[dnsdist] Whitelisting IP addresses with XDP filtering

Pierre Grié pierre.grie at nameshield.net
Tue Oct 4 15:59:31 UTC 2022


I am currently working on an XDP BPF filter to work with dnsdist BPF maps 
which puts the TC bit on packets from incoming IPs flagged by dnsdist, and 
I am trying to implement a whitelist system with an additional map that 
would contain IPs we would like to "whitelist" (i.e. which would be 
allowed to perform UDP queries even when flagged by dnsdist and put in 
the BPF map with the DNSAction.Truncate action).

The whitelisting mechanism works fine by itself, but it seems that when 
the whitelisted UDP query hits dnsdist after passing through the XDP 
filter, it is resent with the TC bit, thus forcing the client to retry 
with TCP. Is the DNSAction also enforced in userspace?
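
The lookup order described in the message, as a userspace C model added here (not part of the original post and not dnsdist's own XDP code): plain arrays stand in for the two BPF maps, and every name, address and packet byte is constructed for illustration. The reply path of a real XDP program (address and port swap, checksum, XDP_TX) is omitted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Userspace model (constructed): arrays stand in for the BPF maps. */
enum verdict { PASS_TO_DNSDIST, TRUNCATED_REPLY };
struct v4_set { const uint32_t *addrs; size_t count; };

static int set_contains(const struct v4_set *s, uint32_t ip) {
    for (size_t i = 0; i < s->count; i++)
        if (s->addrs[i] == ip) return 1;
    return 0;
}

/* Turn a DNS query into a truncated response in place: byte 2 of the
 * DNS header carries the QR (0x80) and TC (0x02) flags. */
static int set_tc(uint8_t *dns, size_t len) {
    if (len < 12) return -1;            /* shorter than a DNS header */
    dns[2] |= 0x80 | 0x02;
    return 0;
}

/* The whitelist is consulted first, so a source that is both flagged and
 * whitelisted is handed to userspace with its query untouched. */
enum verdict filter_udp_query(const struct v4_set *whitelist,
                              const struct v4_set *flagged,
                              uint32_t src_ip, uint8_t *dns, size_t len) {
    if (set_contains(whitelist, src_ip)) return PASS_TO_DNSDIST;
    if (set_contains(flagged, src_ip) && set_tc(dns, len) == 0) return TRUNCATED_REPLY;
    return PASS_TO_DNSDIST;             /* not flagged, or too short to rewrite */
}

/* Constructed sample data: documentation addresses in host byte order. */
static const uint32_t WL[] = { 0xC0000205u };               /* 192.0.2.5 */
static const uint32_t FL[] = { 0xC0000205u, 0xC6336407u };  /* + 198.51.100.7 */
static const uint8_t QUERY_HDR[12] = { 0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0 };

/* Returns the DNS flags byte after filtering a copy of the sample query. */
int flags_after_filter(uint32_t src_ip) {
    uint8_t pkt[12];
    const struct v4_set wl = { WL, 1 }, fl = { FL, 2 };
    memcpy(pkt, QUERY_HDR, sizeof pkt);
    filter_udp_query(&wl, &fl, src_ip, pkt, sizeof pkt);
    return pkt[2];
}

int main(void) { return flags_after_filter(0xC0000205u) == 0x01 ? 0 : 1; }
```
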

