[dnsdist] dnsdist and PROXYv2 testing - accepting TCP connections when an upstream server is available
Remi Gacogne
remi.gacogne at powerdns.com
Mon Jan 31 17:05:48 UTC 2022
Hi Oto,

On 31/01/2022 16:50, Oto Šťáva via dnsdist wrote:
> firstly, I want to thank everyone involved for making dnsdist available,
> it has helped me greatly these past few weeks with implementing and
> testing support for the PROXYv2 protocol in Knot Resolver [1] here at
> CZ.NIC.

That's very good news, thanks!

> I have been looking through the dnsdist docs and what I am looking for
> is probably currently not available, but I would like to ask first
> before deciding on what to do next: Is there a way to make dnsdist
> refuse all TCP connections while there are no upstream servers
> available?

I'm afraid there is not. The reason why is that dnsdist supports
multiple pools of servers, and queries can be routed to a different pool
based on their provenance and/or content, so we cannot really know
beforehand whether we will be able to handle a TCP connection or not. We
could even be able to serve some queries but not others sent on the same
TCP connection, depending on the configured rules.

> If not, do you have any suggestions on how to properly detect
> dnsdist's readiness?

If you already track the state of the backends and can wait until they
are actually ready before starting the test, you might be able to get
away with simply disabling health-checking in dnsdist by setting the
server status to 'Up' [1].

Otherwise the more reliable way to do that would be to use the REST API
[2] to get the status of the pool you are interested in, but that would
require writing a bit of dnsdist-specific code which is not great in
your case.

Would sending an actual UDP query be a possibility? You could then
detect the availability by checking that you get either a response
(default) or a non-servfail answer (if you set
setServFailWhenNoServer(true) [3]).

[1]: https://dnsdist.org/reference/config.html?highlight=setup#Server:setUp
[2]: https://dnsdist.org/guides/webserver.html?highlight=api#get--api-v1-servers-localhost-pool?name=pool-name
[3]: https://dnsdist.org/guides/serverselection.html#setServFailWhenNoServer

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
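
Added example, not part of the original message and not dnsdist or Knot Resolver code: a test-harness readiness probe built on the UDP query suggested above, covering both the default case (any response counts) and the setServFailWhenNoServer(true) case (SERVFAIL means not ready). The function names, timeouts and the sample reply are assumptions made for illustration; in SERVFAIL mode it also assumes the probed name is one the backend itself does not answer with SERVFAIL.

```python
import random
import socket
import struct
import time

SERVFAIL = 2  # DNS RCODE returned when setServFailWhenNoServer(true) is set

def build_query(qname, qid):
    """Minimal DNS query: one question, QTYPE=A, QCLASS=IN, RD set."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))

def is_ready(reply, qid, servfail_mode=False):
    """Default mode: any response matching our query ID means ready.
    servfail_mode: a SERVFAIL response means no backend is available."""
    if reply is None or len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return False
    return not (servfail_mode and (flags & 0x000F) == SERVFAIL)

def probe(addr, qname, servfail_mode=False, timeout=0.5):
    """Send one UDP query to dnsdist at addr and classify the outcome."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            s.send(build_query(qname, qid))
            reply = s.recv(4096)
        except OSError:  # timeout (no answer) or ICMP port unreachable
            reply = None
    return is_ready(reply, qid, servfail_mode)

def wait_until_ready(addr, qname, servfail_mode=False, deadline=10.0):
    """Poll until a probe succeeds or the deadline passes."""
    end = time.monotonic() + deadline
    while time.monotonic() < end:
        if probe(addr, qname, servfail_mode):
            return True
        time.sleep(0.1)
    return False

def sample_reply(qid, rcode):
    """Constructed reply header (QR, RD, RA set) for offline checks."""
    return struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, 0)
```

A harness would call wait_until_ready(("127.0.0.1", 5300), "example.com.") before opening its TCP connections; that address and name are placeholders.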