[dnsdist] [EXT] XDP/eBPF blocking (was dnsdist 1.7.0 released)
Remi Gacogne
remi.gacogne at powerdns.com
Tue Jan 18 09:03:44 UTC 2022
Hi Klaus,
On 17/01/2022 21:05, Klaus Darilion wrote:
>> Pierre Grié from Nameshield contributed an XDP program to reply to
>> blocked UDP queries with a truncated response directly from the
>> kernel, in a similar way to what we were already doing using eBPF
>> socket filters. This version adds support for eBPF pinned maps,
>> allowing dnsdist to populate the maps using our dynamic blocking
>> mechanism, and letting the external XDP program do the actual
>> blocking or response.
>
> How does this work in detail? If example.com is on these lists
> (filtering or truncate response), will it block also www.example.com
> (and other subdomains) or only exactly the name on the list?
I'm afraid the current XDP program would only block the exact name on
the list. Now that the actual program can live outside of dnsdist it
would be easier to write a new XDP program doing suffix matching, but
no-one has done so yet. The main issue was that we wanted to keep our
eBPF code working on older kernels where the number of eBPF instructions
is very limited, but it would be very fine for an external XDP program
to target newer kernels only. I would be happy to merge such a program
in our "contrib" directory :-)
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
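To make the exact-match versus suffix-match distinction above concrete, here is an added user-space C illustration (not dnsdist's, Nameshield's, or the XDP program's own code): a constructed blocklist keyed by wire-format qname, the exact lookup the current program performs, and the bounded label-stripping loop a suffix-matching program would need. The blocklist structure, sample names and the MAX_LABELS bound are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 8  /* assumed fixed loop bound, as an eBPF verifier would require */

/* Constructed stand-in for a pinned map keyed by the full wire-format qname. */
struct blocklist {
    const uint8_t *names[4];
    size_t lens[4];
    size_t count;
};

/* Exact-match lookup: only the key as stored (e.g. "example.com") hits. */
static bool exact_match(const struct blocklist *bl, const uint8_t *qname, size_t qlen)
{
    for (size_t i = 0; i < bl->count; i++)
        if (bl->lens[i] == qlen && memcmp(bl->names[i], qname, qlen) == 0)
            return true;
    return false;
}

/* Suffix match: strip one leading label at a time and retry the exact lookup,
 * so "www.example.com" hits a list entry for "example.com". */
static bool suffix_match(const struct blocklist *bl, const uint8_t *qname, size_t qlen)
{
    size_t off = 0;
    for (int i = 0; i < MAX_LABELS && off < qlen; i++) {
        if (exact_match(bl, qname + off, qlen - off))
            return true;
        uint8_t lablen = qname[off];
        if (lablen == 0 || (lablen & 0xC0) != 0)  /* root label or compression pointer */
            break;
        off += 1 + lablen;
    }
    return false;
}

/* Constructed sample list: "example.com" in wire format (13 bytes incl. root label). */
static const uint8_t EXAMPLE_COM[] = "\7example\3com";
static struct blocklist sample_blocklist(void)
{
    struct blocklist bl = { .count = 1 };
    bl.names[0] = EXAMPLE_COM;
    bl.lens[0] = sizeof(EXAMPLE_COM);
    return bl;
}

int main(void)
{
    struct blocklist bl = sample_blocklist();
    const uint8_t www[] = "\3www\7example\3com";  /* constructed query name */
    printf("exact: %d, suffix: %d\n", exact_match(&bl, www, sizeof(www)),
           suffix_match(&bl, www, sizeof(www)));  /* prints "exact: 0, suffix: 1" */
    return 0;
}
```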