[dnsdist] manipulate dynBlockRulesGroup() at runtime?
Fredrik Pettai
pettai at sunet.se
Thu Apr 16 14:21:46 UTC 2020
> On 16 Apr 2020, at 16:19, Fredrik Pettai via dnsdist <dnsdist at mailman.powerdns.com> wrote:
>
>> On 16 Apr 2020, at 11:25, Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote:
>>
>> Hi Fredrik,
>>
>> On 4/15/20 6:05 PM, Fredrik Pettai via dnsdist wrote:
>>> Is there a way to manipulate dynBlockRulesGroup():excludeRange at runtime,
>>> for instance add networks to the excludeRange ?
>>> And how do I look at/print what the current object holds with :toString()?
>>>
>>>> dynBlockRulesGroup():toString()
>>> Query rate rule:
>>> Response rate rule:
>>> SuffixMatch rule:
>>> RCode rules:
>>> QType rules:
>>> Excluded Subnets:
>>> Excluded Domains:
>>>
>>> certainly looks like it should be doable (but perhaps this is just counters?
>>> https://mailman.powerdns.com/pipermail/dnsdist/2019-June/000561.html),
>>> I can’t figure out the syntax for printing a created object…
>>
>> Remember that the configuration is in the Lua language, as is the
>> console. So the way it's usually done is to assign the object created by
>> dynBlockRulesGroup() to a variable and to use that variable either in
>> the configuration or later via the console. For example, you could set
>> this in your configuration file:
>>
>> dbrg = dynBlockRulesGroup()
>> dbrg:setQueryRate(1, 10, "Exceeded query rate", 60)
>> dbrg:setQTypeRate(DNSQType.ANY, 5, 10, "Exceeded ANY rate", 60)
>> dbrg:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 60)
>>
>> and then later connect to the console and do:
>>
>>> dbrg:toString()
>> Query rate rule: Apply the global DynBlock action for 60 seconds when
>> over 1 during the last 10 seconds, reason: 'Exceeded query rate'
>> Response rate rule: Apply the global DynBlock action for 60 seconds when
>> over 10000 during the last 10 seconds, reason: 'Exceeded resp BW rate'
>> SuffixMatch rule:
>> RCode rules:
>> QType rules:
>> - ANY: Apply the global DynBlock action for 60 seconds when over 5
>> during the last 10 seconds, reason: 'Exceeded ANY rate'
>> Excluded Subnets:
>> Excluded Domains:
>>
>>> dbrg:includeRange("192.0.2.1/32")
>>> dbrg:excludeRange({"192.0.2.0/24", "2001:db8::/32" })
>>> dbrg:toString()
>> Query rate rule: Apply the global DynBlock action for 60 seconds when
>> over 1 during the last 10 seconds, reason: 'Exceeded query rate'
>> Response rate rule: Apply the global DynBlock action for 60 seconds when
>> over 10000 during the last 10 seconds, reason: 'Exceeded resp BW rate'
>> SuffixMatch rule:
>> RCode rules:
>> QType rules:
>> - ANY: Apply the global DynBlock action for 60 seconds when over 5
>> during the last 10 seconds, reason: 'Exceeded ANY rate'
>> Excluded Subnets: !192.0.2.1/32, 192.0.2.0/24, 2001:db8::/32
>> Excluded Domains:
>>
>> Remember that, for that configuration to actually do something, you need
>> to call the apply() method of the dbrg object from the maintenance()
>> function:
>>
>> function maintenance()
>>   dbrg:apply()
>> end
>>
>> We have a few more words in the documentation [1].
>>
>> [1]: https://dnsdist.org/guides/dynblocks.html
>
> Thanks for the clarification,
> I guess these questions were more Lua questions.
>
> Anyway, given the examples on the webpage above, it suggests configuring:
>
> local dbr = …
>
> (I guess this is for a good reason to keep it local?)
>
> and then you can’t do dbr:toString() on the console:
>
>> dbr:toString()
> Error: [string "return dbr:toString()"]:1: attempt to index global 'dbr' (a nil value)>
>
> How do I look at that local variable?
>
> Also, when I want to :apply() in the maintenance() function from the console, I get an error:
>
>> function maintenance()
> Error: [string "function maintenance()"]:1: 'end' expected near '<eof>': >
>
> I’m not able to find the help when searching for this…
Btw, I forgot to mention that I’m running the 1.5 alpha, but I will upgrade to rc now and see if that helps?
Re,
/P