[dnsdist] Client query id in the dq-object?

Tom lists at verreckte-cheib.ch
Fri Nov 4 07:02:46 UTC 2022



On 11/3/22 15:38, Otto Moerbeek wrote:
> On Wed, Nov 02, 2022 at 05:19:54PM +0100, Tom via dnsdist wrote:
> 
>> Hi list
>>
>> A few months ago, I asked the question below and wasn't able to find a
>> solution in the meantime. Does someone have a hint how to achieve this?
>>
>> Many thanks in advance.
>> Tom
>>
>>
>> On 7/28/22 11:17, Tom wrote:
>>> Hi
>>>
>>> Using dnsdist-1.7.2, I'm trying to get the query id from the
>>> client-query, but I can't find the matching parameter in the dq-object.
>>> My goal is to find a specific query-id (ex. 9999) and then use this
>>> (same) specific query-id also for the outbound query from dnsdist to the
>>> backend server.
>>>
>>> Any hints how to achieve this?
>>>
>>> Many thanks.
>>> Tom
> 
> There is no API to get the queryid. It could maybe be added, but
> *setting* the query id for outgoing queries is something else.
> 
> Keeping track of query-ids is a complex problem, think about multiple
> clients, multiple backends, many queries in-flight. This is not
> something to be done from Lua, but a job for dnsdist itself.
> 
> To ask a more general question: what problem are you trying to solve?

Since BIND-9.18.0 there's a feature which turns on query-debugging for 
requests with query ID 0 
(https://gitlab.isc.org/isc-projects/bind9/-/issues/1851). DIG supports 
setting the query ID with "+qid=0". This means querying BIND with 
"+qid=0" provides me a debug log of the appropriate query.

So, if a BIND is behind dnsdist, then I'm not able to trigger this 
query-debugging via dnsdist, because dnsdist uses random query IDs 
against a backend server. A way could be to query BIND directly (without 
dnsdist), but perhaps I'm not able to do so (firewall...).

So the idea was to set a dnsdist rule on which I can set the 
AllowedDebugSRC (the admin's IP, to prevent anybody else from 
triggering the debug), check the QueryID and then send these kinds of 
requests to a debug-enabled BIND, which then writes a debug log from the 
received query. Something like this:


AllowedDebugSRC = newNMG()
AllowedDebugSRC:addMask("1.2.3.4/32")
function qidlog(dq)
         if(AllowedDebugSRC:match(dq.remoteaddr) and <qid> == 0) then
                 print("Debugging from " .. dq.remoteaddr:toString() .. " with query id " .. <qid>)
                 return DNSAction.Pool, "bind-querylog"
         end
end
addAction(AllRule(), LuaAction(qidlog))

Thanks a lot.
Tom


> 
> If we would have more insight in that, we can maybe suggest an
> alternative approach to solve your problem.
> 
> 	-Otto
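
The matching step of the rule sketched in this message, modelled in Python as an added example (not code from the post or from dnsdist): it reads the query ID from the first two bytes of the DNS header and selects the debug pool only when the ID is 0 and the source is inside the allowed netmask. The netmask and pool name are the ones from the post; the function names and the sample query are constructed for illustration. It covers the match only and does not carry the ID through to the backend.

```python
import ipaddress
import struct

# Values taken from the sketch in the post.
ALLOWED_DEBUG_SRC = [ipaddress.ip_network("1.2.3.4/32")]
DEBUG_POOL = "bind-querylog"
DEBUG_QID = 0


def query_id(packet: bytes) -> int:
    """Return the ID of a DNS query, read from the 12-byte header (RFC 1035, 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags = struct.unpack("!HH", packet[:4])
    if flags & 0x8000:  # QR bit set: this is a response, not a query
        raise ValueError("not a query")
    return qid


def select_pool(src: str, packet: bytes):
    """Hypothetical model of qidlog(): both the source and the ID must match."""
    try:
        qid = query_id(packet)
    except ValueError:
        return None  # malformed input never reaches the debug pool
    addr = ipaddress.ip_address(src)
    # An IPv6 source is simply "not contained" in an IPv4 netmask.
    if qid == DEBUG_QID and any(addr in net for net in ALLOWED_DEBUG_SRC):
        return DEBUG_POOL
    return None  # fall through to the normal rules


def build_query(qid: int, name: str) -> bytes:
    """Constructed sample input: a minimal A/IN query with the RD flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    for src, qid in [("1.2.3.4", 0), ("1.2.3.5", 0), ("1.2.3.4", 9999)]:
        print(src, qid, select_pool(src, build_query(qid, "example.com")))
```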

