[dnsdist] Permission denied - SSL certificates

Mark Smith Mark.Smith at dataip.co.uk
Fri May 15 09:03:28 UTC 2020


Hi guys,
first posting but have been subscribed for a while...

It sounds like a trivial problem, but I just can't get to the bottom of
it. I am getting errors as shown below when restarting dnsdist after
upgrading to the latest build (1.5rc2).

May 15 08:13:40 resolver dnsdist[871574]: 140035959995712:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:288:fopen('/etc/ssl/pri>
May 15 08:13:40 resolver dnsdist[871574]: 140035959995712:error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:290:
May 15 08:13:40 resolver dnsdist[871574]: 140035959995712:error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib:../ssl/ssl_rsa.c:540:
May 15 08:13:40 resolver dnsdist[871574]: Fatal error: An error occurred while trying to load the TLS server private key file: /etc/ssl/private/server.key
May 15 08:13:40 resolver systemd[1]: dnsdist.service: Main process exited, code=exited, status=1/FAILURE

The obvious would be that something is wrong with permissions of those
files, but I can't see the issue.

The system runs fine using build 1.4.
All I did was to add the repo to the sources list and do an
update/upgrade.
On restart we get the above from journalctl -xe.

Extract of config file is:

addTLSLocal("0.0.0.0", "/etc/ssl/certs/server.crt", "/etc/ssl/private/server.key")
addTLSLocal("[::]", "/etc/ssl/certs/server.crt", "/etc/ssl/private/server.key")

Looking at that private key;

 ls -l /etc/ssl/private/

-rw-rw-rw- 1 root root 1679 Apr 26 23:35 server.key

Which looks fine.

Runs okay using the same config and version 1.4 (running on Ubuntu
20.04 LTS).
Anyone have any ideas? Looks like the above errors are coming from the
code within dnsdist.

Note: If I uninstall 1.5rc2, and reinstall 1.40 it seems to run fine.




-- 
Mark Smith
dataIP Limited                       
tel. +44(0)1785 609520
smtp:Mark.Smith at dataIP.co.uk
http://www.dataIP.co.uk/
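An added check, not part of the thread, that evaluates the key path the way the kernel does: the mode shown above (0666) grants read to every account, so the permission bits can only deny the open through a directory on the way to the key that lacks the search bit for the account dnsdist runs as, and the same 0666 mode also exposes the private key to every local user. The path is the one from the post; the account name "dnsdist" is an assumption, and ACLs or AppArmor are not modelled.

```python
import grp
import os
import pwd
import stat
from pathlib import Path


def _bits_for(st: os.stat_result, uid: int, gids: set[int]) -> int:
    """Return the rwx triplet (0-7) of st that applies to uid, as the kernel picks it."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def key_access_problems(key: str, uid: int, gids: set[int]) -> list[str]:
    """List what stops uid from opening key, plus a key exposed to everyone.

    Only ownership and mode bits are consulted, so this runs as any user and
    does not need to switch to the daemon's account (root bypasses these bits,
    and ACLs or AppArmor are not modelled).
    """
    problems = []
    path = Path(key).resolve()
    # every ancestor directory, up to and including "/", needs the search (x) bit
    for parent in path.parents:
        pst = os.stat(parent)
        if not _bits_for(pst, uid, gids) & 1:
            problems.append(f"NO_TRAVERSE {parent} mode={stat.S_IMODE(pst.st_mode):04o}")
    st = os.stat(path)
    if not _bits_for(st, uid, gids) & 4:              # the key itself needs r
        problems.append(f"NO_READ {path} mode={stat.S_IMODE(st.st_mode):04o}")
    if stat.S_IMODE(st.st_mode) & 0o006:             # ... but never for "other"
        problems.append(f"WORLD_ACCESSIBLE {path} mode={stat.S_IMODE(st.st_mode):04o}")
    return problems


def key_access_problems_for_user(key: str, username: str) -> list[str]:
    """Same check for a named account, e.g. the one the daemon drops privileges to."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return key_access_problems(key, pw.pw_uid, gids)


if __name__ == "__main__":
    # "dnsdist" is assumed to be the account the daemon runs as
    for line in key_access_problems_for_user("/etc/ssl/private/server.key", "dnsdist") or ["OK"]:
        print(line)
```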


>>> <dnsdist-request at mailman.powerdns.com> 15/05/2020 09:13 >>>

Today's Topics:

   1. Re: A few questions about rate-limiting (Remi Gacogne)
   2. Re: A few questions about rate-limiting (Thib D)
   3. dbr:setRCodeRate - DNSRCode.NXDOMAIN not working with
      packetcache (Dave Strydom)
   4. Re: dbr:setRCodeRate - DNSRCode.NXDOMAIN not working with
      packetcache (Remi Gacogne)


----------------------------------------------------------------------

Message: 1
Date: Thu, 14 May 2020 14:04:47 +0200
From: Remi Gacogne <remi.gacogne at powerdns.com>
To: dnsdist at mailman.powerdns.com 
Subject: Re: [dnsdist] A few questions about rate-limiting
Message-ID: <ecc580ce-b6b8-c181-16c7-70cfc67c2513 at powerdns.com>
Content-Type: text/plain; charset="utf-8"

Hi Thibaud,

On 5/13/20 9:50 AM, Thib D via dnsdist wrote:
> I am currently trying to set up a rate-limiting config and I have a
> few questions about how Dynblocks and Packet policies rules work :
> 
> When an IP is inserted in a DynBlockRule, an action is automatically
> given to the query for some time.
> Instead of dropping/truncating every query, I would like to have the
> possibility to drop/truncate 50% for the queries coming from this
> abusive IP. Is this currently possible to do so?

I'm afraid there is currently no way to do that. At the moment only
the following actions are supported for a dynamic block rule:

DNSAction.Drop (the default), DNSAction.NoOp, DNSAction.NXDomain,
DNSAction.Refused, DNSAction.Truncate and DNSAction.NoRecurse.

> It looks like it's possible to come close to this behavior using
> MaxQPSIPRule(10,24,48) and dropping the queries matching this rule.
> Here, the abusive source would still be able to query at a 10 qps
> rate, and the rest of the queries would be dropped.

It's not exactly equivalent to what a dynamic block does but that
would be closer to your expectations indeed. Please note that the second
and third parameters that you are currently using would group by /24 for
IPv4 and /48 for IPv6.

> I would also like to have the same behaviour for queries by RCODE[1]
> and QNAMEs[2]:
> [1] : I would like to allow a source to have 10 NXDOmains/s, and
> drop the rest of the NXDOmain queries from this source.
> [2] : I would like to allow 10 queries per second for a single source
> on a same domain, then drop the rest.
> 
> From what I understand, DynBlocks are the only way to count
> responses with a specific RCodes, and I'm wondering if there is a way
> to have Dynblock not dropping/truncating every query (would LuaActions
> do the trick ?), or setting up custom rules to have some sort of
> MaxQPSRule limiting subnets abusing NXDOmains/SERVFAIL/REFUSED.

Dynamic blocks have been designed to cut off the queries sent by an
abusive client so at the moment there is no way to select which
queries to block and which to keep once a dynamic block has been
inserted. You could however mimic that behaviour with custom Lua rules
and actions.

> Last question : Will Dynblocks be able to deal with subnets instead
> of IPs in the future?

Could you describe your use case a bit more so I understand why you
would like to be able to group dynamic blocks? It would be easy to
make it possible to aggregate IPs into fixed-size subnets, for example
/64 or /48 for IPv6, but doing dynamic aggregation would be more
complicated.


Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/


------------------------------

Message: 2
Date: Thu, 14 May 2020 15:45:18 +0200
From: Thib D <thibmac0241 at gmail.com>
To: Remi Gacogne <remi.gacogne at powerdns.com>
Cc: dnsdist at mailman.powerdns.com 
Subject: Re: [dnsdist] A few questions about rate-limiting
Message-ID:
	<CABeTJ72hr4EJPEcB8N=mwedORnfND-ea9CWRHFjudSV=QPe4=A at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi Remi,

Thanks for your answer,

> Could you describe your use case a bit more so I understand why you
> would like to be able to group dynamic blocks? It would be easy to
> make it possible to aggregate IPs into fixed-size subnets, for example
> /64 or /48 for IPv6, but doing dynamic aggregation would be more
> complicated.

I found this issue. It sums up the need pretty well:
https://github.com/PowerDNS/pdns/issues/4993

Instead of banning one particular IP, the goal would be to ban the /24
subnet this IP is in.
This is also why I have been trying to use QPS rules with these subnet
options.

While dnsdist seems to be pretty quick and efficient at creating a
massive amount of blocks in case of a ddos, blocking /24 subnets can
sometimes be the safest option.

> You could however mimic that behaviour with custom Lua rules and
> actions.

I will update this thread if I can make a custom rule that allows a
certain percentage of queries to pass through the rule.

Best regards.
Thibaud




------------------------------

Message: 3
Date: Fri, 15 May 2020 09:31:39 +0200
From: Dave Strydom <strydom.dave at gmail.com>
To: dnsdist at mailman.powerdns.com 
Subject: [dnsdist] dbr:setRCodeRate - DNSRCode.NXDOMAIN not working
	with packetcache
Message-ID:
	<CAHeyidN7XCXPaCYnLPJCd7W4ENkYGcAdcQGKX6yAwJ_kEehGng at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi,

I've picked up a strange issue in 1.4 where the

dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 10, "Exceeded NXD rate", 120)

rate limit seems to be ignored if the packet cache is enabled and only
the dbr:setQueryRate triggers.
The moment I disable the packet cache, the NXDOMAIN rate limiting
works.

Here is my config (please excuse anything looking odd, I'm new to
dnsdist):

---------------
addLocal('xxx.xxx.xxx.110:53')

newServer({address="10.10.216.112:5300", qps=5000})
setServerPolicy(firstAvailable)

setACL({'0.0.0.0/0', '::/0'})

whitelisted = newNMG()
whitelisted:addMask("xxx.xxx.xxx.0/22")
whitelisted:addMask("xx.xxx.xx.0/24")
addAction(NetmaskGroupRule(whitelisted), AllowAction())

addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), TCAction())

local dbr = dynBlockRulesGroup()
dbr:excludeRange({"xxx.xxx.xxx.0/22", "xx.xxx.xx.0/24", "xxxx:xxxx:x::/48"})

dbr:setQueryRate(30, 10, "Exceeded query rate", 120)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 10, "Exceeded NXD rate", 120)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 120)
dbr:setQTypeRate(DNSQType.ANY, 5, 10, "Exceeded ANY rate", 120)
dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 120)

function maintenance()
  dbr:apply()
end

addAction(MaxQPSIPRule(25, 32, 64), TCAction())

pc = newPacketCache(1000000, {maxTTL=120, minTTL=0, temporaryFailureTTL=60,
                              staleTTL=60, maxNegativeTTL=60, dontAge=false})
getPool(""):setCache(pc)
---------------

Is this an issue or is this by design?

thanks
Dave

------------------------------

Message: 4
Date: Fri, 15 May 2020 10:13:03 +0200
From: Remi Gacogne <remi.gacogne at powerdns.com>
To: dnsdist at mailman.powerdns.com 
Subject: Re: [dnsdist] dbr:setRCodeRate - DNSRCode.NXDOMAIN not
	working with packetcache
Message-ID: <5411e344-8b31-dc64-08e0-25cc43f6836e at powerdns.com>
Content-Type: text/plain; charset="utf-8"

Hi Dave,

On 5/15/20 9:31 AM, Dave Strydom via dnsdist wrote:
> I've picked up a strange issue in 1.4 where the
> 
> dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 10, "Exceeded NXD rate", 120)
> 
> rate limit seems to be ignored if the packet cache is enabled and
> only the dbr:setQueryRate triggers.
> The moment I disable the packet cache, the NXDOMAIN rate limiting
> works.
> [...]
> Is this an issue or is this by design?

The short answer is that this is by design, as responses served from
the cache are not hurting the backend.

The long answer is that the dynamic blocks are generated from the last
N entries kept in our query and response ring buffers. While queries
are always inserted to the query ring buffer, answers served from the
packet cache are not, because we mostly care about the answers received
from our backend but also because we wanted the packet cache hit path
to be as fast as possible. So these answers are not visible when
determining whether a client exceeded a trigger based on the content of
responses.

I guess we could make it possible to add cache hit answers to the
response ring buffer at some cost, but we would have to check that it
does not have any unforeseen impact in other parts of the code.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

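A toy model of the ring-buffer behaviour described in the message above, added here as an example rather than dnsdist code (it ignores TTLs and the 10-second window, and the client address is constructed): with the thresholds from Dave's config, 50 repeats of one NXDOMAIN query trip the query-rate trigger either way, but trip the NXDOMAIN trigger only with the cache off, because cache hits never enter the response ring.

```python
from collections import deque

NXDOMAIN = 3
CLIENT = "198.51.100.7"            # constructed client address (RFC 5737 range)


class Rings:
    """Query and response ring buffers, as the explanation above describes them."""
    def __init__(self, capacity: int = 10000):
        self.queries = deque(maxlen=capacity)     # (client, qname)
        self.responses = deque(maxlen=capacity)   # (client, qname, rcode)


class Frontend:
    """Toy dnsdist-like frontend: a packet cache in front of one backend."""
    def __init__(self, cache_enabled: bool):
        self.cache_enabled = cache_enabled
        self.cache: dict[str, int] = {}   # qname -> rcode; no TTL expiry in this toy
        self.rings = Rings()
        self.backend_answers = 0

    def serve(self, client: str, qname: str, backend_rcode: int) -> int:
        self.rings.queries.append((client, qname))    # queries are always recorded
        if self.cache_enabled and qname in self.cache:
            return self.cache[qname]                  # cache hit: no response ring entry
        self.backend_answers += 1
        self.cache[qname] = backend_rcode
        self.rings.responses.append((client, qname, backend_rcode))
        return backend_rcode


def query_rate_exceeded(rings: Rings, client: str, threshold: int) -> bool:
    """setQueryRate-style trigger: count queries from client in the query ring."""
    return sum(1 for c, _ in rings.queries if c == client) > threshold


def rcode_rate_exceeded(rings: Rings, client: str, rcode: int, threshold: int) -> bool:
    """setRCodeRate-style trigger: count responses with rcode in the response ring."""
    return sum(1 for c, _, r in rings.responses if c == client and r == rcode) > threshold


def run(cache_enabled: bool, repeats: int = 50) -> dict:
    """One client repeats the same NXDOMAIN-producing query `repeats` times."""
    fe = Frontend(cache_enabled)
    for _ in range(repeats):
        fe.serve(CLIENT, "doesnotexist.example.", NXDOMAIN)
    return {
        "query_rate": query_rate_exceeded(fe.rings, CLIENT, 30),             # 30 qps rule
        "nxdomain_rate": rcode_rate_exceeded(fe.rings, CLIENT, NXDOMAIN, 5),  # 5 NXD/s rule
        "backend_answers": fe.backend_answers,
    }
```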

------------------------------

End of dnsdist Digest, Vol 57, Issue 11
***************************************


