[dnsdist] addAction OpCode Iquery

Remi Gacogne remi.gacogne at powerdns.com
Thu Nov 16 08:10:08 UTC 2023


On 16/11/2023 04:37, Nicolas Baumgarten via dnsdist wrote:
> Queries with opcode 1 (DNSOpcode.IQuery) are being ignored (dropped?) on 1.4
> But 1.6.1 answers NOT implemented.

My guess is that these queries have a query records count (qdcount) of 0 
and you are seeing the effect of [1], implemented in 1.6.0-alpha1, 
because it was needed to conform to rfc8906's tests.

> We don't know the reason for these queries, but in the not 
> implemented scenario these queries are retried for a couple of minutes, 
> hundreds or thousands per second by some devices.

That's awful, and of course the device should be fixed, but 
unfortunately not unheard of.

> Trying to stop this, we created a rule to drop them but it's not working:
>   addAction(OpcodeRule(DNSOpcode.IQuery),DropAction())
> the same with opcode Query works.
> #   Name                             Matches Rule                    Action
> 0                                          0 opcode==1               no op
> 1                                     191722 opcode==0               no op
> Is there some preprocessing before the rules which answers Not Implemented?

Correct, this check occurs very early, if only because several rules 
assume that all queries have a qname, which is not true when qdcount == 0.

> Is there any option to solve this? If not, we will try with iptables.

Not at the moment, no. We could make the qdcount==0 behaviour 
configurable, to allow dropping or sending a custom response code 
(Refused? No Error?) instead of Not Implemented. Opening a feature 
request would go a long way to make it happen :)

[1]: https://github.com/PowerDNS/pdns/pull/9991

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
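
One way to test the qdcount guess above against captured traffic is to decode the DNS header of each UDP payload and count, per source, the queries with opcode 1 and qdcount 0. This is an added example, not code from the thread or from dnsdist; the function names, sample payloads and 192.0.2.x addresses are constructed for illustration.

```python
import struct
from collections import Counter

def parse_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    return {"id": qid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qdcount": qdcount}

def classify(payload: bytes) -> str:
    """Label a UDP payload by the two fields the thread is about."""
    try:
        h = parse_header(payload)
    except ValueError:
        return "truncated"
    if h["qr"]:
        return "response"
    label = "opcode=%d" % h["opcode"]
    # Per the reply above, qdcount == 0 is checked before any rule runs,
    # so an OpcodeRule never gets to see these queries.
    return label + (" qdcount=0" if h["qdcount"] == 0 else "")

def summarize(samples):
    """Count (source, label) pairs over an iterable of (source, payload)."""
    return Counter((src, classify(data)) for src, data in samples)

# Constructed sample payloads (not taken from the thread).
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
IQUERY_EMPTY = struct.pack("!6H", 0x1234, 1 << 11, 0, 0, 0, 0)
IQUERY_WITH_Q = struct.pack("!6H", 0x1235, 1 << 11, 1, 0, 0, 0) + QUESTION
PLAIN_QUERY = struct.pack("!6H", 0x1236, 0x0100, 1, 0, 0, 0) + QUESTION
SAMPLES = [("192.0.2.10", IQUERY_EMPTY)] * 3 + [
    ("192.0.2.10", PLAIN_QUERY),
    ("192.0.2.20", IQUERY_WITH_Q),
    ("192.0.2.20", b"\x00\x01"),
]

if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLES).items()):
        print(f"{src:<12} {label:<20} {n}")
```

A source dominated by the "opcode=1 qdcount=0" label is consistent with the explanation given in the reply.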
