[dnsdist] nsupdate passing through dnsdist gets dropped by pdns

Remi Gacogne remi.gacogne at powerdns.com
Wed Jan 6 16:43:26 UTC 2021

Hi Darac,

On 1/6/21 5:35 PM, Darac Marjal via dnsdist wrote:
> Watching messages on the webserver, I can see that the "DNSOpcode.Update
> -> auth" rule is applied, but then the number of "Drops" on the auth
> server increments. On the pdns webmonitor "Remote hosts sending corrupt
> packets" also increments. After a few seconds, the nsupdate times out.
> Can anyone spot something I've done wrong, or suggest how I can go about
> debugging this further (I can't seem to figure out, for example, why
> pdns thinks the packet is corrupt).

This indeed suggests that dnsdist might be corrupting the packet 
somehow, perhaps by adding the EDNS Client Subnet payload. Is there any 
chance you could have a look at the packet sent from dnsdist to the 
Authoritative Server, using for example tcpdump?
I am not aware of any issue of that type in 1.5.1 but we have had bugs 
in that area before, so perhaps one remains?

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
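
One way to act on the suggestion above once the payload sent to the backend has been captured (an added example, not part of the original message and not PowerDNS code): it walks a DNS UPDATE message by its header counts, checks that the sections fit the message length, and reports whether an OPT record carrying an EDNS Client Subnet option is present. The function names and the sample packets are constructed for illustration.

```python
import struct

UPDATE, OPT, ECS = 5, 41, 8  # opcode (RFC 2136), RR type (RFC 6891), option (RFC 7871)

def skip_name(msg, off):  # offset just past a domain name, compressed or not
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off
    raise ValueError("name runs past end of message")

def inspect(msg):  # walk all sections by the header counts
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, zocount, prcount, upcount, adcount = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(zocount):  # zone entries: name, type, class
        off = skip_name(msg, off) + 4
    opt = ecs = False
    for _ in range(prcount + upcount + adcount):  # full resource records
        off = skip_name(msg, off) + 10
        if off > len(msg):
            raise ValueError("truncated RR header")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off - 10:off])
        end = off + rdlen
        if end > len(msg):
            raise ValueError("RDATA runs past end of message")
        if rtype == OPT:  # RDATA is a list of (code, length, data) options
            opt = True
            while off + 4 <= end:
                code, olen = struct.unpack("!HH", msg[off:off + 4])
                ecs, off = ecs or code == ECS, off + 4 + olen
            if off != end:
                raise ValueError("malformed EDNS options")
        off = end
    if off > len(msg):
        raise ValueError("zone section runs past end of message")
    return {"opcode": (flags >> 11) & 0xF, "opt": opt, "ecs": ecs, "trailing": len(msg) - off}

# Constructed samples, not captured traffic: UPDATE adding host.example.org A 192.0.2.1
BODY = (b"\x07example\x03org\x00" + struct.pack("!HH", 6, 1) +
        b"\x04host\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
OPT_RR = (b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, 11) +  # root name, 11 bytes of options
          struct.pack("!HHHBB", ECS, 7, 1, 24, 0) + bytes([192, 0, 2]))  # ECS 192.0.2.0/24
PLAIN = struct.pack("!6H", 0x1234, UPDATE << 11, 1, 0, 1, 0) + BODY
WITH_ECS = struct.pack("!6H", 0x1234, UPDATE << 11, 1, 0, 1, 1) + BODY + OPT_RR
```

Feed it the DNS payload only; for a message carried over TCP, strip the two-byte length prefix first. A `ValueError` or a non-zero `trailing` value means the header counts and the bytes on the wire disagree.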
