[dnsdist] DnsDist Firefox Issue

bert hubert bert.hubert at netherlabs.nl
Wed Sep 30 11:31:24 UTC 2015


Can you check https://repo.powerdns.com/ and the repos there? I see the RPMs
ready.

	Bert

On Wed, Sep 30, 2015 at 02:18:27PM +0300, Burak Ozalp wrote:
> Great!
> 
> Thank you Bert, it works on Ubuntu, could you please build the new
> rpm package?
> 
> Best Regards
> Burak Ozalp
> Quoting bert hubert <bert.hubert at netherlabs.nl>
> 
> >https://github.com/PowerDNS/pdns/commit/bde3ab9654b1a33a6a250bf053c8f8ba044f67e8
> >has the fix, thank you!
> >
> >	Bert
> >
> >On Wed, Sep 30, 2015 at 01:31:55PM +0300, Burak Ozalp wrote:
> >>Dear Bert;
> >>
> >>I double-checked the pcaps and you are right. When dnsdist is closed, the RA
> >>bit equals 1. However, when I start the dnsdist service, the RA bit equals
> >>0.
> >>
> >>Probably there is some bug about this issue.
> >>
> >>You're welcome, thank you for your interest :)
> >>
> >>Best Regards
> >>Burak Özalp
> >>
> >>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>
> >>>On Tue, Sep 29, 2015 at 11:18:15AM +0300, Burak Ozalp wrote:
> >>>>Hi Bert,
> >>>>
> >>>>Actually, I solved the whole issue! The point is that I checked the
> >>>>pcap files and understood that the RA bit (RA, Recursion Available bit)
> >>>>differs.
> >>>
> >>>Burak, thank you for investigating this!
> >>>
> >>>I'm very confused now, the RA bit should've been set already!
> >>>
> >>>Does your pcap show that dnsdist *dropped* the RA bit perhaps? Or we forgot
> >>>to set it on the TC=1 response? That might well be it.
> >>>
> >>>Can you verify that assumption?
> >>>
> >>>Thanks!
> >>>
> >>>	Bert
> >>>
> >>>
> >>>>
> >>>>Then I changed dnsdist-lua.cc first and added the following lines
> >>>>to add setRA functionality to dnsdist:
> >>>>
> >>>>  g_lua.registerFunction<void(dnsheader::*)(bool)>("setRA",
> >>>>      [](dnsheader& dh, bool v) {
> >>>>        dh.ra = v;
> >>>>      });
> >>>>
> >>>>then I added a single line to dnsdistconf.lua ( dh:setRA(true) )
> >>>>
> >>>>Finally, it worked for all browsers (Chrome, Firefox, Opera etc.)
> >>>>without any problems.
> >>>>
> >>>>I think if you add setRA function to master branch and create repos
> >>>>for rpm, it would be great!
> >>>>
> >>>>Thanks.
> >>>>
> >>>>Best Regards
> >>>>Burak Ozalp
> >>>>
> >>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>
> >>>>>On Fri, Sep 04, 2015 at 01:25:42PM +0300, Burak Ozalp wrote:
> >>>>>>I actually tested in nearly all browsers, including
> >>>>>>Vivaldi-Opera-Firefox version 38, and all reject TCP connections. Is
> >>>>>>it possible that we do something wrong in the lua script?
> >>>>>
> >>>>>I checked your PCAP, everything is perfect there. I think the
> >>>>>browsers are just not cooperating, or perhaps a firewall is
> >>>>>preventing them from reaching your server on TCP?
> >>>>>
> >>>>>	Bert
> >>>>>
> >>>>>>
> >>>>>>addLocal("0.0.0.0:53")
> >>>>>>newServer{address="8.8.8.8"}
> >>>>>>
> >>>>>>addAction(MaxQPSIPRule(5000), DropAction())
> >>>>>>
> >>>>>>function blockFilter(remote, qname, qtype, dh)
> >>>>>>        dh:setTC(true)
> >>>>>>        dh:setQR(true)
> >>>>>>        return false
> >>>>>>end
> >>>>>>
> >>>>>>Thanks!
> >>>>>>
> >>>>>>Best Regards
> >>>>>>
> >>>>>>Burak Özalp
> >>>>>>
> >>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>>>
> >>>>>>>Burak,
> >>>>>>>
> >>>>>>>Thank you, but this is the place to report your issues:
> >>>>>>>
> >>>>>>>https://bugzilla.mozilla.org/enter_bug.cgi
> >>>>>>>and
> >>>>>>>https://support.google.com/chrome/answer/95315?hl=en
> >>>>>>>
> >>>>>>>We sadly can't support all software products on the planet
> >>>>>>>from dnsdist ;-)
> >>>>>>>
> >>>>>>>	Bert
> >>>>>>>
> >>>>>>>
> >>>>>>>On Fri, Sep 04, 2015 at 09:23:38AM +0300, Burak Ozalp wrote:
> >>>>>>>>Hi Bert
> >>>>>>>>
> >>>>>>>>Thank you for your interest. The pcap files of the Firefox and Chrome
> >>>>>>>>DNS operations are attached.
> >>>>>>>>
> >>>>>>>>Best Regards
> >>>>>>>>Burak Ozalp
> >>>>>>>>
> >>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>>>>>
> >>>>>>>>>On Thu, Sep 03, 2015 at 02:24:28PM +0300, Burak Ozalp wrote:
> >>>>>>>>>>Actually, it only works for Ubuntu-Chrome. In Windows, neither
> >>>>>>>>>>Chrome nor Internet Explorer works with this configuration. What
> >>>>>>>>>>could be the reason for this situation?
> >>>>>>>>>
> >>>>>>>>>Hi Burak,
> >>>>>>>>>
> >>>>>>>>>We estimate that this is an issue that Mozilla and Google might
> >>>>>>>>>need to take a look at.
> >>>>>>>>>
> >>>>>>>>>We asked a friend at Mozilla and he suggests you file a very
> >>>>>>>>>detailed bug with them, including a tcpdump that shows what
> >>>>>>>>>happens (UDP query, TC=1 response, no followup).
> >>>>>>>>>
> >>>>>>>>>On the dns-operations list we also discussed this issue you reported,
> >>>>>>>>>https://lists.dns-oarc.net/pipermail/dns-operations/2015-September/013637.html
> >>>>>>>>>where we learned that Firefox 38 at least on one platform
> >>>>>>>>>does the right thing.
> >>>>>>>>>
> >>>>>>>>>	Bert
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>Best Regards
> >>>>>>>>>>Burak Özalp
> >>>>>>>>>>
> >>>>>>>>>>Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>Yes! It works. When we try with the Chrome browser, it responds
> >>>>>>>>>>>with the TC bit set and then automatically retries over TCP (looks
> >>>>>>>>>>>great). However, when we try with the Firefox browser, it only
> >>>>>>>>>>>returns the response and does not try TCP.
> >>>>>>>>>>>
> >>>>>>>>>>>These are our related configurations:
> >>>>>>>>>>>
> >>>>>>>>>>>glibc version : 2.13-1
> >>>>>>>>>>>Kernel version : 3.2.0-68-generic
> >>>>>>>>>>>Firefox version: 40.0.3
> >>>>>>>>>>>Chrome version: 43.0.2357.65
> >>>>>>>>>>>--
> >>>>>>>>>>>
> >>>>>>>>>>>Best Regards
> >>>>>>>>>>>Burak Ozalp
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>>>>>>>>
> >>>>>>>>>>>>On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
> >>>>>>>>>>>>>Our problem is that we don't know the source address.
> >>>>>>>>>>>>>Our aim is the defence against DDoS attacks, we should limit
> >>>>>>>>>>>>>for all different IPs. As a result, when an attacker attacks
> >>>>>>>>>>>>>our server, we need to not drop innocent requests.
> >>>>>>>>>>>>
> >>>>>>>>>>>>Ok, then do:
> >>>>>>>>>>>>
> >>>>>>>>>>>>addAction(MaxQPSIPRule(5), DropAction())
> >>>>>>>>>>>>
> >>>>>>>>>>>>On the latest packages. Limits each individual IP to 5
> >>>>>>>>>>>>QPS, drops beyond that.
> >>>>>>>>>>>>
> >>>>>>>>>>>>	Bert
> >>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>Best Regards
> >>>>>>>>>>>>>Burak Ozalp
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>>On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
> >>>>>>>>>>>>>>>Hi Bert;
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>AddQPS is the best option for us. Is it possible to apply
> >>>>>>>>>>>>>>>addQPSLimit for individual IPs?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>Yes, as outlined in the documentation ->
> >>>>>>>>>>>>>>https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>You can add as many subnets as you want, or individual IPs etc.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>Good luck!
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>	Bert
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>Best Regards
> >>>>>>>>>>>>>>>Burak Ozalp
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
> >>>>>>>>>>>>>>>>>With the current version of RPM I get no error. However,
> >>>>>>>>>>>>>>>>>addAction(MaxQPSIPRule(5), NoRecurseAction()) didn't do
> >>>>>>>>>>>>>>>>>its job. Should we use both addQPSLimit and addAction
> >>>>>>>>>>>>>>>>>together for limiting an individual IP to 5 qps?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>No, addQPSLimit alone is fine. The addAction is only if you
> >>>>>>>>>>>>>>>>want to drop the RD-bit for traffic that exceeds the QPS limit.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>	Bert
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>_______________________________________________
> >>>>>>>>>>>>>>>dnsdist mailing list
> >>>>>>>>>>>>>>>dnsdist at mailman.powerdns.com
> >>>>>>>>>>>>>>>http://mailman.powerdns.com/mailman/listinfo/dnsdist
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >
> 
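The thread turns on one header bit: dnsdist's blockFilter answered over UDP with QR=1 and TC=1 so that clients would retry over TCP, but the synthesized reply carried RA=0, and several stub resolvers (Firefox, the Windows browsers) then never retried. The following is an added example, not dnsdist's or PowerDNS's code: it decodes the 12-byte DNS header with the standard library, builds the same kind of truncated reply with and without RA, and runs the check a practitioner would want to apply to a captured response before blaming the client. The query it uses is constructed inline; the function names are my own.

```python
"""Added example (not dnsdist code): DNS header flags, a synthesized TC=1
reply, and a check for the missing-RA defect discussed in the thread."""
import struct

# 16-bit flags field of the DNS header (RFC 1035, section 4.1.1).
QR = 0x8000  # 1 = response
TC = 0x0200  # 1 = truncated, client should retry over TCP
RD = 0x0100  # recursion desired (copied from the query)
RA = 0x0080  # recursion available (the bit that was missing)


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(pkt) < 12:
        raise ValueError("DNS message shorter than its header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_query(qname: str, ident: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive A/IN query for qname."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    header = struct.pack("!HHHHHH", ident, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def truncated_reply(query: bytes, set_ra: bool) -> bytes:
    """Build the minimal TC=1 reply the thread's blockFilter produces:
    same ID, QR=1, TC=1, question echoed, no answer records.
    set_ra=False reproduces the pre-fix behaviour (RA cleared)."""
    ident, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags |= QR | TC
    if set_ra:
        flags |= RA
    else:
        flags &= ~RA & 0xFFFF
    return struct.pack("!HHHHHH", ident, flags, qd, 0, 0, 0) + query[12:]


def check_truncated_reply(reply: bytes) -> list:
    """Return the problems a stub resolver may trip over in a TC=1 reply.
    An empty list means the reply looks like one clients will retry on."""
    h = parse_header(reply)
    problems = []
    if not h["qr"]:
        problems.append("QR=0: reply would be discarded as a query")
    if h["tc"] and not h["ra"]:
        problems.append("TC=1 but RA=0: some stubs will not retry over TCP")
    if h["tc"] and h["qdcount"] == 0:
        problems.append("TC=1 with no question section echoed back")
    return problems


if __name__ == "__main__":
    q = build_query("example.com")
    for ra in (False, True):
        r = truncated_reply(q, set_ra=ra)
        print("RA set" if ra else "RA clear", "->", check_truncated_reply(r) or "ok")
```

To run the same check over a real capture, feed each UDP payload from the responding side (as extracted by scapy, dpkt or tshark) to check_truncated_reply; the RA=0 finding is exactly what the second pcap review in the thread turned up by hand.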