[dnsdist] dnsdist, addAnyTCRule() matches for both UDP, and TCP

gregc at olypensupport.com gregc at olypensupport.com
Wed Jan 13 03:29:32 UTC 2016


The default addAnyTCRule() seems to add a match on qtype==ANY, informing dnsdist to truncate, and have client come back on TCP.
When the client does return on TCP(with dnsdist also listening on TCP), it again matches the rule, and the well behaving client does not get a response.

Removing the rule works as expected in TCP or UDP mode.

I don’t really see a way to add “PROTO == udp” with existing rulesets.  I am missing something?

It may be nice to add received interface, and protocol maybe?

That way if qtype==ANY && PROTO ==udp then action: tc=1 answer

Would also be nice to AddPoolRule based on destination interface.


Example:

DNSDIST:
> addAnyTCRule()
> showRules()
#     Matches Rule                                               Action
0           0 qtype==ANY                                         tc=1 answer


# dig @192.168.1.67 ANY google.com
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.1-P2 <<>> @192.168.1.67 ANY google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5037
;; flags: qr tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.                    IN      ANY


DNSDIST:
> showRules()
#     Matches Rule                                               Action
0           2 qtype==ANY                                         tc=1 answer


TCPDUMP:
19:12:31.373860 IP 192.168.1.48.51291 > 192.168.1.67.53: 30517+ ANY? google.com. (28)
19:12:31.373966 IP 192.168.1.67.53 > 192.168.1.48.51291: 30517-| 0/0/0 (28)
19:12:31.375826 IP 192.168.1.48.35744 > 192.168.1.67.53: Flags [S], seq 2895826786, win 14600, options [mss 1460,sackOK,TS val 2755684127 ecr 0,nop,wscale 4], length 0
19:12:31.375892 IP 192.168.1.67.53 > 192.168.1.48.35744: Flags [S.], seq 3796982548, ack 2895826787, win 28960, options [mss 1460,sackOK,TS val 325515277 ecr 2755684127,nop,wscale 7], length 0
19:12:31.376091 IP 192.168.1.48.35744 > 192.168.1.67.53: Flags [.], ack 1, win 913, options [nop,nop,TS val 2755684127 ecr 325515277], length 0
19:12:31.376396 IP 192.168.1.48.35744 > 192.168.1.67.53: Flags [P.], seq 1:31, ack 1, win 913, options [nop,nop,TS val 2755684127 ecr 325515277], length 305037+ ANY? google.com. (28)
19:12:31.376413 IP 192.168.1.67.53 > 192.168.1.48.35744: Flags [.], ack 31, win 227, options [nop,nop,TS val 325515277 ecr 2755684127], length 0
19:12:31.376457 IP 192.168.1.67.53 > 192.168.1.48.35744: Flags [P.], seq 1:3, ack 31, win 227, options [nop,nop,TS val 325515277 ecr 2755684127], length 2
19:12:31.376469 IP 192.168.1.67.53 > 192.168.1.48.35744: Flags [FP.], seq 3:31, ack 31, win 227, options [nop,nop,TS val 325515277 ecr 2755684127], length 2833536 [b2&3=0x1] [0q] [1639au] (26)
19:12:31.376562 IP 192.168.1.48.35744 > 192.168.1.67.53: Flags [.], ack 3, win 913, options [nop,nop,TS val 2755684127 ecr 325515277], length 0
19:12:31.386644 IP 192.168.1.48.35744 > 192.168.1.67.53: Flags [F.], seq 31, ack 32, win 913, options [nop,nop,TS val 2755684129 ecr 325515277], length 0
19:12:31.386654 IP 192.168.1.67.53 > 192.168.1.48.35744: Flags [.], ack 32, win 227, options [nop,nop,TS val 325515280 ecr 2755684129], length 0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20160112/be8fffca/attachment.html>


More information about the dnsdist mailing list