[Pdns-dev] (no subject)
bert hubert
bert.hubert at powerdns.com
Wed Aug 26 14:14:55 CEST 2015
Hi Burak,
I just tested this:
addLocal("0.0.0.0:5200")
newServer("192.168.1.2")
function blockFilter(remote, qname, qtype, dh)
  dh:setTC(true)   -- mark the packet truncated: the client retries over TCP
  dh:setQR(true)   -- mark it a response: dnsdist sends it straight back to the client
  return false
end
And I get this output:
$ dig ds9a.nl @127.0.0.1 -p 5200
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> ds9a.nl @127.0.0.1 -p 5200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ds9a.nl. IN A
;; ANSWER SECTION:
ds9a.nl. 349 IN A 82.94.213.34
;; Query time: 1 msec
;; SERVER: 127.0.0.1#5200(127.0.0.1)
;; WHEN: Wed Aug 26 14:14:31 CEST 2015
;; MSG SIZE rcvd: 41
Can you try as well?
Bert
On Wed, Aug 26, 2015 at 09:16:33AM +0300, Burak Ozalp wrote:
> I did not run "sudo service pdns start", so I didn't bind
> 0.0.0.0:53 on the same host. Also, I can run addAnyTCRule() perfectly,
> and it rejects ANY queries well
> (i.e. root at burak-desktop:/home/burak# dig any google.com @127.0.0.1
> ;; Truncated, retrying in TCP mode.
> ;; communications error: end of file).
>
> My main problem is that I couldn't manage to get dnsdistconf.lua to work as
> I want, even with the command (dnsdist --local 0.0.0.0:53
> 192.168.0.1 --config dnsdistconf.lua).
>
>
> Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
>
> >Well, technically if you are already listening on 192.168.0.1:53
> >you cannot bind on 0.0.0.0:53 on *same* host.
> >
> >Aki
> >
> >On Wed, Aug 26, 2015 at 08:50:47AM +0300, Burak Ozalp wrote:
> >>In another terminal i run the following command;
> >>
> >>dnsdist --local 0.0.0.0:53 192.168.0.1
> >>
> >>Is it wrong?
> >>
> >>Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
> >>
> >>>Did you put dnsdist in front of powerdns instance? Is it listening on
> >>>127.0.0.1:53?
> >>>
> >>>Aki
> >>>
> >>>On Tue, Aug 25, 2015 at 04:39:55PM +0300, Burak Ozalp wrote:
> >>>>This is my dig output;
> >>>>dig google.com @127.0.0.1
> >>>>; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> google.com @127.0.0.1
> >>>>;; global options: +cmd
> >>>>;; Got answer:
> >>>>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2143
> >>>>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
> >>>>
> >>>>;; OPT PSEUDOSECTION:
> >>>>; EDNS: version: 0, flags:; udp: 4096
> >>>>;; QUESTION SECTION:
> >>>>;google.com. IN A
> >>>>
> >>>>;; ANSWER SECTION:
> >>>>google.com. 167 IN A 216.58.209.14
> >>>>
> >>>>;; AUTHORITY SECTION:
> >>>>google.com. 30662 IN NS ns4.google.com.
> >>>>google.com. 30662 IN NS ns1.google.com.
> >>>>google.com. 30662 IN NS ns2.google.com.
> >>>>google.com. 30662 IN NS ns3.google.com.
> >>>>
> >>>>;; ADDITIONAL SECTION:
> >>>>ns1.google.com. 30944 IN A 216.239.32.10
> >>>>ns2.google.com. 10757 IN A 216.239.34.10
> >>>>ns3.google.com. 12219 IN A 216.239.36.10
> >>>>ns4.google.com. 40489 IN A 216.239.38.10
> >>>>
> >>>>;; Query time: 17 msec
> >>>>;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>>>;; WHEN: Tue Aug 25 16:16:23 EEST 2015
> >>>>;; MSG SIZE rcvd: 191
> >>>>
> >>>>
> >>>>Quoting bert hubert <bert.hubert at powerdns.com>
> >>>>
> >>>>>Does it print out anything at all?
> >>>>>
> >>>>>Can you show a 'dig' command that shows a TC:0 response and no fallback to
> >>>>>TCP/IP?
> >>>>>
> >>>>>Thanks!
> >>>>>
> >>>>>On Tue, Aug 25, 2015 at 02:52:33PM +0300, Burak Ozalp wrote:
> >>>>>>Dear Bert,
> >>>>>>
> >>>>>>Firstly, thanks a lot for the fast and illustrative replies. I learned a
> >>>>>>lot of things. But I have a problem again :(
> >>>>>>I changed the blockFilter() function in the dnsdistconf.lua file to:
> >>>>>>function blockFilter(remote, qname, qtype, dh)
> >>>>>>
> >>>>>>  print("any query, tc=1")
> >>>>>>  dh:setTC(true)
> >>>>>>  dh:setQR(true)
> >>>>>>
> >>>>>>  -- 'block' is a DNSName defined elsewhere in dnsdistconf.lua
> >>>>>>  if qname:isPartOf(block) then
> >>>>>>    print("Blocking *.powerdns.org")
> >>>>>>    return true
> >>>>>>  end
> >>>>>>  return false
> >>>>>>end
> >>>>>>
> >>>>>>Then I reinstalled and ran dnsdist. However, nothing is changed..
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>Quoting bert hubert <bert.hubert at powerdns.com>
> >>>>>>
> >>>>>>>sent from the wrong account first, sorry.
> >>>>>>>
> >>>>>>>>Begin forwarded message:
> >>>>>>>>
> >>>>>>>>Subject: Re: [Pdns-dev] How to set PowerDNS Server with option any-to-tcp
> >>>>>>>>From: bert hubert <bert.hubert at netherlabs.nl>
> >>>>>>>>Date: 25 Aug 2015 12:39:05 CEST
> >>>>>>>>Cc: Aki Tuomi <cmouse at youzen.ext.b2.fi>, pdns-dev at mailman.powerdns.com
> >>>>>>>>To: Burak Ozalp <burak.ozalp at metu.edu.tr>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>On 25 Aug 2015, at 12:24, Burak Ozalp <burak.ozalp at metu.edu.tr> wrote:
> >>>>>>>>>
> >>>>>>>>>Thanks Bert,
> >>>>>>>>>
> >>>>>>>>>I installed dnsdist. With addAnyTCRule() I can easily do pdns
> >>>>>>>>>any-to-tcp(). However, I couldn't manage to do it for all types
> >>>>>>>>>of queries. Should I patch the conf file?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>Hi Burak,
> >>>>>>>>
> >>>>>>>>Try:
> >>>>>>>>
> >>>>>>>>"The blockFilter() also gets passed a read/writable copy of the
> >>>>>>>>DNS Header. If you invoke setQR(1) on that, dnsdist knows you
> >>>>>>>>turned the packet into a response, and will send the answer
> >>>>>>>>directly to the original client.
> >>>>>>>>
> >>>>>>>>If you also called setTC(1), this will tell the remote client to
> >>>>>>>>move to TCP/IP, and in this way you can implement ANY-to-TCP
> >>>>>>>>even for downstream servers that lack this feature."
> >>>>>>>>
> >>>>>>>>See: https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#any-or-whatever-to-tc
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>just call setQR(1) and setTC(1) on the header field of
> >>>>>>>>blockFilter() and you are done.
> >>>>>>>>
> >>>>>>>>Good luck!
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>>Best Regards
> >>>>>>>>>Burak Ozalp
> >>>>>>>>>
> >>>>>>>>>Quoting bert hubert <bert.hubert at powerdns.com>
> >>>>>>>>>
> >>>>>>>>>>Hi Burak,
> >>>>>>>>>>
> >>>>>>>>>>dnsdist can do this easily, please see http://dnsdist.org/
> >>>>>>>>>>for more details.
> >>>>>>>>>>It can set TC on any criterion.
> >>>>>>>>>>
> >>>>>>>>>>Good luck!
> >>>>>>>>>>
> >>>>>>>>>> Bert
> >>>>>>>>>>
> >>>>>>>>>>On Tue, Aug 25, 2015 at 09:59:12AM +0300, Burak Ozalp wrote:
> >>>>>>>>>>>Dear Tuomi,
> >>>>>>>>>>>
> >>>>>>>>>>>Yes, it works. Is it possible to force all UDP requests to get a
> >>>>>>>>>>>truncated packet, and force all to use TCP?
> >>>>>>>>>>>
> >>>>>>>>>>>Best Regards
> >>>>>>>>>>>Burak Ozalp
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
> >>>>>>>>>>>
> >>>>>>>>>>>>On Mon, Aug 24, 2015 at 03:36:02PM +0300, Burak Ozalp wrote:
> >>>>>>>>>>>>>I installed PowerDNS with the MySQL backend from here. I would like to set
> >>>>>>>>>>>>>any-to-tcp=yes for the PowerDNS Server. I tried to configure the
> >>>>>>>>>>>>>/etc/powerdns/pdns.conf file and add a line "any-to-tcp=yes". This
> >>>>>>>>>>>>>option should reject UDP requests from the client and force them to use TCP.
> >>>>>>>>>>>>>But when I run dig @127.0.0.1 it doesn't set the truncated bit in the
> >>>>>>>>>>>>>response, so it doesn't work.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>How do I set the any-to-tcp option correctly?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>It only truncates ANY queries; try dig any domain.com @localhost
> >>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>_______________________________________________
> >>>>>>>>>>>>>Pdns-dev mailing list
> >>>>>>>>>>>>>Pdns-dev at mailman.powerdns.com
> >>>>>>>>>>>>>http://mailman.powerdns.com/mailman/listinfo/pdns-dev
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
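As an added example (not code from the thread, from dnsdist or from PowerDNS), the mechanism Bert's blockFilter() relies on, written out in Python against the raw wire format: the QR and TC bits in the 12-byte DNS header are set on the query itself and the packet is otherwise returned unchanged, so the client matches it by ID and, as dig shows above, retries over TCP. The query bytes are constructed here; udp_filter() is a hypothetical policy helper whose any_only=True case mirrors addAnyTCRule() and whose any_only=False case is the all-queries variant Burak asked for.

```python
import struct

# DNS header flag bits, RFC 1035 section 4.1.1. QR and TC are the two bits the
# blockFilter() in the thread flips with dh:setQR(true) and dh:setTC(true).
FLAG_QR = 0x8000   # packet is a response
FLAG_TC = 0x0200   # response is truncated: client must retry over TCP
FLAG_RD = 0x0100   # recursion desired
QTYPE_ANY = 255

def build_query(qname, qtype, qid=0x1234):
    """Build a minimal UDP DNS query (constructed sample input, not captured traffic)."""
    parts = [p for p in qname.rstrip(".").split(".") if p]
    labels = b"".join(bytes([len(p)]) + p.encode() for p in parts)
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(pkt):
    """Decode the 12-byte header into the fields dig shows in its HEADER line."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rd": bool(flags & FLAG_RD), "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def question_qtype(pkt):
    """QTYPE of the first question; question names are not compressed."""
    i = 12
    while pkt[i] != 0:
        i += 1 + pkt[i]
    return struct.unpack("!H", pkt[i + 1:i + 3])[0]

def truncate_to_tcp(query):
    """Turn a query into a truncated response to itself: set QR and TC, keep
    ID, counts and question untouched so the client matches and trusts it."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= FLAG_QR | FLAG_TC
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar) + query[12:]

def udp_filter(query, any_only=True):
    """Hypothetical policy for a UDP query: any_only=True mirrors addAnyTCRule()
    (ANY-to-TCP), any_only=False pushes every query type to TCP.
    Returns the packet to send straight back, or None to forward downstream."""
    if any_only and question_qtype(query) != QTYPE_ANY:
        return None
    return truncate_to_tcp(query)

def client_should_retry_tcp(response):
    """The check a resolver makes before retrying over TCP (dig: 'Truncated, retrying in TCP mode')."""
    h = parse_header(response)
    return h["qr"] and h["tc"]
```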