[dnsdist] manipulate dynBlockRulesGroup() at runtime?

Remi Gacogne remi.gacogne at powerdns.com
Thu Apr 16 09:25:40 UTC 2020


Hi Fredrik,

On 4/15/20 6:05 PM, Fredrik Pettai via dnsdist wrote:
> Is there a way to manipulate dynBlockRulesGroup():excludeRange at runtime, 
> for instance add networks to the excludeRange ? 
> And how do I look/print what current object holds with :toString() ?
> 
>> dynBlockRulesGroup():toString()
> Query rate rule:
> Response rate rule:
> SuffixMatch rule:
> RCode rules:
> QType rules:
> Excluded Subnets:
> Excluded Domains:
> 
> certainly looks like it should be doable (but perhaps this is just counters?
> https://mailman.powerdns.com/pipermail/dnsdist/2019-June/000561.html), 
>  I can’t figure out the syntax for printing a created object…

Remember that the configuration is in the Lua language, as is the
console. So the way it's usually done is to assign the object created by
dynBlockRulesGroup() to a variable and to use that variable either in
the configuration or later via the console. For example, you could set
this in your configuration file:

dbrg = dynBlockRulesGroup()
dbrg:setQueryRate(1, 10, "Exceeded query rate", 60)
dbrg:setQTypeRate(DNSQType.ANY, 5, 10, "Exceeded ANY rate", 60)
dbrg:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 60)

and then later connect to the console and do:

> dbrg:toString()
Query rate rule: Apply the global DynBlock action for 60 seconds when
over 1 during the last 10 seconds, reason: 'Exceeded query rate'
Response rate rule: Apply the global DynBlock action for 60 seconds when
over 10000 during the last 10 seconds, reason: 'Exceeded resp BW rate'
SuffixMatch rule:
RCode rules:
QType rules:
- ANY: Apply the global DynBlock action for 60 seconds when over 5
during the last 10 seconds, reason: 'Exceeded ANY rate'
Excluded Subnets:
Excluded Domains:

> dbrg:includeRange("192.0.2.1/32")
> dbrg:excludeRange({"192.0.2.0/24", "2001:db8::/32" })
> dbrg:toString()
Query rate rule: Apply the global DynBlock action for 60 seconds when
over 1 during the last 10 seconds, reason: 'Exceeded query rate'
Response rate rule: Apply the global DynBlock action for 60 seconds when
over 10000 during the last 10 seconds, reason: 'Exceeded resp BW rate'
SuffixMatch rule:
RCode rules:
QType rules:
- ANY: Apply the global DynBlock action for 60 seconds when over 5
during the last 10 seconds, reason: 'Exceeded ANY rate'
Excluded Subnets: !192.0.2.1/32, 192.0.2.0/24, 2001:db8::/32
Excluded Domains:

Remember that, for that configuration to actually do something, you need
to call the apply() method of the dbrg object from the maintenance()
function:

function maintenance()
  dbrg:apply()
end

We have a few more words in the documentation [1].

[1]: https://dnsdist.org/guides/dynblocks.html

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
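
Added example, not part of the original message and not dnsdist code: a small Python audit of the "Excluded Subnets" line that dbrg:toString() prints, useful for checking after a runtime excludeRange()/includeRange() change which clients are still subject to dynamic blocks. The function names and the prefix-length thresholds are hypothetical, and it assumes the most specific matching entry decides, with "!" marking an includeRange() entry.

```python
import ipaddress

# Constructed sample: the "Excluded Subnets" line of the toString() output above.
SAMPLE = "Excluded Subnets: !192.0.2.1/32, 192.0.2.0/24, 2001:db8::/32"


def parse_excluded(text):
    """Return [(network, is_excluded)] parsed from dbrg:toString() output."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("Excluded Subnets:"):
            continue
        for item in line.split(":", 1)[1].split(","):
            item = item.strip()
            if not item:
                continue  # empty list, as in the first toString() call
            negated = item.startswith("!")  # "!" marks an includeRange() entry
            net = ipaddress.ip_network(item.lstrip("!"), strict=False)
            entries.append((net, not negated))
    return entries


def is_excluded(addr, entries):
    """Assumption: the most specific matching entry decides."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, excluded in entries:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, excluded)
    return best[1] if best else False


def too_broad(entries, min_v4=16, min_v6=32):
    """Exclusions wider than the (assumed) site policy thresholds."""
    limit = {4: min_v4, 6: min_v6}
    return [n for n, excluded in entries
            if excluded and n.prefixlen < limit[n.version]]


if __name__ == "__main__":
    entries = parse_excluded(SAMPLE)
    for probe in ("192.0.2.1", "192.0.2.77", "2001:db8::1", "198.51.100.1"):
        print(probe, "excluded" if is_excluded(probe, entries) else "subject to dynblocks")
    print("too broad:", [str(n) for n in too_broad(entries)])
```

An exclusion that too_broad() reports, such as a default route added by mistake, would exempt nearly every client from the rate rules, so it is worth running after each console change.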
