[dnsdist] cache dnsdist not working for my setup

SAMI RAHAL Sami.Rahal at topnetpro.tn
Wed Feb 10 13:17:01 UTC 2021


Hi Kai

Here is my complete configuration:


-- listen for console connection with the given secret key
controlSocket("127.0.0.1")
setKey("BlM9FFCjk1QIij/LUxq+TQbsH9PUSe47KZiRIbeBdn8=")
setLocal('Server_ipadress:53')
setACL('0.0.0.0/0')
newServer({name="unbound",pool={"resolverT"},address="ipadress", qps=1000, order=1})
newServer({name="pdns-recursor",pool={"resolverT"},address="ipadress", order=2})
----------- config cache -------------------
cacheresolv = newPacketCache(100000)
getPool("resolverT"):setCache(cacheresolv)
setStaleCacheEntriesTTL(86400)
addAction(AllRule(), PoolAction("resolverT"))
--newServer({address="8.8.8.8", pool="abuse"})
-- set the TC-bit (truncate) on ANY queries received over UDP, forcing a retry over TCP.
addAction(AndRule({QTypeRule(dnsdist.ANY), TCPRule(false)}), TCAction())
-- DDos protection, block for 5 minutes. https://dnsdist.org/guides/dynblocks.html
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(30, 10, "Exceeded query rate", 3000)
dbr:setRCodeRate(dnsdist.NXDOMAIN, 20, 10, "Exceeded NXD rate", 3000)
dbr:setRCodeRate(dnsdist.SERVFAIL, 20, 10, "Exceeded ServFail rate", 300)
dbr:setQTypeRate(dnsdist.ANY, 5, 10, "Exceeded ANY rate", 300)
dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 300)
-- send the queries for selected domain suffixes to the server
-- in the 'abuse' pool
addAction({"ezdns.it.", "xxx."}, PoolAction("abuse"))
-- send the queries from a selected subnet to the
-- abuse pool
addAction("192.168.1.0/24", PoolAction("abuse"))
-- pool, but only up to 100 qps
addAction("xxx.", QPSPoolAction(100, "abuse"))
-- to the abuse pool
function luarule(dq)
	if(dq.qtype==dnsdist.NAPTR)
	then
		return DNSAction.Pool, "abuse" -- send to abuse pool
	else
		return DNSAction.None, ""      -- no action
	end
end
-- and /64 for IPv6
addAction(MaxQPSIPRule(5, 24, 64), DropAction())
-- move the last rule to the first position
topRule()
-- drop queries for the following suffixes:
addAction("domain.org.", DropAction())
addAction("spectre.", DropAction())
-- called before we distribute a question
block=newDNSName("domains.org.")
truncateNMG = newNMG()
truncateNMG:addMask("213.244.0.0/16")
truncateNMG:addMask("2001:503:ba3e::2:30")
truncateNMG:addMask("fe80::/16")
print(string.format("Have %d entries in truncate NMG", truncateNMG:size()))
-- called to pick a downstream server, ignores 'up' status
counter=0
function luaroundrobin(servers, dq)
	 counter=counter+1;
	 return servers[1+(counter % #servers)]
end
-- split queries between the 'auth' pool and the regular one,
-- based on the RD flag
function splitSetup(servers, dq)
	 if(dq.dh:getRD() == false)
	 then
		return firstAvailable.policy(getPoolServers("auth"), dq)
	 else
		return firstAvailable.policy(servers, dq)
	 end
end
-- the 'maintenance' function is called every second
function maintenance()
	 -- block all hosts that exceeded 20 qps over the past 10s,
	 -- for 60s
	 addDynBlocks(exceedQRate(20, 10), "Exceeded query rate", 60)
end
--addAction(AllRule(), LogAction("/var/log/dnsdist.log", false, true, false,true))
addAction(AllRule(), LogAction("/var/log/dnsdist.log", false, true, false))

________________________________________
From: dnsdist <dnsdist-bounces at mailman.powerdns.com> on behalf of dnsdist-request at mailman.powerdns.com <dnsdist-request at mailman.powerdns.com>
Sent: Wednesday, 10 February 2021 13:00
To: dnsdist at mailman.powerdns.com
Subject: dnsdist Digest, Vol 66, Issue 14

Send dnsdist mailing list submissions to
        dnsdist at mailman.powerdns.com

To subscribe or unsubscribe via the World Wide Web, visit
        https://mailman.powerdns.com/mailman/listinfo/dnsdist
or, via email, send a message with subject or body 'help' to
        dnsdist-request at mailman.powerdns.com

You can reach the person managing the list at
        dnsdist-owner at mailman.powerdns.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dnsdist digest..."


Today's Topics:

   1. Re: cache dnsdist not working for my setup (Otto Moerbeek)
   2. Re: cache dnsdist not working for my setup (SAMI RAHAL)
   3. Re: cache dnsdist not working for my setup (Kai)


----------------------------------------------------------------------

Message: 1
Date: Wed, 10 Feb 2021 10:18:25 +0100
From: Otto Moerbeek <otto at drijf.net>
To: SAMI RAHAL <Sami.Rahal at topnetpro.tn>
Cc: "dnsdist at mailman.powerdns.com" <dnsdist at mailman.powerdns.com>
Subject: Re: [dnsdist] cache dnsdist not working for my setup
Message-ID: <YCOk4eGPhpekwJB6 at clue.drijf.net>
Content-Type: text/plain; charset=iso-8859-1

On Wed, Feb 10, 2021 at 07:04:34AM +0000, SAMI RAHAL via dnsdist wrote:

> Hi
> I proceeded as Markus said; the permission problem is solved, but the log file is empty and I have the following message when I want to consult the traffic in the console.
>
> showResponseLatency()
> No traffic yet.
>
> PS I don't have these problems with version 1.3!

When switching versions, it is very important to read the upgrade
guide (and other docs) first. Also read and understand
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Only if you think for yourself first and give complete information to
the list we can maybe help you. At the moment, your messages only
cause noise on the list.

        -Otto


>
> Regards
>
> ________________________________________
> From: dnsdist <dnsdist-bounces at mailman.powerdns.com> on behalf of dnsdist-request at mailman.powerdns.com <dnsdist-request at mailman.powerdns.com>
> Sent: Tuesday, 9 February 2021 13:00
> To: dnsdist at mailman.powerdns.com
> Subject: dnsdist Digest, Vol 66, Issue 12
>
> Today's Topics:
>
>    1. Re: cache dnsdist not working for my setup (Pieter Lexis)
>    2. Re: cache dnsdist not working for my setup (Markus Ehrlicher)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 9 Feb 2021 10:24:42 +0100
> From: Pieter Lexis <pieter.lexis at powerdns.com>
> To: dnsdist at mailman.powerdns.com
> Subject: Re: [dnsdist] cache dnsdist not working for my setup
> Message-ID: <1c384ba0-5146-4f21-bfff-801b4c66e1ba at powerdns.com>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> On 2/9/21 9:41 AM, SAMI RAHAL via dnsdist wrote:
> > I have adjusted access to the console, but now I have a problem with the dnsdist log file
> >
> > Fatal Lua error: [string "chunk"]:164: Caught exception: Unable to open file '/var/log/dnsdist.log' for logging: Permission denied
> >
> > ls -l /var/log/
> > -rw-------  1 dnsdist dnsdist        0 Feb  8 03:21 dnsdist.log
> > -rw-------  1 dnsdist dnsdist        0 Feb  7 19:59 dnsdist.log-20210208
> >
> >
> > the log files are empty, I didn't have this problem before installing version 1.5
>
> dnsdist runs as the dnsdist user. 2 things might be the case
>
> 1. the /var/lib directory is not accessible to all users
> 2. a protection setting in the systemd service file might prevent this
> (most likely ProtectSystem=full)
>
> Have a look at what might be the culprit here.
>
> --
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 9 Feb 2021 10:03:41 +0000
> From: Markus Ehrlicher <Markus.Ehrlicher at komsa.de>
> To: "'dnsdist at mailman.powerdns.com'" <dnsdist at mailman.powerdns.com>
> Subject: Re: [dnsdist] cache dnsdist not working for my setup
> Message-ID: <7034235e27fa4916b300db5450ab55dc at komsa.de>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I think I ran into the same problem on Ubuntu 20.04. My solution was to create a folder /var/log/dnsdist with write permission for the _dnsdist user and to configure all logfiles for dnsdist to this location.
>
> Best regards,
> Markus
>


------------------------------

Message: 2
Date: Wed, 10 Feb 2021 10:12:17 +0000
From: SAMI RAHAL <Sami.Rahal at topnetpro.tn>
To: Otto Moerbeek <otto at drijf.net>
Cc: "dnsdist at mailman.powerdns.com" <dnsdist at mailman.powerdns.com>
Subject: Re: [dnsdist] cache dnsdist not working for my setup
Message-ID: <1612951969563.19881 at topnetpro.tn>
Content-Type: text/plain; charset="iso-8859-1"

Hello
I'm sorry Otto, but I'm pressed for time. As soon as I migrated to version 1.5 I encountered quite a few problems!
Now I only have the problem of the log (empty) and the cache, which still does not work.

----------Log config------------------------------
-- log all queries to a 'dnsdist.log' file, in text-mode (not binary) appending and unbuffered
addAction(AllRule(), LogAction("/var/log/dnsdist/dnsdist.log", false, true, false))

-------------------------Cache config-------------------------
ewServer({name="unbound",pool={"resolverT"},address="IP", qps=1000, order=1})
newServer({name="pdns-recursor",pool={"resolverT"},address="IP", order=2})
cacheresolv = newPacketCache(100000)
getPool("resolverT"):setCache(cacheresolv)
setStaleCacheEntriesTTL(86400)
addAction(AllRule(), PoolAction("resolverT"))




------------------------------

Message: 3
Date: Wed, 10 Feb 2021 11:23:15 +0100
From: Kai <kai at xs4all.net>
To: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] cache dnsdist not working for my setup
Message-ID: <57b09646-de11-2939-940b-305c4742d8d3 at xs4all.net>
Content-Type: text/plain; charset=utf-8; format=flowed

Sami,

On 10-02-2021 11:12, SAMI RAHAL via dnsdist wrote:
> Hello
> I'm sorry Otto, but I'm pressed for time. As soon as I migrated to version 1.5 I encountered quite a few problems!
> Now I only have the problem of the log (empty) and the cache, which still does not work.
>
> ----------Log config------------------------------
> -- log all queries to a 'dnsdist.log' file, in text-mode (not binary) appending and unbuffered
> addAction(AllRule(), LogAction("/var/log/dnsdist/dnsdist.log", false, true, false))
>
> -------------------------Cache config-------------------------
> ewServer({name="unbound",pool={"resolverT"},address="IP", qps=1000, order=1})
> newServer({name="pdns-recursor",pool={"resolverT"},address="IP", order=2})
> cacheresolv = newPacketCache(100000)
> getPool("resolverT"):setCache(cacheresolv)
> setStaleCacheEntriesTTL(86400)
> addAction(AllRule(), PoolAction("resolverT"))

IP is not an ipaddress
ewServer is not a valid statement.


How can we possibly test out your configuration if it is incomplete?



Kai



------------------------------

Subject: Digest Footer

_______________________________________________
dnsdist mailing list
dnsdist at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist


------------------------------

End of dnsdist Digest, Vol 66, Issue 14
***************************************
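
The two things the thread says to look at for the "Permission denied" log error (which account owns the log file versus the account the daemon runs as, and the systemd ProtectSystem= setting) written as checks. This is an added example, not part of any poster's message: the function names are hypothetical, the unit properties are a constructed sample, and it assumes GNU stat and KEY=VALUE text as printed by `systemctl show <unit>`.

```shell
#!/bin/sh
# Added example, not from the thread. Two independent reasons a daemon gets
# "Permission denied" on its log file: file ownership/mode, and systemd sandboxing.

# owner_verdict FILE USER: "ok" if USER owns FILE with the owner-write bit set,
# or FILE is world-writable. Group membership and root are not considered.
owner_verdict() {
    owner=$(stat -c %U "$1") || return 1     # GNU stat: owner name
    perms=$(stat -c %A "$1") || return 1     # e.g. -rw-------
    case "$owner:$perms" in
        "$2":??w*)    echo ok ;;
        *:????????w*) echo ok ;;
        *)            echo denied ;;
    esac
}

# prop NAME: print VALUE of the first NAME=VALUE line read from stdin.
prop() { sed -n "s/^$1=//p" | head -n 1; }

# under PATH PREFIX: true if PATH is PREFIX or lies below it.
under() {
    case "$1" in "$2"|"$2"/*) return 0 ;; esac
    return 1
}

# sandbox_verdict PATH PROPS: PROPS is the text of `systemctl show <unit>`.
# Prints "writable" or "read-only" as ProtectSystem=/ReadWritePaths= leave PATH.
sandbox_verdict() {
    path=$1
    mode=$(printf '%s\n' "$2" | prop ProtectSystem)
    for p in $(printf '%s\n' "$2" | prop ReadWritePaths); do
        p=${p#[-+]}                          # optional systemd path prefixes
        if under "$path" "$p"; then echo writable; return 0; fi
    done
    case "$mode" in
        strict)   ro="/" ;;                  # everything except /dev /proc /sys
        full)     ro="/usr /boot /efi /etc" ;;
        yes|true) ro="/usr /boot /efi" ;;
        *)        ro="" ;;
    esac
    for p in $ro; do
        if [ "$p" = / ]; then
            if under "$path" /dev || under "$path" /proc || under "$path" /sys; then
                continue
            fi
            echo read-only; return 0
        fi
        if under "$path" "$p"; then echo read-only; return 0; fi
    done
    echo writable
}

# Constructed sample of unit properties (not taken from a real host).
SAMPLE='User=_dnsdist
ProtectSystem=strict
ReadWritePaths=/var/log/dnsdist'
sandbox_verdict /var/log/dnsdist.log "$SAMPLE"            # read-only
sandbox_verdict /var/log/dnsdist/dnsdist.log "$SAMPLE"    # writable
```

Run owner_verdict against the log file with the account name from the unit's User= property; a file that passes the ownership check can still be blocked by the sandbox, so both verdicts matter.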

