From larry at wapnitsky.com Sat Jun 3 07:00:02 2023
From: larry at wapnitsky.com (Larry Wapnitsky)
Date: Sat, 3 Jun 2023 03:00:02 -0400
Subject: [dnsdist] MAC addresses being grouped downstream
Message-ID:

I'm using dnsdist to route my clients based on subnet as to whether or not
they should be using my pihole server for adblocking. Overall, this works
great, but I'm noticing that pihole groups all queries by client to a
single MAC address, that of the dnsdist server. Is there a way to break
this out before it goes to the pihole server?

My dnsdist config:

setLocal('10.150.33.102')
addLocal('[2001:470:e1eb:33::102]:53')

webserver("10.150.33.102:8083")
setWebserverConfig({acl="10.150.0.0/8"})
setWebserverConfig({password='$scrypt$ln=10,p=1,r=***='})

addACL('10.150.0.0/8')
addACL('2001:470:e1eb::0/48')

setECSOverride(true)
setECSSourcePrefixV4(32)

newServer({address="10.150.33.5", name="ns1", pool="default", qps=1, useClientSubnet=true})
newServer({address="10.150.33.6", name="ns2", qps=1, pool="default", useClientSubnet=true})
newServer({address="10.150.33.7", name="ns3", pool="default", qps=1, useClientSubnet=true})

newServer({address="10.150.33.15", name="ns1_auth", pool="auth", checkName="wapnet.local.lan"})
newServer({address="2001:470:#", name="ns1_auth", pool="auth", checkName="wapnet.local.lan"})
newServer({address="10.150.33.16", name="ns2_auth", pool="auth", checkName="wapnet.local.lan"})
newServer({address="2001:470:#", name="ns1_auth", pool="auth", checkName="wapnet.local.lan"})
newServer({address="10.150.33.17", name="ns3_auth", pool="auth", checkName="wapnet.local.lan"})
newServer({address="2001:470:#", name="ns1_auth", pool="auth", checkName="wapnet.local.lan"})

newServer({address="10.150.33.3:53", name="pihole", pool="pihole", useClientSubnet=true, checkInterval=3600})

adblock_ips=newNMG()
adblock_ips:addMask('10.150.222.0/24')
adblock_ips:addMask('10.150.12.0/24')
adblock_ips:addMask('10.150.11.0/24')
adblock_ips:addMask('10.150.66.0/24')
adblock_ips:addMask('2001:470:e1eb:66::/64')
adblock_ips:addMask('10.150.100.0/24')
adblock_ips:addMask('2001:470:e1eb:100::/64')
adblock_ips:addMask('10.150.99.0/24')
adblock_ips:addMask('10.150.33.1/32')
adblock_ips:addMask('10.150.33.211/32')
adblock_ips:addMask('10.150.33.212/32')
addAction(NetmaskGroupRule(adblock_ips), PoolAction('pihole'))

addAction({'wapnet.local.lan'}, PoolAction("auth"))

addAction(AllRule(), PoolAction('default'))

-- setServerPolicy(firstAvailable)
setServerPolicy(whashed)

Larry G. Wapnitsky
E: Larry at Wapnitsky.com
Web: Larry.Wapnitsky.com

From winfried.angele at gmail.com Sat Jun 3 08:30:44 2023
From: winfried.angele at gmail.com (Winfried Angele)
Date: Sat, 03 Jun 2023 10:30:44 +0200
Subject: [dnsdist] MAC addresses being grouped downstream
In-Reply-To:
References:
Message-ID: <8965B28A-7C5F-4BC4-85BC-C8F96030829B@gmail.com>

Hi Larry,

I've no experience with pihole, but I read it supports ECS. Maybe one
solution could be to use the client IP passed with ECS to pihole. See here
https://dnsdist.org/advanced/passing-source-address.html

Winfried

On 3 June 2023 09:00:02 CEST, Larry Wapnitsky via dnsdist wrote:
>I'm using dnsdist to route my clients based on subnet as to whether or not
>they should be using my pihole server for adblocking. Overall, this works
>great, but I'm noticing that pihole groups all queries by client to a
>single MAC address, that of the dnsdist server. Is there a way to break
>this out before it goes to the pihole server?
>
>My dnsdist config:
>
>setLocal('10.150.33.102')
>addLocal('[2001:470:e1eb:33::102]:53')
>
>
>webserver("10.150.33.102:8083")
>setWebserverConfig({acl="10.150.0.0/8"})
>setWebserverConfig({password='$scrypt$ln=10,p=1,r=***='})
>
>addACL('10.150.0.0/8')
>addACL('2001:470:e1eb::0/48')
>
>setECSOverride(true)
>setECSSourcePrefixV4(32)
>
>newServer({address="10.150.33.5", name="ns1", pool="default", qps=1,
>useClientSubnet=true})
>newServer({address="10.150.33.6", name="ns2", qps=1, pool="default",
>useClientSubnet=true})
>newServer({address="10.150.33.7", name="ns3", pool="default", qps=1,
>useClientSubnet=true})
>
>
>newServer({address="10.150.33.15", name="ns1_auth", pool="auth",
>checkName="wapnet.local.lan"})
>newServer({address="2001:470:#", name="ns1_auth", pool="auth",
>checkName="wapnet.local.lan"})
>newServer({address="10.150.33.16", name="ns2_auth", pool="auth",
>checkName="wapnet.local.lan"})
>
>newServer({address="2001:470:#", name="ns1_auth", pool="auth",
>checkName="wapnet.local.lan"})
>newServer({address="10.150.33.17", name="ns3_auth", pool="auth",
>checkName="wapnet.local.lan"})
>newServer({address="2001:470:#", name="ns1_auth", pool="auth",
>checkName="wapnet.local.lan"})
>
>newServer({address="10.150.33.3:53", name="pihole", pool="pihole",
>useClientSubnet=true,checkInterval=3600})
>
>adblock_ips=newNMG()
>adblock_ips:addMask('10.150.222.0/24')
>adblock_ips:addMask('10.150.12.0/24')
>adblock_ips:addMask('10.150.11.0/24')
>adblock_ips:addMask('10.150.66.0/24')
>adblock_ips:addMask('2001:470:e1eb:66::/64')
>adblock_ips:addMask('10.150.100.0/24')
>adblock_ips:addMask('2001:470:e1eb:100::/64')
>adblock_ips:addMask('10.150.99.0/24')
>adblock_ips:addMask('10.150.33.1/32')
>adblock_ips:addMask('10.150.33.211/32')
>adblock_ips:addMask('10.150.33.212/32')
>addAction(NetmaskGroupRule(adblock_ips), PoolAction('pihole'))
>
>
>
>addAction({'wapnet.local.lan'}, PoolAction("auth"))
>
>
>addAction(AllRule(), PoolAction('default'))
>
>-- setServerPolicy(firstAvailable)
>setServerPolicy(whashed)
>
>
>
>Larry G. Wapnitsky
>
>
>E: Larry at Wapnitsky.com
>Web: Larry.Wapnitsky.com

From larry at wapnitsky.com Sat Jun 3 14:32:26 2023
From: larry at wapnitsky.com (Larry Wapnitsky)
Date: Sat, 3 Jun 2023 10:32:26 -0400
Subject: [dnsdist] MAC addresses being grouped downstream
In-Reply-To:
References:
Message-ID:

I've already configured ECS, as you suggested, in my existing
configuration, but that's not working.

Larry G. Wapnitsky
E: Larry at Wapnitsky.com
Web: Larry.Wapnitsky.com

On Sat, Jun 3, 2023 at 3:00 AM Larry Wapnitsky wrote:
> I'm using dnsdist to route my clients based on subnet as to whether or not
> they should be using my pihole server for adblocking. Overall, this works
> great, but I'm noticing that pihole groups all queries by client to a
> single MAC address, that of the dnsdist server. Is there a way to break
> this out before it goes to the pihole server?
>
> My dnsdist config:
>
> setLocal('10.150.33.102')
> addLocal('[2001:470:e1eb:33::102]:53')
>
>
> webserver("10.150.33.102:8083")
> setWebserverConfig({acl="10.150.0.0/8"})
> setWebserverConfig({password='$scrypt$ln=10,p=1,r=***='})
>
> addACL('10.150.0.0/8')
> addACL('2001:470:e1eb::0/48')
>
> setECSOverride(true)
> setECSSourcePrefixV4(32)
>
> newServer({address="10.150.33.5", name="ns1", pool="default", qps=1,
> useClientSubnet=true})
> newServer({address="10.150.33.6", name="ns2", qps=1, pool="default",
> useClientSubnet=true})
> newServer({address="10.150.33.7", name="ns3", pool="default", qps=1,
> useClientSubnet=true})
>
>
> newServer({address="10.150.33.15", name="ns1_auth", pool="auth",
> checkName="wapnet.local.lan"})
> newServer({address="2001:470:#", name="ns1_auth", pool="auth",
> checkName="wapnet.local.lan"})
> newServer({address="10.150.33.16", name="ns2_auth", pool="auth",
> checkName="wapnet.local.lan"})
>
> newServer({address="2001:470:#", name="ns1_auth", pool="auth",
> checkName="wapnet.local.lan"})
> newServer({address="10.150.33.17", name="ns3_auth", pool="auth",
> checkName="wapnet.local.lan"})
> newServer({address="2001:470:#", name="ns1_auth", pool="auth",
> checkName="wapnet.local.lan"})
>
> newServer({address="10.150.33.3:53", name="pihole", pool="pihole",
> useClientSubnet=true,checkInterval=3600})
>
> adblock_ips=newNMG()
> adblock_ips:addMask('10.150.222.0/24')
> adblock_ips:addMask('10.150.12.0/24')
> adblock_ips:addMask('10.150.11.0/24')
> adblock_ips:addMask('10.150.66.0/24')
> adblock_ips:addMask('2001:470:e1eb:66::/64')
> adblock_ips:addMask('10.150.100.0/24')
> adblock_ips:addMask('2001:470:e1eb:100::/64')
> adblock_ips:addMask('10.150.99.0/24')
> adblock_ips:addMask('10.150.33.1/32')
> adblock_ips:addMask('10.150.33.211/32')
> adblock_ips:addMask('10.150.33.212/32')
> addAction(NetmaskGroupRule(adblock_ips), PoolAction('pihole'))
>
>
>
> addAction({'wapnet.local.lan'}, PoolAction("auth"))
>
>
> addAction(AllRule(), PoolAction('default'))
>
> -- setServerPolicy(firstAvailable)
> setServerPolicy(whashed)
>
>
>
> Larry G. Wapnitsky
>
>
> E: Larry at Wapnitsky.com
> Web: Larry.Wapnitsky.com

From bortzmeyer at nic.fr Mon Jun 12 12:44:15 2023
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Mon, 12 Jun 2023 14:44:15 +0200
Subject: [dnsdist] Some statistics I would like to have
Message-ID:

I'm wondering about the average number of DNS queries per DoT/DoH
connection (to see if the setup "cost" is amortized over enough
requests). I do not find something like that in the output of
dumpStats (I have the number of queries but not the number of
connections). Any idea?

Also, the Web interface tells me:

Average response time: [...] DoT 357.45 ms, DoH 531.12 ms

I assumed, maybe wrongly, that this response time depended on the
time required to fetch the response and so was the same for DoT and
DoH. Why not?

From remi.gacogne at powerdns.com Tue Jun 13 08:23:26 2023
From: remi.gacogne at powerdns.com (Remi Gacogne)
Date: Tue, 13 Jun 2023 10:23:26 +0200
Subject: [dnsdist] Some statistics I would like to have
In-Reply-To:
References:
Message-ID: <726b1a49-4142-2827-6777-2d57cc18abdb@powerdns.com>

Hi Stéphane,

On 12/06/2023 14:44, Stephane Bortzmeyer via dnsdist wrote:
> I'm wondering about the average number of DNS queries per DoT/DoH
> connection (to see if the setup "cost" is amortized over enough
> requests). I do not find something like that in the output of
> dumpStats (I have the number of queries but not the number of
> connections). Any idea?

You should be able to find what you are looking for in the output of
"showTCPStats()".

> Also, the Web interface tells me:
> Average response time: [...] DoT 357.45 ms, DoH 531.12 ms
> I assumed, maybe wrongly, that this response time depended on the
> time required to fetch the response and so was the same for DoT and
> DoH. Why not?
The response time is computed from the moment we received the query from
the client until after the response has been sent, so while this is usually
indeed pretty much equal to the time required to fetch the response, it
also records the time needed for internal processing, and there might be
some differences between protocols.

But more importantly, dnsdist forwards queries received over DoH using UDP,
while queries received over DoT are forwarded over TCP, unless the backend
has been configured as TCP-only, DoT or DoH. So it might be why you are
seeing a difference, although this usually tends to be the other way around
with DoH being faster than DoT because DNS servers have historically been
optimized for UDP.

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

From bortzmeyer at nic.fr Tue Jun 13 08:34:25 2023
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 13 Jun 2023 10:34:25 +0200
Subject: [dnsdist] Some statistics I would like to have
In-Reply-To: <726b1a49-4142-2827-6777-2d57cc18abdb@powerdns.com>
References: <726b1a49-4142-2827-6777-2d57cc18abdb@powerdns.com>
Message-ID:

On Tue, Jun 13, 2023 at 10:23:26AM +0200, Remi Gacogne via dnsdist wrote
a message of 85 lines which said:

> You should be able to find what you are looking for in the output of
> "showTCPStats()".

Ah, yes, thanks. But the numbers are disconcerting. I see twice as
many queries per connection with IPv4 than IPv6, but only for DoT. For
DoH, it is the opposite. This may be simply because it is a small
resolver so the numbers are not statistically significant.

> But more importantly, dnsdist forwards queries received over DoH using UDP,
> while queries received over DoT are forwarded over TCP, unless the backend
> has been configured as TCP-only, DoT or DoH.

Which is the case, no?

newServer({address="[::1]:853", name="Local-Unbound", tls="openssl", subjectName="dot-backend.bortzmeyer.fr", validateCertificates=true, useClientSubnet=false, maxInFlight=1024})

From remi.gacogne at powerdns.com Tue Jun 13 08:40:54 2023
From: remi.gacogne at powerdns.com (Remi Gacogne)
Date: Tue, 13 Jun 2023 10:40:54 +0200
Subject: [dnsdist] [EXT] Re: Some statistics I would like to have
In-Reply-To:
References: <726b1a49-4142-2827-6777-2d57cc18abdb@powerdns.com>
Message-ID:

On 13/06/2023 10:34, Stephane Bortzmeyer wrote:
> Ah, yes, thanks. But the numbers are disconcerting. I see twice as
> many queries per connection with IPv4 than IPv6, but only for DoT. For
> DoH, it is the opposite. This may be simply because it is a small
> resolver so the numbers are not statistically significant.

Interesting, it would be nice to know if large resolvers are also seeing
very different numbers. I'll ask around.

>> But more importantly, dnsdist forwards queries received over DoH using UDP,
>> while queries received over DoT are forwarded over TCP, unless the backend
>> has been configured as TCP-only, DoT or DoH.
>
> Which is the case, no?
>
> newServer({address="[::1]:853", name="Local-Unbound", tls="openssl", subjectName="dot-backend.bortzmeyer.fr", validateCertificates=true, useClientSubnet=false, maxInFlight=1024})

Indeed, so queries received over DoT and DoH are forwarded in the same way.
I wonder why the latency numbers are so different. Perhaps we are seeing
different query patterns between DoT and DoH clients?

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
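The first thread above (Larry's pihole question and Winfried's pointer to EDNS Client Subnet) turns on what a backend behind dnsdist can learn about the original client once dnsdist, not the client, is the peer it talks to. The Python below is an added example, not code from the thread, from dnsdist or from pihole: it builds and parses the ECS option (RFC 7871, EDNS option code 8) by hand so you can see exactly what a backend receives for a given source prefix length. Larry's config sets setECSSourcePrefixV4(32), so IPv4 clients are passed in full; it sets no IPv6 prefix (dnsdist's setECSSourcePrefixV6), and the IPv6 case in the demo shows how any prefix shorter than 128 collapses the client address to its network before it ever reaches the backend. The addresses are constructed from the ranges in Larry's config, and every function name is this example's own.

```python
"""Build and parse the EDNS Client Subnet (ECS) option, RFC 7871.

Added example (not part of the mailing-list thread, dnsdist or pihole).
It shows what a downstream resolver such as pihole actually receives
when a forwarder sends ECS: at most the client's network, truncated to
the configured source prefix length, never a MAC address.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8          # EDNS0 OPTION-CODE for CLIENT-SUBNET (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # address family values from the IANA registry


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode a complete ECS option (code, length, data) for a query.

    RFC 7871 section 6: only ceil(prefix/8) address octets are sent and
    every address bit beyond SOURCE PREFIX-LENGTH must be zero. SCOPE
    PREFIX-LENGTH is always 0 in a query.
    """
    addr = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    max_bits = 32 if family == FAMILY_IPV4 else 128
    if not 0 <= source_prefix <= max_bits:
        raise ValueError("prefix length out of range for address family")
    # strict=False zeroes the host bits for us, which is exactly the truncation
    # the RFC requires.
    network = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    n_octets = (source_prefix + 7) // 8
    addr_bytes = network.network_address.packed[:n_octets]
    data = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs_option(option: bytes) -> dict:
    """Decode an ECS option as a backend would, rejecting malformed ones.

    RFC 7871 says a query whose address has non-zero bits past the source
    prefix, or whose address length disagrees with the prefix, gets FORMERR;
    here that is a ValueError.
    """
    if len(option) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    data = option[4:4 + length]
    if len(data) != length or length < 4:
        raise ValueError("truncated ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    addr_bytes = data[4:]
    if family == FAMILY_IPV4:
        total = 4
    elif family == FAMILY_IPV6:
        total = 16
    else:
        raise ValueError("unknown address family")
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix")
    # Pad back to a full address so the ipaddress module can interpret it.
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (total - len(addr_bytes)))
    expected = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    if int(addr) != int(expected.network_address):
        raise ValueError("non-zero bits beyond source prefix")
    return {
        "family": family,
        "source_prefix": source_prefix,
        "scope_prefix": scope_prefix,
        "address": str(addr),
    }


def client_seen_by_backend(client_ip: str, source_prefix: int) -> str:
    """Round-trip an address through ECS: what the backend learns, as CIDR."""
    parsed = parse_ecs_option(build_ecs_option(client_ip, source_prefix))
    return f"{parsed['address']}/{parsed['source_prefix']}"


if __name__ == "__main__":
    # Constructed client addresses drawn from the ranges in the thread's config.
    for ip, prefix in [("10.150.222.17", 32), ("10.150.222.17", 24),
                       ("2001:470:e1eb:66::1234", 128),
                       ("2001:470:e1eb:66::1234", 56)]:
        print(f"{ip:>24} with source prefix /{prefix:<3} -> backend sees "
              f"{client_seen_by_backend(ip, prefix)}")
```

With a /32 (or /128) source prefix the backend can attribute each query to one client address, which is the most ECS can ever carry; with the shorter prefixes many forwarders use by default, several hosts share one entry. Whether the backend then uses that address for per-client grouping is up to the backend, which is the open question in the thread.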