[dnsdist] [EXT] XDP/eBPF blocking (was dnsdist 1.7.0 released)

Remi Gacogne remi.gacogne at powerdns.com
Tue Jan 18 09:03:44 UTC 2022


Hi Klaus,

On 17/01/2022 21:05, Klaus Darilion wrote:
>> Pierre Grié from Nameshield contributed an XDP program to reply to 
>> blocked UDP queries with a truncated response directly from the
>> kernel, in a similar way to what we were already doing using eBPF
>> socket filters. This version adds support for eBPF pinned maps,
>> allowing dnsdist to populate the maps using our dynamic blocking
>> mechanism, and letting the external XDP program do the actual
>> blocking or response.
> 
> How does this work in detail? If example.com is on these lists
> (filtering or truncate response), will it block also www.example.com
> (and other subdomains) or only exactly the name on the list?

I'm afraid the current XDP program would only block the exact name on 
the list. Now that the actual program can live outside of dnsdist it 
would be easier to write a new XDP program doing suffix matching, but 
no-one has done so yet. The main issue was that we wanted to keep our 
eBPF code working on older kernels where the number of eBPF instructions 
is very limited, but it would be very fine for an external XDP program 
to target newer kernels only. I would be happy to merge such a program 
in our "contrib" directory :-)

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
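To make the difference Remi describes concrete, here is an added example (not dnsdist code and not an XDP program) that models, in plain user-space C, the two matching rules over DNS wire-format query names: the exact-label match the current program does, and the label-wise suffix match a new XDP program would need so that a blocked example.com also covers www.example.com. The sample names are constructed inline; the bounded, index-based loops and the rejection of compression pointers mirror what an XDP version would have to do, and the case-folding of labels is a design choice of this example (DNS names compare case-insensitively), not something the thread specifies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire-format name limits from RFC 1035: 255 bytes, at most 127 non-root labels. */
#define MAX_NAME_LEN 255
#define MAX_LABELS   127

struct dns_name {
    const uint8_t *wire;            /* start of the name in the packet buffer */
    uint8_t label_off[MAX_LABELS];  /* offset of each label's first data byte */
    uint8_t label_len[MAX_LABELS];  /* length of each label */
    int nlabels;                    /* number of non-root labels */
};

/* Parse an uncompressed wire-format name into label offsets.
 * Returns 0 on success, -1 if the name is truncated, overlong, or uses a
 * compression pointer (top bits 11), which a question-section name must not. */
static int parse_name(const uint8_t *buf, size_t len, struct dns_name *out)
{
    size_t pos = 0;
    out->wire = buf;
    out->nlabels = 0;
    for (int i = 0; i <= MAX_LABELS; i++) {        /* bounded loop, as eBPF needs */
        if (pos >= len || pos >= MAX_NAME_LEN) return -1;
        uint8_t l = buf[pos];
        if (l == 0) return 0;                       /* root label: done */
        if (l & 0xC0) return -1;                    /* pointer or reserved bits */
        if (pos + 1 + l > len) return -1;           /* label runs past the buffer */
        if (out->nlabels >= MAX_LABELS) return -1;
        out->label_off[out->nlabels] = (uint8_t)(pos + 1);
        out->label_len[out->nlabels] = l;
        out->nlabels++;
        pos += 1 + l;
    }
    return -1;
}

static uint8_t lower(uint8_t c) { return (c >= 'A' && c <= 'Z') ? (uint8_t)(c + 32) : c; }

/* Compare label ia of a with label ib of b, ASCII case-insensitively. */
static int label_eq(const struct dns_name *a, int ia, const struct dns_name *b, int ib)
{
    if (a->label_len[ia] != b->label_len[ib]) return 0;
    for (int k = 0; k < a->label_len[ia]; k++)
        if (lower(a->wire[a->label_off[ia] + k]) != lower(b->wire[b->label_off[ib] + k]))
            return 0;
    return 1;
}

/* Exact match: same number of labels and every label equal.
 * Returns 1 if blocked, 0 if not, -1 if either name is malformed. */
int check_exact(const uint8_t *q, size_t qlen, const uint8_t *b, size_t blen)
{
    struct dns_name qn, bn;
    if (parse_name(q, qlen, &qn) || parse_name(b, blen, &bn)) return -1;
    if (qn.nlabels != bn.nlabels) return 0;
    for (int i = 0; i < qn.nlabels; i++)
        if (!label_eq(&qn, i, &bn, i)) return 0;
    return 1;
}

/* Suffix match on whole labels: the blocked name must equal the trailing
 * labels of the query, so example.com covers www.example.com but not
 * notexample.com. An entry with zero labels (the root) would match everything. */
int check_suffix(const uint8_t *q, size_t qlen, const uint8_t *b, size_t blen)
{
    struct dns_name qn, bn;
    if (parse_name(q, qlen, &qn) || parse_name(b, blen, &bn)) return -1;
    if (bn.nlabels > qn.nlabels) return 0;
    int skip = qn.nlabels - bn.nlabels;
    for (int i = 0; i < bn.nlabels; i++)
        if (!label_eq(&qn, skip + i, &bn, i)) return 0;
    return 1;
}

/* Constructed sample names. The string literal's terminating NUL doubles as
 * the root label, and adjacent literals keep hex escapes from swallowing
 * following letters (e.g. "\x07e" would otherwise be read as 0x7e). */
static const uint8_t B_EXAMPLE_COM[]       = "\x07" "example" "\x03" "com";
static const uint8_t Q_EXAMPLE_COM[]       = "\x07" "example" "\x03" "com";
static const uint8_t Q_WWW_EXAMPLE_COM[]   = "\x03" "www" "\x07" "example" "\x03" "com";
static const uint8_t Q_NOTEXAMPLE_COM[]    = "\x0a" "notexample" "\x03" "com";
static const uint8_t Q_EXAMPLE_COM_UPPER[] = "\x07" "EXAMPLE" "\x03" "COM";
static const uint8_t Q_COMPRESSED[]        = "\x03" "www" "\xC0" "\x0C";  /* pointer: reject */

int main(void)
{
#define CHK(fn, q) printf("%-12s %-20s -> %d\n", #fn, #q, fn(q, sizeof(q), B_EXAMPLE_COM, sizeof(B_EXAMPLE_COM)))
    CHK(check_exact,  Q_EXAMPLE_COM);
    CHK(check_exact,  Q_WWW_EXAMPLE_COM);
    CHK(check_suffix, Q_WWW_EXAMPLE_COM);
    CHK(check_suffix, Q_NOTEXAMPLE_COM);
    CHK(check_suffix, Q_EXAMPLE_COM_UPPER);
    CHK(check_exact,  Q_COMPRESSED);
    return 0;
}
```

The practical points for anyone writing the suffix-matching XDP program Remi invites: match label by label rather than on raw byte suffixes (otherwise notexample.com falls under example.com), fold case before comparing, and treat a compression pointer in the question name as malformed rather than following it, since the eBPF verifier will not accept unbounded pointer chasing anyway.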