[dnsdist] DnsDist Firefox Issue

Burak Ozalp burak.ozalp at metu.edu.tr
Wed Sep 30 11:52:51 UTC 2015


Yes, here it is now.
Thanks

Quoting bert hubert <bert.hubert at netherlabs.nl>

> Can you check https://repo.powerdns.com/ and the repos there? I see the RPMs
> ready.
>
> 	Bert
>
> On Wed, Sep 30, 2015 at 02:18:27PM +0300, Burak Ozalp wrote:
>> Great!
>>
>> Thank you Bert, it works on Ubuntu. Could you please build the new
>> rpm package?
>>
>> Best Regards
>> Burak Ozalp
>> Quoting bert hubert <bert.hubert at netherlabs.nl>
>>
>> >https://github.com/PowerDNS/pdns/commit/bde3ab9654b1a33a6a250bf053c8f8ba044f67e8
>> >has the fix, thank you!
>> >
>> >	Bert
>> >
>> >On Wed, Sep 30, 2015 at 01:31:55PM +0300, Burak Ozalp wrote:
>> >>Dear Bert;
>> >>
>> >>I double-checked the pcaps and you are right. When dnsdist is closed, the RA
>> >>bit equals 1. However, when I start the dnsdist service, the RA bit equals
>> >>0.
>> >>
>> >>Probably there is some bug about this issue.
>> >>
>> >>You're welcome, thank you for your interest :)
>> >>
>> >>Best Regards
>> >>Burak Özalp
>> >>
>> >>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>
>> >>>On Tue, Sep 29, 2015 at 11:18:15AM +0300, Burak Ozalp wrote:
>> >>>>Hi Bert,
>> >>>>
>> >>>>Actually, I solved the whole issue! The point is that I checked the
>> >>>>pcap files and understood that the RA bit (RA, Recursion Available bit)
>> >>>>differs.
>> >>>
>> >>>Burak, thank you for investigating this!
>> >>>
>> >>>I'm very confused now, the RA bit should've been set already!
>> >>>
>> >>>Does your pcap show that dnsdist *dropped* the RA bit perhaps? Or we forgot
>> >>>to set it on the TC=1 response? That might well be it.
>> >>>
>> >>>Can you verify that assumption?
>> >>>
>> >>>Thanks!
>> >>>
>> >>>	Bert
>> >>>
>> >>>
>> >>>>
>> >>>>Then I first changed dnsdist-lua.cc and added the following lines
>> >>>>to add setRA functionality to dnsdist:
>> >>>>
>> >>>>  // expose dh:setRA(bool) to the Lua config so a filter can set the RA bit
>> >>>>  g_lua.registerFunction<void(dnsheader::*)(bool)>("setRA",
>> >>>>    [](dnsheader& dh, bool v) {
>> >>>>      dh.ra=v;
>> >>>>    });
>> >>>>
>> >>>>then I added a single line to dnsdistconf.lua ( dh:setRA(true) )
>> >>>>
>> >>>>Finally, it worked for all browsers (Chrome, Firefox, Opera etc.)
>> >>>>without any problems.
>> >>>>
>> >>>>I think if you add the setRA function to the master branch and create repos
>> >>>>for rpm, it would be great!
>> >>>>
>> >>>>Thanks.
>> >>>>
>> >>>>Best Regards
>> >>>>Burak Ozalp
>> >>>>
>> >>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>
>> >>>>>On Fri, Sep 04, 2015 at 01:25:42PM +0300, Burak Ozalp wrote:
>> >>>>>>I actually tested in nearly all browsers, including
>> >>>>>>Vivaldi, Opera and Firefox version 38, and all reject TCP connections. Is
>> >>>>>>it possible that we do something wrong in the lua script?
>> >>>>>
>> >>>>>I checked your PCAP, everything is perfect there. I think the browsers are
>> >>>>>just not cooperating, or perhaps a firewall is preventing them from reaching
>> >>>>>your server on TCP?
>> >>>>>
>> >>>>>	Bert
>> >>>>>
>> >>>>>>
>> >>>>>>addLocal("0.0.0.0:53")         -- listen for queries on all addresses, port 53
>> >>>>>>newServer{address="8.8.8.8"}   -- backend to forward queries to
>> >>>>>>
>> >>>>>>-- drop queries from any single client IP above 5000 queries per second
>> >>>>>>addAction(MaxQPSIPRule(5000), DropAction())
>> >>>>>>
>> >>>>>>-- bounce each UDP query back as a truncated response so the client retries over TCP
>> >>>>>>function blockFilter(remote, qname, qtype, dh)
>> >>>>>>        dh:setTC(true)   -- TC bit: answer is truncated
>> >>>>>>        dh:setQR(true)   -- QR bit: mark the packet as a response
>> >>>>>>        return false
>> >>>>>>end
>> >>>>>>
>> >>>>>>Thanks!
>> >>>>>>
>> >>>>>>Best Regards
>> >>>>>>
>> >>>>>>Burak Özalp
>> >>>>>>
>> >>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>
>> >>>>>>>Burak,
>> >>>>>>>
>> >>>>>>>Thank you, but this is the place to report your issues:
>> >>>>>>>
>> >>>>>>>https://bugzilla.mozilla.org/enter_bug.cgi
>> >>>>>>>and
>> >>>>>>>https://support.google.com/chrome/answer/95315?hl=en
>> >>>>>>>
>> >>>>>>>We sadly can't support all software products on the planet from dnsdist ;-)
>> >>>>>>>
>> >>>>>>>	Bert
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>On Fri, Sep 04, 2015 at 09:23:38AM +0300, Burak Ozalp wrote:
>> >>>>>>>>Hi Bert
>> >>>>>>>>
>> >>>>>>>>Thank you for your interest. Firefox and Chrome DNS operations' pcap
>> >>>>>>>>files are attached.
>> >>>>>>>>
>> >>>>>>>>Best Regards
>> >>>>>>>>Burak Ozalp
>> >>>>>>>>
>> >>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>>
>> >>>>>>>>>On Thu, Sep 03, 2015 at 02:24:28PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>>Actually, it only works for Ubuntu-Chrome. In Windows neither
>> >>>>>>>>>>Chrome nor Internet Explorer works with this configuration. What
>> >>>>>>>>>>could be the reason for this situation?
>> >>>>>>>>>
>> >>>>>>>>>Hi Burak,
>> >>>>>>>>>
>> >>>>>>>>>We estimate that this is an issue that Mozilla and Google might need to take
>> >>>>>>>>>a look at.
>> >>>>>>>>>
>> >>>>>>>>>We asked a friend at Mozilla and he suggests you file a very detailed bug
>> >>>>>>>>>with them, including a tcpdump that shows what happens (UDP query, TC=1
>> >>>>>>>>>response, no followup).
>> >>>>>>>>>
>> >>>>>>>>>On the dns-operations list we also discussed this issue you reported,
>> >>>>>>>>>https://lists.dns-oarc.net/pipermail/dns-operations/2015-September/013637.html
>> >>>>>>>>>where we learned that Firefox 38 at least on one platform does the right
>> >>>>>>>>>thing.
>> >>>>>>>>>
>> >>>>>>>>>	Bert
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>Best Regards
>> >>>>>>>>>>Burak Özalp
>> >>>>>>>>>>
>> >>>>>>>>>>Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>Yes! It works. When we try with the Chrome browser it responds
>> >>>>>>>>>>>with the TC bit set and then it automatically retries TCP (looks
>> >>>>>>>>>>>great). However, when we try with the Firefox browser, it only
>> >>>>>>>>>>>returns the response and does not try with TCP.
>> >>>>>>>>>>>
>> >>>>>>>>>>>These are our related configurations:
>> >>>>>>>>>>>
>> >>>>>>>>>>>glibc version: 2.13-1
>> >>>>>>>>>>>Kernel version: 3.2.0-68-generic
>> >>>>>>>>>>>Firefox version: 40.0.3
>> >>>>>>>>>>>Chrome version: 43.0.2357.65
>> >>>>>>>>>>>--
>> >>>>>>>>>>>
>> >>>>>>>>>>>Best Regards
>> >>>>>>>>>>>Burak Ozalp
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>>>>>
>> >>>>>>>>>>>>On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>>>>>Our problem is that we don't know the source address. Our aim is the
>> >>>>>>>>>>>>>defence against DDoS attacks; we should limit all the different
>> >>>>>>>>>>>>>IPs. As a result, when an attacker attacks our server, we need to
>> >>>>>>>>>>>>>not drop innocent requests.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>Ok, then do:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>addAction(MaxQPSIPRule(5), DropAction())
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>On the latest packages. Limits each individual IP to 5 QPS, drops beyond
>> >>>>>>>>>>>>that.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>	Bert
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>>Best Regards
>> >>>>>>>>>>>>>Burak Ozalp
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>>>On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>>>>>>>Hi Bert;
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>AddQPS is the best option for us. Is it possible to apply
>> >>>>>>>>>>>>>>>addQPSLimit for individual IPs?
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>Yes, as outlined in the documentation ->
>> >>>>>>>>>>>>>>https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>You can add as many subnets as you want, or individual IPs etc.
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>Good luck!
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>	Bert
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>Best Regards
>> >>>>>>>>>>>>>>>Burak Ozalp
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>>>>>>>>>With the current version of RPM I get no error. However,
>> >>>>>>>>>>>>>>>>>addAction(MaxQPSIPRule(5), NoRecurseAction()) didn't do its job.
>> >>>>>>>>>>>>>>>>>Should we use both addQPSLimit and addAction together for limiting
>> >>>>>>>>>>>>>>>>>an individual IP to 5 qps?
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>No, addQPSLimit alone is fine. The addAction is only if you want to drop the
>> >>>>>>>>>>>>>>>>RD-bit for traffic that exceeds the QPS limit.
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>	Bert
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>_______________________________________________
>> >>>>>>>>>>>>>>>dnsdist mailing list
>> >>>>>>>>>>>>>>>dnsdist at mailman.powerdns.com
>> >>>>>>>>>>>>>>>http://mailman.powerdns.com/mailman/listinfo/dnsdist
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >
>>
>
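An added example, not code from the thread or from dnsdist itself: this Python script builds a sample query, applies the header changes the blockFilter above makes (setQR, setTC) with and without the setRA fix, and decodes the flags, showing why the TC=1 reply came back with RA=0 until dh:setRA(true) was added. It assumes the truncated reply reuses the query header; build_query, truncate_response and diagnose are names of my own.

```python
import struct

# Flag bits of the 16-bit DNS header flags word (RFC 1035, section 4.1.1).
QR = 0x8000  # 1 = this packet is a response
TC = 0x0200  # truncated: the client should retry over TCP
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available

def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a plain RD=1 query (type A by default) for `name`."""
    header = struct.pack("!HHHHHH", ident, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into its id, flag bits and section counts."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": ident, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def truncate_response(query: bytes, set_ra: bool) -> bytes:
    """Model the thread's blockFilter: bounce the query back with QR and TC set.
    Assumption: the reply reuses the query header, whose RA bit is 0, so without
    set_ra the reply says TC=1, RA=0 (the header Burak found in his pcap);
    set_ra=True models the dh:setRA(true) line from the fix."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= QR | TC
    if set_ra:
        flags |= RA
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar) + query[12:]

def diagnose(reply: bytes) -> str:
    """Classify a reply the way someone reading the pcap in the thread would."""
    h = parse_header(reply)
    if not h["qr"]:
        return "not a response"
    if h["tc"] and not h["ra"]:
        return "TC=1 but RA=0: the thread's symptom, browsers did not fall back to TCP"
    if h["tc"]:
        return "TC=1 with RA=1: well-formed truncation, client should retry over TCP"
    return "not truncated"

if __name__ == "__main__":
    q = build_query(0x1234, "example.com")  # constructed sample query
    for label, reply in (("before fix", truncate_response(q, False)),
                         ("after fix", truncate_response(q, True))):
        print(label, parse_header(reply), diagnose(reply))
```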