[dnsdist] dnsdist Digest, Vol 65, Issue 11

Sat Jan 30 18:11:01 UTC 2021

thank you Jacob for your reply ,
I want to know the normal response from a dns resolver server in general (the value in ms)
here is the setup
-- listen for console connection with the given secret key
controlSocket("0.0.0.0")
addLocal('@IP-serverdnsdist:53',{doTCP=true, reusePort=true, tcpFastOpenSize=0})
setACL('@IP/24')
-- fix up possibly badly truncated answers from pdns 2.9.22
truncateTC(true)

warnlog(string.format("Script starting %s", "up!"))
newServer({name="unbound", address="@IP", qps=1000, order=1})
newServer({name="pdns-recursor", address="@IP", order=2})
--newServer({address="8.8.8.8", pool="abuse"})

-- set the TC-bit (truncate) on ANY queries received over UDP, forcing a retry over TCP.
addAction(AndRule({QTypeRule(dnsdist.ANY), TCPRule(false)}), TCAction())

-- DDos protection, block for 5 minutes. https://dnsdist.org/guides/dynblocks.html
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(30, 10, "Exceeded query rate", 3000)
dbr:setRCodeRate(dnsdist.NXDOMAIN, 20, 10, "Exceeded NXD rate", 3000)
dbr:setRCodeRate(dnsdist.SERVFAIL, 20, 10, "Exceeded ServFail rate", 300)
dbr:setQTypeRate(dnsdist.ANY, 5, 10, "Exceeded ANY rate", 300)
dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 300)
-- send the queries for selected domain suffixes to the server
-- in the 'abuse' pool
addAction({"ezdns.it.", "xxx."}, PoolAction("abuse"))
-- send the queries from a selected subnet to the
-- abuse pool
addAction("192.168.1.0/24", PoolAction("abuse"))
-- send only queries from the selected subnet to
-- the luarule function
addLuaAction("192.168.1.0/24", luarule)

-- drop queries exceeding 5 qps, grouped by /24 for IPv4
-- and /64 for IPv6
addAction(MaxQPSIPRule(5, 24, 64), DropAction())

-- move the last rule to the first position
topRule()

-- drop queries for the following suffixes:
addAction("powerdns.org.", DropAction())
addAction("spectre.", DropAction())

-- called before we distribute a question
block=newDNSName("powerdns.org.")
truncateNMG = newNMG()
truncateNMG:addMask("213.244.0.0/16")
truncateNMG:addMask("2001:503:ba3e::2:30")
truncateNMG:addMask("fe80::/16")

print(string.format("Have %d entries in truncate NMG", truncateNMG:size()))

-- called to pick a downstream server, ignores 'up' status
counter=0
function luaroundrobin(servers, dq)
	 counter=counter+1;
	 return servers[1+(counter % #servers)]
end
-- based on the RD flag
function splitSetup(servers, dq)
	 if(dq.dh:getRD() == false)
	 then
		return firstAvailable.policy(getPoolServers("auth"), dq)
	 else
		return firstAvailable.policy(servers, dq)
	 end
end
-- setServerPolicyLua("splitSetup", splitSetup)

-- the 'maintenance' function is called every second
function maintenance()
	 -- block all hosts that exceeded 20 qps over the past 10s,
	 -- for 60s
	 addDynBlocks(exceedQRate(20, 10), "Exceeded query rate", 60)
end

--addAction(AllRule(), LogAction("/var/log/dnsdist.log", false, true, false,true,true))
addAction(AllRule(), LogAction("/var/log/dnsdist.log", false, true, false))

I await your response and suggestion

Best regards

Cordialement,

Sami Rahal
Service Hosting
Direction Technique & SI
Siège Social TOPNET, Centre Urbain Nord
Tél. :71185000
GSM :99 459 812

________________________________________
De : dnsdist <dnsdist-bounces at mailman.powerdns.com> de la part de dnsdist-request at mailman.powerdns.com <dnsdist-request at mailman.powerdns.com>
Envoyé : samedi 30 janvier 2021 13:00
À : dnsdist at mailman.powerdns.com
Objet : dnsdist Digest, Vol 65, Issue 11

Send dnsdist mailing list submissions to
        dnsdist at mailman.powerdns.com

To subscribe or unsubscribe via the World Wide Web, visit
        https://mailman.powerdns.com/mailman/listinfo/dnsdist
or, via email, send a message with subject or body 'help' to
        dnsdist-request at mailman.powerdns.com

You can reach the person managing the list at
        dnsdist-owner at mailman.powerdns.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dnsdist digest..."

Today's Topics:

   1. Average response latency (SAMI RAHAL)
   2. Re: Average response latency (Jacob Bunk Nielsen)

----------------------------------------------------------------------

Message: 1
Date: Fri, 29 Jan 2021 16:41:57 +0000
From: SAMI RAHAL <Sami.Rahal at topnetpro.tn>
To: "dnsdist at mailman.powerdns.com" <dnsdist at mailman.powerdns.com>
Subject: [dnsdist] Average response latency
Message-ID: <1611938548715.44407 at topnetpro.tn>
Content-Type: text/plain; charset="iso-8859-1"

hello please
is the following result from my dnsdist server within standards? and at the same time I want to know the optimal response time of a dns resolver server

Average response latency: 69.79 msec
   msec
   0.10
   0.20
   0.40    :
   0.80    **********************************************************************
   1.60    ************************
   3.20    :
   6.40    .
  12.80    *
  25.60    :
  51.20    *******************************************
 102.40    **********************
 204.80    **************
 409.60    ************
 819.20    **
1638.40    :

Cordialement, Sami Rahal Service Hosting Direction Technique & SI Si?ge Social TOPNET, Centre Urbain Nord T?l. :71185000 GSM :99 459 812
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20210129/aecd9492/attachment-0001.htm>

------------------------------

Message: 2
Date: Fri, 29 Jan 2021 20:37:51 +0100
From: Jacob Bunk Nielsen <jbn at one.com>
To: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Average response latency
Message-ID: <c36d5052-8ea7-3dbb-18a1-f97b01363dd5 at one.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

On 29/01/2021 17.41, SAMI RAHAL via dnsdist wrote:
> hello please is the following result from my dnsdist server within
> standards? and at the same time I want to know the optimal response
> time of a dns resolver server

What's your setup?

The ~1 ms response times are probably cached responses.

The ~50-500ms response times are probably from backends. You tell us if
that's reasonable for your setup?

Best regards,

Jacob

------------------------------

Subject: Digest Footer

_______________________________________________
dnsdist mailing list
dnsdist at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist

------------------------------

End of dnsdist Digest, Vol 65, Issue 11
***************************************