[dnsdist] Whitelisting IP addresses with XDP filtering

Remi Gacogne remi.gacogne at powerdns.com
Tue Oct 4 16:06:00 UTC 2022


Hi Pierre,

On 04/10/2022 17:59, Pierre Grié via dnsdist wrote:
> I am currently working on an XDP BPF filter to work with dnsdist BPF maps 
> which puts the TC bit on packets from incoming IPs flagged by dnsdist, and 
> I am trying to implement a whitelist system with an additional map that 
> would contain IPs we would like to "whitelist" (i.e. which would be 
> allowed to perform UDP queries even when flagged by dnsdist and put in 
> the BPF map with the DNSAction.Truncate action).

Sounds great!

> The whitelisting mechanism works fine by itself, but it seems that when 
> the whitelisted UDP query hits dnsdist after passing through the XDP 
> filter, it is resent with the TC bit, thus forcing the client to retry 
> with TCP. Is the DNSAction also enforced in userspace?

Yes, the current behaviour is to add the rule to the userspace dynamic 
block even when eBPF filtering is enabled. It was initially done to 
prevent the dynamic blocks from being bypassed on some distributions where 
the kernel was pretending that eBPF was working even though it was not.
We might be able to get rid of that now, or at the very least we should 
make it optional.
In the meantime you could exclude the range using [1] to make sure that 
this is really the root cause of your issue.

[1]: 
https://dnsdist.org/reference/config.html#DynBlockRulesGroup:excludeRange

Best,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
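Added example (not from the thread or the dnsdist project): a dnsdist 1.7-style configuration that pairs an external XDP program with a rate-based dynamic block using DNSAction.Truncate, and uses excludeRange so a whitelisted range stays out of both the eBPF map and the userspace dynamic block. Pinned map paths, thresholds and address ranges are placeholders.

```lua
-- Added example, not dnsdist's own code. Assumes the dnsdist 1.7 API:
-- newBPFFilter(v4, v6, qnames, external), setDefaultBPFFilter(),
-- dynBlockRulesGroup(), setQueryRate(), excludeRange(), maintenance().

-- Maps are pinned by the external XDP program; dnsdist only fills them.
local bpf = newBPFFilter(
  { maxItems = 1024, pinnedPath = '/sys/fs/bpf/dnsdist/addr-v4' },  -- placeholder path
  { maxItems = 1024, pinnedPath = '/sys/fs/bpf/dnsdist/addr-v6' },  -- placeholder path
  { maxItems = 1024, pinnedPath = '/sys/fs/bpf/dnsdist/qnames' },   -- placeholder path
  true)  -- external = true: the XDP program is loaded outside dnsdist
setDefaultBPFFilter(bpf)

local dbr = dynBlockRulesGroup()

-- Clients above 30 qps over a 10 s window get truncated answers for 60 s,
-- which pushes them to TCP. With a default BPF filter set, the block is
-- also written to the eBPF map, and (per the thread) to the userspace
-- dynamic block as well.
dbr:setQueryRate(30, 10, 'Exceeded query rate', 60, DNSAction.Truncate)

-- Ranges that must keep UDP even when they exceed the rate (placeholders).
-- Excluding them here keeps them out of the userspace dynamic block, so the
-- XDP-side whitelist map is not undone by dnsdist setting TC itself.
dbr:excludeRange({ '192.0.2.0/24', '2001:db8:1::/48' })

-- dnsdist calls maintenance() roughly once per second.
function maintenance()
  dbr:apply()
end
```

After loading this, `showDynBlocks()` from the console should never list an address inside the excluded ranges, even while the same address is sending above the rate.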
