[dnsdist] manipulate dynBlockRulesGroup() at runtime?

Fredrik Pettai pettai at sunet.se
Thu Apr 16 14:19:42 UTC 2020


> On 16 Apr 2020, at 11:25, Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote:
> 
> Hi Fredrik,
> 
> On 4/15/20 6:05 PM, Fredrik Pettai via dnsdist wrote:
>> Is there a way to manipulate dynBlockRulesGroup():excludeRange at runtime,
>> for instance add networks to the excludeRange?
>> And how do I look/print what the current object holds with :toString()?
>> 
>>> dynBlockRulesGroup():toString()
>> Query rate rule:
>> Response rate rule:
>> SuffixMatch rule:
>> RCode rules:
>> QType rules:
>> Excluded Subnets:
>> Excluded Domains:
>> 
>> certainly looks like it should be doable (but perhaps this is just counters?
>> https://mailman.powerdns.com/pipermail/dnsdist/2019-June/000561.html),
>> I can’t figure out the syntax for printing a created object…
> 
> Remember that the configuration is in the Lua language, as is the
> console. So the way it's usually done is to assign the object created by
> dynBlockRulesGroup() to a variable and to use that variable either in
> the configuration or later via the console. For example, you could set
> this in your configuration file:
> 
> dbrg = dynBlockRulesGroup()
> dbrg:setQueryRate(1, 10, "Exceeded query rate", 60)
> dbrg:setQTypeRate(DNSQType.ANY, 5, 10, "Exceeded ANY rate", 60)
> dbrg:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 60)
> 
> and then later connect to the console and do:
> 
>> dbrg:toString()
> Query rate rule: Apply the global DynBlock action for 60 seconds when
> over 1 during the last 10 seconds, reason: 'Exceeded query rate'
> Response rate rule: Apply the global DynBlock action for 60 seconds when
> over 10000 during the last 10 seconds, reason: 'Exceeded resp BW rate'
> SuffixMatch rule:
> RCode rules:
> QType rules:
> - ANY: Apply the global DynBlock action for 60 seconds when over 5
> during the last 10 seconds, reason: 'Exceeded ANY rate'
> Excluded Subnets:
> Excluded Domains:
> 
>> dbrg:includeRange("192.0.2.1/32")
>> dbrg:excludeRange({"192.0.2.0/24", "2001:db8::/32" })
>> dbrg:toString()
> Query rate rule: Apply the global DynBlock action for 60 seconds when
> over 1 during the last 10 seconds, reason: 'Exceeded query rate'
> Response rate rule: Apply the global DynBlock action for 60 seconds when
> over 10000 during the last 10 seconds, reason: 'Exceeded resp BW rate'
> SuffixMatch rule:
> RCode rules:
> QType rules:
> - ANY: Apply the global DynBlock action for 60 seconds when over 5
> during the last 10 seconds, reason: 'Exceeded ANY rate'
> Excluded Subnets: !192.0.2.1/32, 192.0.2.0/24, 2001:db8::/32
> Excluded Domains:
> 
> Remember that, for that configuration to actually do something, you need
> to call the apply() method of the dbrg object from the maintenance()
> function:
> 
> function maintenance()
>  dbrg:apply()
> end
> 
> We have a few more words in the documentation [1].
> 
> [1]: https://dnsdist.org/guides/dynblocks.html

Thanks for the clarification,
I guess these questions were more of Lua questions.

Anyway, given the examples in the webpage above, it suggests configuring:

local dbr = …

(I guess this is for a good reason to keep it local?)

and then you can’t do dbr:toString() on the console:

> dbr:toString()
Error: [string "return dbr:toString()"]:1: attempt to index global 'dbr' (a nil value)>

How do I look at that local variable?

Also, when I want to :apply() in the maintenance() function from the console, I get an error:

> function maintenance()
Error: [string "function maintenance()"]:1: 'end' expected near '<eof>': >

I’m not able to find the help when searching for this…

Re,
/P
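
Added example, not part of the original message or of dnsdist: a plain-Lua model of the two console errors quoted above, showing why a `local` from the configuration file is not visible to a later console line and why a function definition has to be complete on one line. It assumes, as the `[string "..."]` prefixes in those errors indicate, that each console line is compiled as its own Lua chunk; `fakeGroup`, `run`, `showDbr` and `excludeFromDbr` are hypothetical names, and `fakeGroup` is only a stand-in for `dynBlockRulesGroup()`.

```lua
-- Plain Lua (5.1/LuaJIT or newer), no dnsdist needed.
local compile = loadstring or load  -- loadstring on 5.1/LuaJIT, load on 5.2+

-- Hypothetical stand-in for dynBlockRulesGroup(): only tracks excluded ranges.
function fakeGroup()
  local g = { excluded = {} }
  function g:excludeRange(r) table.insert(self.excluded, r) end
  function g:apply() end
  function g:toString()
    return "Excluded Subnets: " .. table.concat(self.excluded, ", ")
  end
  return g
end

-- Compile and run one string as its own chunk (assumed console behaviour).
local function run(src)
  local chunk, err = compile(src)
  if not chunk then return false, err end
  return pcall(chunk)
end

-- "Configuration file" chunk: a local group, a global group, and two global
-- functions that close over the local so it stays reachable afterwards.
assert(run([[
  local dbr = fakeGroup()
  dbrg = fakeGroup()
  function showDbr() return dbr:toString() end
  function excludeFromDbr(range) dbr:excludeRange(range) end
]]))

-- "Console" lines, one chunk each.
local ok, err = run('return dbr:toString()')
assert(not ok)  -- the local ended with the configuration chunk
print(err)

assert(run('dbrg:excludeRange("192.0.2.0/24")'))  -- globals are reachable
assert(run('excludeFromDbr("2001:db8::/32")'))    -- locals only via closures
print(select(2, run('return dbrg:toString()')))
print(select(2, run('return showDbr()')))

ok, err = run('function maintenance()')
assert(not ok)  -- an unfinished statement cannot compile on its own
print(err)

-- The whole definition on one line is a complete chunk.
assert(run('function maintenance() dbrg:apply() end'))
assert(run('maintenance()'))
```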