[dnsdist] documentation for "showDOHFrontends()" output

Christoph cm at appliedprivacy.net
Wed Jun 12 21:18:00 UTC 2019 

Remi Gacogne wrote:
> On 6/12/19 12:05 AM, Christoph wrote:
>> We saw 400 Bad Request responses but the counter in the "Bad" column did
>> not increase but I'll rerun the tests to make sure this was not caused
>> by looking at the IPv4 counter stats while hitting the IPv6 frontend
>> or vice versa.
> 
> Note that invalid HTTP queries will get a 400 before our DNS code even
> get called, so you might indeed get 400 errors without the "Bad" counter
> increasing.

good point and it would be great if the counters in #7898 will include
all actual "400 Bad Request" responses.


>>> The "Errors" counters refers to invalid or rejected DNS queries:
>>> - smaller than a minimal DNS header or the QR bit is set, or QDCOUNT is
>>> equal to zero (noncompliant-queries in the regular stats should increase
>>> accordingly);
>>> - blocked by the ACL (acl-drops should increase) ;
>>> - query is dropped by a rule (the counter of the corresponding rule
>>> should increase) ;
>>> - we encountered an error when sending the query to the selected backend
>>> (downstream-send-errors should increase, as well the 'sendErrors'
>>> counter of the corresponding backend).
>>
>> Thanks for writing this down. Are you implying that you currently
>> respond with
>> 500 Internal Server Error
>> in all these "Error" cases? (which would be surprising, at least to me)
> 
> Yes, that's indeed the case with our current code and I agree we need to
> handle that differently. I just opened [1] which I hope is a step in the
> right direction. Comments welcome!
> 
> [1]: https://github.com/PowerDNS/pdns/pull/7917

If I understood the description correctly you are aiming at closing the
connection instead of returning an actual HTTP response code to safe
cycles, but in environments with load balancers this will actually
increase unnecessary processing. We made that experience already with
other DoH server software and we successfully convinced them that
closing the connection instead of providing actual response codes is a
bad idea.

We will add a commend and references to the PR.

thanks,
Christoph

More information about the dnsdist mailing list