[dnsdist] Whitelisting IP addresses with XDP filtering

Remi Gacogne remi.gacogne at powerdns.com
Wed Oct 5 08:01:06 UTC 2022


On 05/10/2022 09:30, Pierre Grié via dnsdist wrote:
>> In the meantime you could exclude the range using [1] to make sure that 
>> this is really the root cause of your issue.
> We already identified that dnsdist was the root cause by restarting 
> dnsdist after it inserted the IP in the DynBlock and checking it was 
> truncating new queries even after whitelisting. This led to the BPF 
> map remaining unchanged (the IP was still in it, so queries were 
> supposed to be TC but were whitelisted), and the new queries were not 
> truncated anymore, as the DynBlock was empty on userspace side.


>> We might be able to get rid of that now, or at the very least we should 
>> make it optional.
> That would really be a time-saver for us!

I opened a feature request ticket to track this at [1]. I tentatively 
set the milestone to 1.8.0 but I'm not sure I will have the time to look 
into this quickly.
If you, or someone else, wants to tackle it and open a pull request I 
think the second option I listed in the ticket should be fairly 
straightforward to implement.

[1]: https://github.com/PowerDNS/pdns/issues/12061

Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
