[dnsdist] Client query id in the dq-object?
lists at verreckte-cheib.ch
Fri Nov 4 07:02:46 UTC 2022
On 11/3/22 15:38, Otto Moerbeek wrote:
> On Wed, Nov 02, 2022 at 05:19:54PM +0100, Tom via dnsdist wrote:
>> Hi list
>> A few months ago, I asked the question below and wasn't able to find a
>> solution in the meantime. Does someone have a hint how to achieve this?
>> Many thanks in advance.
>> On 7/28/22 11:17, Tom wrote:
>>> Using dnsdist-1.7.2, I'm trying to get the query id from the
>>> client-query, but I can't find the matching parameter in the dq-object.
>>> My goal is to find a specific query-id (ex. 9999) and then use this
>>> (same) specific query-id also for the outbound query from dnsdist to the
>>> backend server.
>>> Any hints how to achieve this?
>>> Many thanks.
> There is no API to get the queryid. It could maybe be added, but
> *setting* the query id for outgoing queries is something else.
> Keeping track of query-id's is a complex problem, think about multiple
> clients, multiple backends, many queries in-flight. This is not
> something to be done from Lua, but a job for dnsdist itself.
> To ask a more general question: what problem are you trying to solve?
Since BIND-9.18.0 there's a feature which turns on query-debugging for
requests with query ID 0
(https://gitlab.isc.org/isc-projects/bind9/-/issues/1851). DIG supports
setting the query ID with "+qid=0". This means querying BIND with
"+qid=0" provides me a debug log of the appropriate query.
So, if a BIND is behind dnsdist, then I'm not able to trigger this
query-debugging via dnsdist, because dnsdist uses random query IDs
against a backend server. A way could be to query BIND directly (without
dnsdist), but perhaps I'm not able to do so (firewall...).
So the idea was to set a dnsdist rule on which I can set the
AllowedDebugSRC (the admin's IP, to prevent that anybody else could
trigger the debug), check the QueryID and then send this kind of
requests to a debug-enabled BIND, which then writes a debug log from the
received query. Something like this:
    -- <qid> stands for the client's query ID, for which the dq object has no field
    AllowedDebugSRC = newNMG()
    if (AllowedDebugSRC:match(dq.remoteaddr) and <qid> == 0) then
        print("Debugging from " .. dq.remoteaddr:toString() ..
              " with query id " .. <qid>)
        return DNSAction.Pool, "bind-querylog"
    end
Thanks a lot.
> If we would have more insight in that, we can maybe suggest an
> alternative approach to solve your problem.
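
Added example, not part of the thread and not dnsdist code: a toy Python model of the query-ID bookkeeping the quoted reply describes, showing why a forwarder picks its own backend-side IDs and what breaks when the client's ID (here 0) is passed through unchanged. The `Forwarder` class, the addresses and the sample query are constructed for illustration.

```python
import secrets
import struct

def query_id(packet: bytes) -> int:
    """Read the 16-bit ID from the first two bytes of a DNS message."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    return struct.unpack("!H", packet[:2])[0]

def with_id(packet: bytes, new_id: int) -> bytes:
    """Return the same message with its ID field replaced."""
    return struct.pack("!H", new_id) + packet[2:]

def make_query(qid: int, name: str = "example.com") -> bytes:
    """Constructed sample: a minimal A/IN query with the given ID."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

class Forwarder:
    """Toy model of one proxy-to-backend socket (not dnsdist's implementation)."""

    def __init__(self, passthrough: bool):
        self.passthrough = passthrough
        self.inflight = {}  # backend-side ID -> (client address, client's ID)

    def forward(self, client, packet: bytes) -> bytes:
        cid = query_id(packet)
        if self.passthrough:
            bid = cid  # reuse the client's ID towards the backend
            if bid in self.inflight:
                raise KeyError(f"ID {bid} already in flight, responses would be ambiguous")
        else:
            bid = secrets.randbelow(65536)  # proxy picks its own ID
            while bid in self.inflight:
                bid = secrets.randbelow(65536)
        self.inflight[bid] = (client, cid)
        return with_id(packet, bid)

    def deliver(self, response: bytes):
        """Match a backend response to its client and restore the client's ID."""
        client, cid = self.inflight.pop(query_id(response))
        return client, with_id(response, cid)

if __name__ == "__main__":
    admin, other = ("192.0.2.10", 5300), ("192.0.2.11", 5301)  # constructed addresses
    proxy = Forwarder(passthrough=False)
    a, b = proxy.forward(admin, make_query(0)), proxy.forward(other, make_query(0))
    print("client ID 0 sent to backend as", query_id(a), "and", query_id(b))
    print("restored for", proxy.deliver(a)[0], "with ID", query_id(proxy.deliver(b)[1]))
```

With rewriting, two clients can both have ID 0 in flight and each gets its own answer back; with pass-through, the second ID 0 cannot be tracked on the same backend socket.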