[dnsdist] [EXT] Re: Dynamic rule NXDomain
Remi Gacogne
remi.gacogne at powerdns.com
Tue Sep 28 13:08:02 UTC 2021
Hi John,
Please keep the discussion on the list, so it can benefit others.
Response inline below.
On 9/23/21 22:46, John Littlekate wrote:
> Your explanation is nice and clear, thank you. I have deleted the
> "QueryRate" rule from the dnsdist config for test purposes and restarted
> the dnsdist daemon, and there is a problem: no rule is applied at all
> for that problem client, even the "DNSRCode.NXDOMAIN" rule is triggered. I
> see no reason why that problem client should not be trapped by the rule.
> The "DNSRCode.NXDOMAIN" rule works fine, because another client is
> sometimes trapped by this rule.
>
> a/n/au: a = the number of answer records, n = the number of name server
> records, au = the number of additional records
>
> I've done some tests to find what is a problem.
>
> If I sent the queries with 'dig', the NXDomain rate rule worked well.
> $ dig -t a imap at somedomain.com @10.53.53.153
>
> If I sent the same queries with 'host', the NXDomain rate rule did not
> work.
> $ host -t a imap at somedomain.com 10.53.53.153
>
> The only difference is "0/1/0 vs 0/1/1" in the responses.
>
> Most probably, there is a problem with EDNS in the responses for the
> NXDomain rate rule. If I run
> $ dig +noedns -t a imap at somedomain.com @10.53.53.153
> the answer is the same as the 'host' answer and the NXDomain rate rule
> does not work.
>
> The same behaviour occurs for the DNSRCode.SERVFAIL dynamic rule. I
> think this is a bug.
I tried your dynamic block configuration on the latest master and I
don't see any issue, the offending client is quickly blocked even when
the queries are sent via dig +noedns. That's not a big surprise to me
since we don't parse the content of the response in the dynamic block
code, we only look at the response code, so I guess there is something
else at play here. Would you mind providing your full configuration?
Please be aware that we need to have enough queries and responses in our
ring buffers to get consistent results, as described by Denis Machard in
[1]. Perhaps that might be your issue?
[1]:
https://mailman.powerdns.com/pipermail/dnsdist/2021-September/001111.html
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
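For readers following the thread, here is an added dnsdist configuration example (not the configuration posted by either participant) that sizes the ring buffers before defining response-code dynamic block rules, which is the ordering Remi's reply points at. The thresholds, the block duration, the ring buffer size and the excluded network range are hypothetical values chosen for illustration; the dynamic block rules count responses by rcode taken from the ring buffers, so the presence or absence of EDNS in those responses plays no part in the decision.

```lua
-- Added example, not from the thread: dynamic block rules on NXDOMAIN / ServFail rate.

-- The dynamic block code looks at the queries and responses kept in the in-memory
-- ring buffers. If the buffers are smaller than the traffic seen during the rate
-- window, old entries are overwritten and the per-client counts come out short.
-- The default (10000 entries) is easily too small for a busy resolver, so size
-- the buffers first. 100000 is a hypothetical value; pick one that covers at
-- least the busiest window you expect to evaluate.
setRingBuffersSize(100000)

local dbr = dynBlockRulesGroup()

-- setRCodeRate(rcode, rate, seconds, reason, blockDuration [, action])
-- Block a client that received more than 20 NXDOMAIN answers in a 10 second
-- window, for 60 seconds (hypothetical thresholds).
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXDOMAIN rate", 60)

-- The same rule shape for ServFail, which the thread reports behaving identically.
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)

-- Trusted internal range that should never be dynamically blocked (hypothetical).
dbr:excludeRange("10.0.0.0/8")

-- maintenance() is invoked by dnsdist roughly once per second; apply() walks the
-- ring buffers and installs blocks for clients over threshold.
function maintenance()
  dbr:apply()
end
```

To confirm a rule fired, run `showDynBlocks()` from the dnsdist console after sending the offending traffic: it lists the blocked client, the reason string given above and the remaining block time. If a known-bad client never appears there while a quieter client does, check the ring buffer size against the query rate of the busy client before looking for a bug in the rule itself.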