[dnsdist] dnsdist 1.7 : allow only A request

Fri Mar 17 15:37:36 UTC 2023

Hi Jacob,

Here :

[root at UAVARRDIJ01 ~]# cat /etc/dnsdist/dnsdist.conf
-- DNSdist configuration file

-- disable security status polling via DNS
setSecurityPollSuffix("")

-- world reachable
setACL({'0.0.0.0/0', '::/0'})

-- listen on
setLocal('X.X.X.X')

-- control socket on localhost
controlSocket('127.0.0.1:5199')
setConsoleACL('127.0.0.1/32')
setKey('vr1zmw7JwKBN0hzk7n9vD69/SLkT+pl+Rb+crkiHYIM=')

webserver("X.X.X.X:8081")
-- webserver ("127.0.0.1:8081")
setWebserverConfig({password="xxxx", apiKey="xxxxx", acl="0.0.0.0/0"})

includeDirectory("/etc/dnsdist/conf.d")

==================================================================

cat /etc/dnsdist/conf.d/myconf_dnsdit.conf

setServerPolicy(wrandom)

newServer({address="127.0.0.1:853", name="my_server", pool="local", qps=1000, order=1, weight=10, useClientSubnet=true})

newServer({address="180.112.144.96", name="remote-server" , pool="remote", checkType="A", checkName="my_domain.fr" , qps=1500, order=1, weight=10 , useClientSubnet=true})

addAction(
NotRule (
OrRule {QTypeRule(DNSQType.A), QTypeRule(DNSQType.AAAA)}
),
AllowAction()
)

addAction({'toto.com'}, PoolAction("local"))
addAction({'titi.com'}, PoolAction("remote-server"))

Orange Restricted

-----Message d'origine-----
De : dnsdist <dnsdist-bounces at mailman.powerdns.com> De la part de Jacob Bunk Nielsen via dnsdist
Envoyé : vendredi 17 mars 2023 16:27
À : dnsdist at mailman.powerdns.com
Objet : Re: [dnsdist] dnsdist 1.7 : allow only A request

Hi

On 17/03/2023 16.23, david.neau at orange.com wrote:
> Hello all
>
> After some tests I see a potential issue, tell me if I m right please :
>
> It works for A request :
> [root at node ~]# dig a 
> https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.t
> oto.com%2F&data=05%7C01%7Cdavid.neau%40orange.com%7C3f1a3779819f422afd
> 2308db26fc038f%7C90c7a20af34b40bfbc48b9253b6f5d20%7C0%7C0%7C6381466360
> 48960015%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiL
> CJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=hIHI2hcmF6p5xsmQmL
> pzXS%2BVERe5nietPu20Tn6ILjs%3D&reserved=0 @X.X.X.X +short
> 2.2.2.2
>
> It stays mute more most of the requests ( expected behavior ), ^C is needed to get the prompt back.

Please provide the full configuration of dnsdist in your setup, otherwise it will be close to impossible to help you figure out why things work the way they do.

Best regards,

Jacob

_______________________________________________
dnsdist mailing list
dnsdist at mailman.powerdns.com
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailman.powerdns.com%2Fmailman%2Flistinfo%2Fdnsdist&data=05%7C01%7Cdavid.neau%40orange.com%7C3f1a3779819f422afd2308db26fc038f%7C90c7a20af34b40bfbc48b9253b6f5d20%7C0%7C0%7C638146636048960015%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=TIDL9LtWZGALEb5HhjgtG9h6F9wwd50sOU8j9yH3zmc%3D&reserved=0

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.