[dnsdist] addAction OpCode Iquery
Remi Gacogne
remi.gacogne at powerdns.com
Thu Nov 16 08:10:08 UTC 2023
Hi,
On 16/11/2023 04:37, Nicolas Baumgarten via dnsdist wrote:
> Queries with opcode 1 (DNSOpcode.IQuery) are being ignored (dropped?) on 1.4
> But 1.6.1 answers NOT implemented.
My guess is that these queries have a query records count (qdcount) of 0
and you are seeing the effect of [1], implemented in 1.6.0-alpha1,
because it was needed to conform to rfc8906's tests.
> We don't know what the reason for these queries is, but in the not
> implemented scenario these queries are retried for a couple of minutes,
> hundreds or thousands per second by some devices.
That's awful, and of course the device should be fixed, but
unfortunately not unheard of.
> Trying to stop this, we created a rule to drop them but it's not working:
> addAction(OpcodeRule(DNSOpcode.IQuery),DropAction())
> the same with opcode Query works.
>
> #   Name   Matches   Rule        Action
> 0          0         opcode==1   no op
> 1          191722    opcode==0   no op
>
> Is there some preprocessing before the rules which answers not implemented?
Correct, this check occurs very early, if only because several rules
assume that all queries have a qname which is not true when qdcount == 0.
> Is there any option to solve this? If not, we will try with iptables.
Not at the moment, no. We could make the qdcount==0 behaviour
configurable, to allow dropping or sending a custom response code
(Refused? No Error?) instead of Not Implemented. Opening a feature
request would go a long way to make it happen :)
[1]: https://github.com/PowerDNS/pdns/pull/9991
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
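
An added example, not part of the original message and not dnsdist code: the reply attributes the behaviour to queries with qdcount == 0, so this sketch decodes the DNS header of captured packets, labels that case separately from IQuery queries that do carry a question, and counts which sources send them. The function names, threshold and sample packets are assumptions made for illustration.

```python
import struct
from collections import Counter

OPCODE_IQUERY = 1  # same value as DNSOpcode.IQuery in the quoted rule

def parse_header(packet: bytes) -> dict:
    """Decode the fields of the fixed 12-byte DNS header used below."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qdcount = struct.unpack("!3H", packet[:6])
    return {"id": ident, "qr": flags >> 15,
            "opcode": (flags >> 11) & 0xF, "qdcount": qdcount}

def classify(packet: bytes) -> str:
    """Label a packet by the header properties discussed in the thread."""
    try:
        h = parse_header(packet)
    except ValueError:
        return "malformed"
    if h["qr"]:
        return "response"
    if h["qdcount"] == 0:
        return "empty-question"  # no qname, so qname-based rules cannot apply
    return "iquery" if h["opcode"] == OPCODE_IQUERY else "other"

def noisy_sources(packets, threshold):
    """Count empty-question queries per source; keep those at or over threshold."""
    counts = Counter(src for src, pkt in packets
                     if classify(pkt) == "empty-question")
    return {src: n for src, n in counts.items() if n >= threshold}

def header(ident, opcode, qdcount):
    """Build a query header (QR=0, RD=1) for the constructed samples."""
    return struct.pack("!6H", ident, (opcode << 11) | 0x0100, qdcount, 0, 0, 0)

# Constructed sample traffic (documentation addresses, not real captures).
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)  # type A, class IN
SAMPLE = (
    [("192.0.2.10", header(i, OPCODE_IQUERY, 0)) for i in range(3)]
    + [("192.0.2.20", header(10, 0, 1) + QUESTION),
       ("192.0.2.30", header(11, OPCODE_IQUERY, 1) + QUESTION),
       ("192.0.2.40", b"\x00\x01")]
)

if __name__ == "__main__":
    for src, pkt in SAMPLE:
        print(src, classify(pkt))
    print(noisy_sources(SAMPLE, threshold=3))
```

The per-source counts give the list of devices to fix or to filter upstream, such as with the iptables approach mentioned in the question.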