[dnsdist] EDNSOptionRule not triggering?

Remi Gacogne remi.gacogne at powerdns.com
Mon Aug 5 07:51:54 UTC 2019


Hi,

For the record, I managed to reproduce the issue thanks to Brian's help,
and a fix is available [1]. It only happens when the code of the EDNS
option is set to a very large value, which is why I failed to reproduce
it previously. It will be fixed in the next release.

[1]: https://github.com/PowerDNS/pdns/pull/8158

Best regards,

Remi

On 7/31/19 10:03 PM, Remi Gacogne wrote:
> On 7/31/19 9:47 PM, Brian Sullivan wrote:
>> Sure let me put something together with some generic data and send you the
>> trace. By the way, could you send me the rule you used? I tried a few known
>> EDNS Options and those did not work for me either. There isn't anything
>> that I need to enable for this to work?
> 
> I tested with:
> 
> addAction(EDNSOptionRule(10), DropAction())
> 
> and confirmed with dig that a query with a cookie is blocked, while a
> query without any cookie is allowed. I also tested a query with no
> cookie but with an EDNS Client Subnet option and this one was allowed as
> well.
> Note that we also have a regression test that checks that a query with
> an EDNS Client Subnet option is dropped instead:
> 
> https://github.com/PowerDNS/pdns/blob/master/regression-tests.dnsdist/test_Advanced.py#L1536
> 
>> Depending on timing I may not get to this before Friday my time.
> 
> Understood, thank you!
> 
> Remi
> 
>> On Wed, Jul 31, 2019 at 3:36 PM Remi Gacogne <remi.gacogne at powerdns.com>
>> wrote:
>>
>>> Hi Brian,
>>>
>>> On 7/31/19 6:57 PM, Brian Sullivan wrote:
>>>> I am using dnsdist 1.4.0-beta1 and am trying to detect queries that are
>>>> using a local/experimental optcode. For example, I have the following in
>>>> the dnsdist.conf file.
>>>>
>>>> addAction(EDNSOptionRule(65002), DropAction())
>>>>
>>>> and I see the rule in the webserver.
>>>>
>>>> and I sent a query with the EDNS Option and it doesn't get dropped. I know
>>>> this because I have a Lua script associated with the pdns recursor that is
>>>> processing that specific option.
>>>>
>>>> Lua snippet
>>>>       -- Special Code is in EDNS Option 65002
>>>>       local specialcode = dq:getEDNSOption(65002)
>>>>       if (specialcode) then
>>>>         pdnslog("*************************** Special Code = "..specialcode)
>>>>       end
>>>>
>>>> Log file Output
>>>> *************************** Special Code = BLAH
>>>>
>>>> Any idea on what is going on?
>>>
>>> Would you be able to share a capture of the query, or at least some way
>>> we can reproduce the issue? I did a quick test -albeit with a different
>>> option- and it worked correctly so I'm assuming I'm not exercising the
>>> same code path that you are.
>>>
>>> Best regards,
>>> --
>>> Remi Gacogne
>>> PowerDNS.COM BV - https://www.powerdns.com/
>>>
>>> _______________________________________________
>>> dnsdist mailing list
>>> dnsdist at mailman.powerdns.com
>>> https://mailman.powerdns.com/mailman/listinfo/dnsdist
>>>
>>
>>


-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
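
An added example, not part of the original thread and not dnsdist code: a standard-library Python check that a query really carries a given EDNS option, useful when confirming what a rule such as EDNSOptionRule(65002) should have matched. It builds a constructed query carrying option 10 and option 65002 (value "BLAH", as in the log output quoted above) and parses the OPT record per RFC 6891, reading option codes as unsigned 16-bit values. The function names are hypothetical, and the thread does not describe the bug itself, so this does not reproduce it.

```python
import struct

OPT_TYPE = 41  # OPT pseudo-RR type (RFC 6891)

def build_query(qname, options, qid=0x1234):
    """Build a constructed wire-format A query with one OPT RR holding (code, data) options."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    # Root owner name, TYPE=OPT, CLASS=UDP payload size, TTL=ext. rcode/version/flags, RDLEN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, pos):
    """Return the offset just past the name at pos (plain labels or a compression pointer)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def edns_options(msg):
    """Return the (code, data) EDNS options found in a DNS message, in wire order."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        end = pos + rdlen
        if end > len(msg):
            raise ValueError("truncated record")
        p = pos
        while rtype == OPT_TYPE and p + 4 <= end:
            code, olen = struct.unpack_from("!HH", msg, p)  # "H": unsigned, 0..65535
            if p + 4 + olen > end:
                raise ValueError("option overruns OPT RDATA")
            found.append((code, msg[p + 4:p + 4 + olen]))
            p += 4 + olen
        pos = end
    return found

def has_option(msg, code):
    """True if the message carries an EDNS option with this code."""
    return any(c == code for c, _ in edns_options(msg))
```
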
