[dnsdist] dnsdist 1.7 : allow only A request

david.neau at orange.com david.neau at orange.com
Fri Mar 10 08:21:57 UTC 2023


Hello Stephane

Thanks for your answer 

I tried to explicitly deny the most common DNS request types, for example:

-- refused query type :
	addAction(QTypeRule(dnsdist.ANY), DropAction())
	addAction(QTypeRule(dnsdist.SOA), DropAction())

It was working with DNS 1.2 on Ubuntu, but it is not working in my current setup:

[root@ dnsdist]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 (Ootpa)
[root@ dnsdist]# dnsdist -V
dnsdist 1.7.3 (Lua 5.1.4 [LuaJIT 2.1.0-beta3])
Enabled features: cdb dns-over-tls(gnutls openssl) dns-over-https(DOH) dnscrypt ebpf fstrm ipcipher libsodium lmdb outgoing-dns-over-https(nghttp2) protobuf re2 recvmmsg/sendmmsg snmp systemd

I also tried something similar to your example, which is not working either:

-- Allow only A requests
function onlya(dq)
	if (dq.qtype == DNSQType.A)
	then
		return DNSAction.Allow, ""
	else
		-- return DNSAction.None, ""      -- no action
		return DNSAction.Drop, ""
	end
end

I tried your proposal (thanks):

luarule(dq)
        if (dq.qtype!=dnsdist.AAAA) => line 79
                then
                        return DNSAction.Nxdomain, ""
                else
                        return DNSAction.Allow, ""
        end
end => line 85
addLuaAction(AllRule(), luarule)addLuaAction(AllRule(), luarule)

and:

[root at UAVARRDIJ01 dnsdist]# dnsdist --check-config
Fatal Lua error: [string "chunk"]:17: Caught exception: [string "chunk"]:79: ')' expected near '!'
stack traceback:
        [C]: in function 'includeDirectory'
        [string "chunk"]:17: in main chunk

It looks like it doesn't like "if (dq.qtype!=dnsdist.AAAA)" :(

To see, I changed it to: if (dq.qtype==dnsdist.AAAA)

Fatal Lua error: [string "chunk"]:17: Caught exception: [string "chunk"]:85: '<eof>' expected near 'end'

Sorry, I'm not a Lua expert :(

Regards
/d




-----Original Message-----
From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Sent: Thursday, 9 March 2023 18:05
To: NEAU David DTSI/PFS <david.neau at orange.com>
Cc: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] dnsdist 1.7 : allow only A request

On Thu, Mar 09, 2023 at 04:25:12PM +0000, david n via dnsdist <dnsdist at mailman.powerdns.com> wrote a message of 149 lines which said:

> I tried many ways

Which ones?

> but none are working.

I guess that a Lua custom action is probably the best solution, such as:

luarule(dq)
  if (dq.qtype!=dnsdist.AAAA) then
    return DNSAction.Nxdomain, ""
  else
    return DNSAction.Allow, ""
  end
end
addLuaAction(AllRule(), luarule)

(Untested)

> I just want to DnsDist only answers to A or AAAA requests.

It seems a very bad idea (for instance, it will break old QNAME
minimization) so I suggest not doing it.
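As an added example (not code from either message in this thread): the Lua action Stephane sketched, rewritten in valid Lua for dnsdist 1.7, with David's two syntax errors explained in the comments. The function name onlyAddressQueries and the choice to answer REFUSED rather than NXDOMAIN are this example's assumptions; Stephane's caveat about QNAME minimisation still applies.

```lua
-- Added example, not from the thread: answer only A and AAAA queries,
-- refuse everything else.
--
-- Two Lua points behind the errors in the thread:
--   * Lua spells "not equal" as "~=", not "!=". "dq.qtype != x" is what
--     produces "')' expected near '!'".
--   * A named function needs the "function" keyword. Without it,
--     "luarule(dq)" is parsed as a plain call, the if/else closes the
--     block early, and the final "end" gives "'<eof>' expected near 'end'".
--
-- Since dnsdist 1.4 the qtype constants live in DNSQType (DNSQType.A),
-- and Lua actions are registered with addAction(rule, LuaAction(fn)).

-- qtypes this front end is willing to answer (assumption: A and AAAA only)
local allowedTypes = {
  [DNSQType.A]    = true,
  [DNSQType.AAAA] = true,
}

-- dq is the DNSQuestion handed to the action; return an action plus a
-- string (empty here, it is only used by e.g. Spoof/Pool actions).
function onlyAddressQueries(dq)
  if allowedTypes[dq.qtype] then
    return DNSAction.Allow, ""
  end
  -- REFUSED rather than Drop: the client gets an immediate, honest
  -- answer instead of waiting for a timeout and retrying the query.
  return DNSAction.Refused, ""
end

addAction(AllRule(), LuaAction(onlyAddressQueries))

-- Equivalent without Lua, using the built-in selectors and actions:
-- addAction(NotRule(OrRule({QTypeRule(DNSQType.A), QTypeRule(DNSQType.AAAA)})),
--           RCodeAction(DNSRCode.REFUSED))
```

Check the file with `dnsdist --check-config` before restarting; the built-in selector form at the end does the same job without a Lua round trip per query.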

