[dnsdist] dnsdist 1.8, change of behavior for dynamic blocks
Jacob Bunk Nielsen
jbn at one.com
Thu May 11 10:06:06 UTC 2023
On 11/05/2023 11.58, Remi Gacogne via dnsdist wrote:
> On 14/04/2023 08:25, Jacob Bunk Nielsen via dnsdist wrote:
>> Just a heads up, we run an auth DNS service and I noticed after we
>> upgraded to dnsdist 1.8 that we have started blocking a lot more
>> based on a dynamic block rule defined as:
>> dbr:setRCodeRate(DNSRCode.REFUSED, N, X, 'Exceeded REFUSED response rate', Y)
>> This is what the metrics look like from around the upgrade time:
>> https://allg.one/bvLn - I suspect that the rule above has now
>> started working as intended.
> Thanks a lot for the heads-up! I don't remember any recent change in
> the related code, so I'm a bit surprised. Just to be sure, was dnsdist
> upgraded from 1.7.x? I'm asking because I remember fixing an issue
> that could be related in 1.6, but that doesn't match if you upgraded
> from 1.7.x, of course.
We upgraded from 1.7.3 to 1.8.0. I suspect many of the REFUSED responses
to be answered from cache, since most of them will (in our case) be a
result of a lame delegation and lame delegations seem to be retried very
eagerly by some resolvers.