[dnsdist] Query current config of dynBlockRulesGroup

Ben Kaplan ben.kaplan at redis.com
Thu Aug 24 11:11:33 UTC 2023

Oh, I see why this happens... my bad, sorry.

The conf file used "local dbr = ....". Once I removed the local, I can see
the rule as expected!

On Thu, Aug 24, 2023 at 2:09 PM Ben Kaplan <ben.kaplan at redis.com> wrote:

> That's great info! Thank you, Remi.
> We have rules set by the dnsdist.conf file and we want to be able to query
> the config and change it via the console without restarting.
> > dbr:toString()
> works perfectly if the dbr object was also created in the console.
> Is there a way to check the dynamic config that was set when the service
> started?
> Regarding the second question, running addDynBlocks from the console will
> *modify* the rules set from configuration files (assuming the existing
> rule expiration is shorter)?
> Thanks again for your help
> On Thu, Aug 24, 2023 at 12:58 PM Remi Gacogne via dnsdist <
> dnsdist at mailman.powerdns.com> wrote:
>> Hi,
>> On 24/08/2023 11:47, Ben Kaplan via dnsdist wrote:
>> >  1. We're searching for how to query the current values of
>> >     dynBlockRulesGroup (using ebpf) via the console.
>> >     Once the rule kicks in we can see the IP blocked and the warning
>> >     message when running "showDynBlocks()".
>> >     However, we can't find any way to query for the actual values and
>> >     rules configured in "function maintenance()".
>> The dynBlockRulesGroup class has a 'toString' method which describes the
>> current configuration [1]. So if you have declared it with, for example:
>> dbr = dynBlockRulesGroup()
>> dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 5, "Exceeded NXD rate", 60)
>> you can later retrieve the current configuration via:
>>  > dbr:toString()
>> Query rate rule:
>> Response rate rule:
>> SuffixMatch rule:
>> RCode rules:
>> - Non-Existent domain: Apply the global DynBlock action for 60 seconds
>> when over 5 during the last 5 seconds, reason: 'Exceeded NXD rate'
>> QType rules:
>> Excluded Subnets:
>> Excluded Domains:
>> >  2. When running "addDynBlocks(addresses, message[, seconds=10[,
>> >     action]])" from the console when dnsdist already has the same rule
>> >     configured, will this create a second rule or modify the value of
>> >     the existing rule?
>> Modify, unless the existing rule was still valid for a longer time than
>> the one you are trying to insert.
>> [1]:
>> https://dnsdist.org/reference/config.html#DynBlockRulesGroup:toString
>> Best regards,
>> --
>> Remi Gacogne
>> PowerDNS.COM BV - https://www.powerdns.com/
>> _______________________________________________
>> dnsdist mailing list
>> dnsdist at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/dnsdist
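
Added example, not part of the original messages and not PowerDNS's own code: a dnsdist.conf fragment showing the scoping issue resolved in this thread, with the local declaration beside the global one. The setQueryRate thresholds are constructed values, and a working console (dnsdist -c) is assumed.

```lua
-- dnsdist.conf fragment (added example; thresholds other than the
-- NXDOMAIN rule quoted in the thread are constructed values)

-- Declaration that hides the object from the console:
--
--   local dbr = dynBlockRulesGroup()
--
-- The configuration file is loaded as a single Lua chunk, so a local
-- is only reachable from code inside that file. maintenance() captures
-- it as an upvalue and the rules keep firing, but each console command
-- is compiled as its own chunk, where "dbr" resolves to a nil global.

-- Global declaration: same behaviour, but reachable from the console.
dbr = dynBlockRulesGroup()

-- Block clients for 60 s when they trigger more than 5 NXDOMAIN
-- responses per second over the last 5 seconds (rule from the thread).
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 5, "Exceeded NXD rate", 60)

-- Constructed second rule: block for 60 s above 30 qps over 10 s.
dbr:setQueryRate(30, 10, "Exceeded query rate", 60)

-- dnsdist calls maintenance() periodically; apply() evaluates the
-- configured rules and inserts or refreshes the dynamic blocks.
function maintenance()
  dbr:apply()
end

-- With the global in place, from the console:
--
--   > dbr:toString()     -- rules configured at startup
--   > showDynBlocks()    -- clients currently blocked, with the reason
--
-- The same object can then be adjusted without a restart, for example
-- by calling dbr:setRCodeRate(...) again, and checked afterwards with
-- dbr:toString().
```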

