Firefox's and Chrome's DNS operation
>> >>>>pcap files are attached.
>> >>>>
>> >>>>Best Regards
>> >>>>Burak Ozalp
>> >>>>
>> >>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>
>> >>>>>On Thu, Sep 03, 2015 at 02:24:28PM +0300, Burak Ozalp wrote:
>> >>>>>>Actually, it only works for Ubuntu-Chrome. In Windows neither
>> >>>>>>Chrome nor Internet Explorer works with this configuration. What
>> >>>>>>could be the reason for this situation?
>> >>>>>
>> >>>>>Hi Burak,
>> >>>>>
>> >>>>>We estimate that this is an issue that Mozilla and Google might need to take
>> >>>>>a look at.
>> >>>>>
>> >>>>>We asked a friend at Mozilla and he suggests you file a very detailed bug
>> >>>>>with them, including a tcpdump that shows what happens (UDP query, TC=1
>> >>>>>response, no followup).
>> >>>>>
>> >>>>>On the dns-operations list we also discussed this issue you reported,
>> >>>>>https://lists.dns-oarc.net/pipermail/dns-operations/2015-September/013637.html
>> >>>>>where we learned that Firefox 38 at least on one platform does the right
>> >>>>>thing.
>> >>>>>
>> >>>>>	Bert
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>>
>> >>>>>>Best Regards
>> >>>>>>Burak Özalp
>> >>>>>>
>> >>>>>>Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
>> >>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>Yes! It works. When we try with the Chrome browser it responds
>> >>>>>>>with the TC-bit set and then it automatically retries over TCP (looks
>> >>>>>>>great). However, when we try with the Firefox browser, it only
>> >>>>>>>returns the response and does not retry over TCP.
>> >>>>>>>
>> >>>>>>>These are our related configurations:
>> >>>>>>>
>> >>>>>>>glibc version : 2.13-1
>> >>>>>>>Kernel version : 3.2.0-68-generic
>> >>>>>>>Firefox version: 40.0.3
>> >>>>>>>Chrome version: 43.0.2357.65
>> >>>>>>>--
>> >>>>>>>
>> >>>>>>>Best Regards
>> >>>>>>>Burak Ozalp
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>
>> >>>>>>>>On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>Our problem is that we don't know the source address. Our aim is the
>> >>>>>>>>>defence against DDoS attacks; we should limit all different
>> >>>>>>>>>IPs. As a result, when an attacker attacks our server, we need to
>> >>>>>>>>>not drop innocent requests.
>> >>>>>>>>
>> >>>>>>>>Ok, then do:
>> >>>>>>>>
>> >>>>>>>>addAction(MaxQPSIPRule(5), DropAction())
>> >>>>>>>>
>> >>>>>>>>On the latest packages. Limits each individual IP to 5 QPS, drops beyond
>> >>>>>>>>that.
>> >>>>>>>>
>> >>>>>>>>	Bert
>> >>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>Best Regards
>> >>>>>>>>>Burak Ozalp
>> >>>>>>>>>
>> >>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>>>
>> >>>>>>>>>>On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>>>Hi Bert;
>> >>>>>>>>>>>
>> >>>>>>>>>>>AddQPS is the best option for us. Is it possible to apply
>> >>>>>>>>>>>addQPSLimit to individual IPs?
>> >>>>>>>>>>
>> >>>>>>>>>>Yes, as outlined in the documentation ->
>> >>>>>>>>>>https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
>> >>>>>>>>>>
>> >>>>>>>>>>You can add as many subnets as you want, or individual IPs etc.
>> >>>>>>>>>>
>> >>>>>>>>>>Good luck!
>> >>>>>>>>>>
>> >>>>>>>>>>	Bert
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>Best Regards
>> >>>>>>>>>>>Burak Ozalp
>> >>>>>>>>>>>
>> >>>>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>>>>>
>> >>>>>>>>>>>>On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>>>>>With the current version of the RPM I get no error. However,
>> >>>>>>>>>>>>>addAction(MaxQPSIPRule(5), NoRecurseAction()) didn't do its job.
>> >>>>>>>>>>>>>Should we use both addQPSLimit and addAction together for limiting
>> >>>>>>>>>>>>>an individual IP to 5 qps?
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>No, addQPSLimit alone is fine. The addAction is only if you want to drop the
>> >>>>>>>>>>>>RD-bit for traffic that exceeds the QPS limit.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>	Bert
>> >>>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>_______________________________________________
>> >>>>>>>>>>>dnsdist mailing list
>> >>>>>>>>>>>dnsdist at mailman.powerdns.com
>> >>>>>>>>>>>http://mailman.powerdns.com/mailman/listinfo/dnsdist
>> >>>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >
>>
>>
>>
>
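Added example, not code from dnsdist or from anyone in this thread: the header manipulation the thread is about, written out in C++ together with the check Bert asked for. makeTruncatedResponse() turns a client's UDP query into the minimal TC=1 reply that sends the client to TCP, with a switch for whether RA is copied from RD (false reproduces the RA=0 reply Burak saw in his pcaps); checkTcResponse() is what one would run over a query/reply pair pulled from a capture to see whether the reply lost RA while the query carried RD. The query bytes are constructed here (example.com/IN/A, ID 0x1234, RD=1) and are not taken from the thread's pcaps; the function names are mine, not dnsdist's API.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

// Flag bits of the 16-bit flags word in the DNS header (RFC 1035 section 4.1.1).
constexpr uint16_t FLAG_QR = 0x8000;    // 1 = this packet is a response
constexpr uint16_t FLAG_AA = 0x0400;    // authoritative answer
constexpr uint16_t FLAG_TC = 0x0200;    // truncated: client should retry over TCP
constexpr uint16_t FLAG_RD = 0x0100;    // recursion desired (set by the client)
constexpr uint16_t FLAG_RA = 0x0080;    // recursion available (set by the server)
constexpr uint16_t MASK_RCODE = 0x000F; // response code in the low nibble

static uint16_t be16(const std::vector<uint8_t>& p, size_t off) {
    return static_cast<uint16_t>((p[off] << 8) | p[off + 1]);
}
static void put16(std::vector<uint8_t>& p, size_t off, uint16_t v) {
    p[off] = static_cast<uint8_t>(v >> 8);
    p[off + 1] = static_cast<uint8_t>(v & 0xFF);
}

// Constructed sample (not from the thread's pcaps): a stub resolver's query for
// example.com/IN/A with ID 0x1234 and RD=1.
std::vector<uint8_t> sampleQuery() {
    return {
        0x12, 0x34,             // ID
        0x01, 0x00,             // flags: QR=0, RD=1, everything else 0
        0x00, 0x01,             // QDCOUNT = 1
        0x00, 0x00, 0x00, 0x00, // ANCOUNT = 0, NSCOUNT = 0
        0x00, 0x00,             // ARCOUNT = 0
        7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, // QNAME
        0x00, 0x01,             // QTYPE A
        0x00, 0x01,             // QCLASS IN
    };
}

// Build the "go away and use TCP" reply from the client's own packet: same ID,
// same question section, QR=1 and TC=1. With mirrorRA the server copies RD into
// RA, which is what a recursive service normally answers; without it RA stays
// at the 0 a client sends, reproducing the reply Burak's browsers did not follow.
// Returns an empty vector for a packet shorter than a DNS header.
std::vector<uint8_t> makeTruncatedResponse(const std::vector<uint8_t>& query, bool mirrorRA) {
    if (query.size() < 12) return {};
    std::vector<uint8_t> resp(query);        // question (and any OPT) echoed unchanged
    uint16_t flags = be16(resp, 2);
    flags |= FLAG_QR | FLAG_TC;              // a response, and a truncated one
    flags &= static_cast<uint16_t>(~(FLAG_AA | MASK_RCODE)); // not authoritative, NOERROR
    if (mirrorRA) {
        if (flags & FLAG_RD) flags |= FLAG_RA;
        else flags &= static_cast<uint16_t>(~FLAG_RA);
    }
    put16(resp, 2, flags);
    return resp;
}

// The check Bert asked for: given the UDP query and the TC=1 reply seen on the
// wire, say why a stub might not accept the reply. Empty string means it looks fine.
std::string checkTcResponse(const std::vector<uint8_t>& query, const std::vector<uint8_t>& resp) {
    if (query.size() < 12 || resp.size() < 12) return "short packet";
    if (be16(query, 0) != be16(resp, 0)) return "ID mismatch";
    uint16_t qf = be16(query, 2);
    uint16_t rf = be16(resp, 2);
    if (!(rf & FLAG_QR)) return "QR not set: reply still looks like a query";
    if (!(rf & FLAG_TC)) return "TC not set: client will not retry over TCP";
    if ((qf & FLAG_RD) && !(rf & FLAG_RA)) return "RD=1 in query but RA=0 in reply";
    return "";
}

int main() {
    std::vector<uint8_t> q = sampleQuery();
    for (bool mirror : {true, false}) {
        std::vector<uint8_t> r = makeTruncatedResponse(q, mirror);
        std::string why = checkTcResponse(q, r);
        std::printf("mirrorRA=%d flags=0x%04x -> %s\n", static_cast<int>(mirror),
                    static_cast<unsigned>(be16(r, 2)), why.empty() ? "ok" : why.c_str());
    }
    return 0;
}
```

Build with `g++ -std=c++11 tc_ra.cpp -o tc_ra && ./tc_ra`. The mirrored reply comes out as flags 0x8380 (QR, TC, RD, RA) and passes the check; the unmirrored one is 0x8300 and is flagged "RD=1 in query but RA=0 in reply", which is the difference Burak found between dnsdist stopped and dnsdist running. When a TC=1 reply is generated at the edge rather than by the recursor behind it, RA has to be set by that edge code itself, since nothing downstream will add it.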





