[Pdns-dev] (DNSDist udptotcp with browser)

Burak Ozalp burak.ozalp at metu.edu.tr
Thu Aug 27 13:14:46 CEST 2015


Hi everyone,

When I run dnsdist with the config file and change the nameserver in
/etc/resolv.conf to 127.0.0.1, I can use the dig command and it works
perfectly.
However, after applying these configurations, when I connect to a new
web-site (not a cached one) with the Chrome browser, it didn't work in
the first 2 or 3 tries; then it connects to the web-site.

What caused this problem?

Best Regards
Burak Özalp

Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>

> It works! Thank you for all. I finally did what I wanted.
>
> Best Regards
> Burak Ozalp
>
> Quoting bert hubert <bert.hubert at powerdns.com>
>
>> Hi Burak,
>>
>> I just tested this:
>>
>> addLocal("0.0.0.0:5200")
>> newServer("192.168.1.2")
>>
>> function blockFilter(remote, qname, qtype, dh)
>>        dh:setTC(true)
>>        dh:setQR(true)
>>        return false
>> end
>>
>> And I get this output:
>>
>> $ dig ds9a.nl @127.0.0.1 -p 5200
>> ;; Truncated, retrying in TCP mode.
>>
>> ; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> ds9a.nl @127.0.0.1 -p 5200
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;ds9a.nl.                       IN      A
>>
>> ;; ANSWER SECTION:
>> ds9a.nl.                349     IN      A       82.94.213.34
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 127.0.0.1#5200(127.0.0.1)
>> ;; WHEN: Wed Aug 26 14:14:31 CEST 2015
>> ;; MSG SIZE  rcvd: 41
>>
>> Can you try as well?
>>
>> 	Bert
>>
>> On Wed, Aug 26, 2015 at 09:16:33AM +0300, Burak Ozalp wrote:
>>> I did not run "sudo service pdns start", so I didn't bind
>>> 0.0.0.0:53 on the same host. Also I can run addAnyTCRule() perfectly,
>>> and it rejects ANY queries well
>>> (i.e. root at burak-desktop:/home/burak# dig any google.com @127.0.0.1
>>> ;; Truncated, retrying in TCP mode.
>>> ;; communications error: end of file).
>>>
>>> My main problem is that I couldn't manage to make dnsdistconf.lua work
>>> as I want, even with the command ( dnsdist --local 0.0.0.0:53
>>> 192.168.0.1 --config dnsdistconf.lua ).
>>>
>>>
>>> Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
>>>
>>>> Well, technically if you are already listening on 192.168.0.1:53
>>>> you cannot bind on 0.0.0.0:53 on *same* host.
>>>>
>>>> Aki
>>>>
>>>> On Wed, Aug 26, 2015 at 08:50:47AM +0300, Burak Ozalp wrote:
>>>>> In another terminal i run the following command;
>>>>>
>>>>> dnsdist --local 0.0.0.0:53 192.168.0.1
>>>>>
>>>>> Is it wrong ?
>>>>>
>>>>> Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
>>>>>
>>>>>> Did you put dnsdist in front of the PowerDNS instance? Is it listening on
>>>>>> 127.0.0.1:53?
>>>>>>
>>>>>> Aki
>>>>>>
>>>>>> On Tue, Aug 25, 2015 at 04:39:55PM +0300, Burak Ozalp wrote:
>>>>>>> This is my dig output;
>>>>>>> dig google.com @127.0.0.1
>>>>>>> ; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> google.com @127.0.0.1
>>>>>>> ;; global options: +cmd
>>>>>>> ;; Got answer:
>>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2143
>>>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
>>>>>>>
>>>>>>> ;; OPT PSEUDOSECTION:
>>>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>>>> ;; QUESTION SECTION:
>>>>>>> ;google.com.                    IN      A
>>>>>>>
>>>>>>> ;; ANSWER SECTION:
>>>>>>> google.com.             167     IN      A       216.58.209.14
>>>>>>>
>>>>>>> ;; AUTHORITY SECTION:
>>>>>>> google.com.             30662   IN      NS      ns4.google.com.
>>>>>>> google.com.             30662   IN      NS      ns1.google.com.
>>>>>>> google.com.             30662   IN      NS      ns2.google.com.
>>>>>>> google.com.             30662   IN      NS      ns3.google.com.
>>>>>>>
>>>>>>> ;; ADDITIONAL SECTION:
>>>>>>> ns1.google.com.         30944   IN      A       216.239.32.10
>>>>>>> ns2.google.com.         10757   IN      A       216.239.34.10
>>>>>>> ns3.google.com.         12219   IN      A       216.239.36.10
>>>>>>> ns4.google.com.         40489   IN      A       216.239.38.10
>>>>>>>
>>>>>>> ;; Query time: 17 msec
>>>>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>>>>>> ;; WHEN: Tue Aug 25 16:16:23 EEST 2015
>>>>>>> ;; MSG SIZE  rcvd: 191
>>>>>>>
>>>>>>>
>>>>>>> Quoting bert hubert <bert.hubert at powerdns.com>
>>>>>>>
>>>>>>>> Does it print out anything at all?
>>>>>>>>
>>>>>>>> Can you show a 'dig' command that shows a TC:0 response and no
>>>>>>>> fallback to TCP/IP?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> On Tue, Aug 25, 2015 at 02:52:33PM +0300, Burak Ozalp wrote:
>>>>>>>>> Dear Bert;
>>>>>>>>>
>>>>>>>>> Firstly, thanks a lot for the fast and illustrative replies. I learned a
>>>>>>>>> lot of things. But I have a problem again :(
>>>>>>>>> I changed the blockFilter() function in the dnsdistconf.lua file to:
>>>>>>>>>
>>>>>>>>> -- 'block' is assumed to be a DNSName defined earlier in dnsdistconf.lua
>>>>>>>>> function blockFilter(remote, qname, qtype, dh)
>>>>>>>>>     print("any query, tc=1")
>>>>>>>>>     dh:setTC(true)
>>>>>>>>>     dh:setQR(true)
>>>>>>>>>
>>>>>>>>>     if(qname:isPartOf(block))
>>>>>>>>>     then
>>>>>>>>>         print("Blocking *.powerdns.org")
>>>>>>>>>         return true
>>>>>>>>>     end
>>>>>>>>>     return false
>>>>>>>>> end
>>>>>>>>>
>>>>>>>>> Then I did a re-installation and ran dnsdist. However, nothing
>>>>>>>>> is changed.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Quoting bert hubert <bert.hubert at powerdns.com>
>>>>>>>>>
>>>>>>>>>> sent from the wrong account first, sorry.
>>>>>>>>>>
>>>>>>>>>>> Begin forwarded message:
>>>>>>>>>>>
>>>>>>>>>>> Subject: Re: [Pdns-dev] How to set PowerDNS Server with
>>>>>>>>>>> option any-to-tcp
>>>>>>>>>>> From: bert hubert <bert.hubert at netherlabs.nl>
>>>>>>>>>>> Date: 25 Aug 2015 12:39:05 CEST
>>>>>>>>>>> Cc: Aki Tuomi <cmouse at youzen.ext.b2.fi>,  
>>>>>>>>>>> pdns-dev at mailman.powerdns.com
>>>>>>>>>>> To: Burak Ozalp <burak.ozalp at metu.edu.tr>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> On 25 Aug 2015, at 12:24, Burak Ozalp
>>>>>>>>>>>> <burak.ozalp at metu.edu.tr> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks Bert,
>>>>>>>>>>>>
>>>>>>>>>>>> I installed dnsdist. With addAnyTCRule() I can easily do pdns
>>>>>>>>>>>> any-to-tcp(). However, I couldn't manage to do it for all types
>>>>>>>>>>>> of queries. Should I patch the conf file?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hi Burak,
>>>>>>>>>>>
>>>>>>>>>>> Try:
>>>>>>>>>>>
>>>>>>>>>>> "The blockFilter() also gets passed read/writable copy of the
>>>>>>>>>>> DNS Header. If you invoke setQR(1) on that, dnsdist knows you
>>>>>>>>>>> turned the packet into a response, and will send the answer
>>>>>>>>>>> directly to the original client.
>>>>>>>>>>>
>>>>>>>>>>> If you also called setTC(1), this will tell the remote client to
>>>>>>>>>>> move to TCP/IP, and in this way you can implement ANY-to-TCP
>>>>>>>>>>> even for downstream servers that lack this feature."
>>>>>>>>>>>
>>>>>>>>>>> See:  
>>>>>>>>>>> https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#any-or-whatever-to-tc
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> just call setQR(1) and setTC(1) on the header field of
>>>>>>>>>>> blockFilter() and you are done.
>>>>>>>>>>>
>>>>>>>>>>> Good luck!
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Best Regards
>>>>>>>>>>>> Burak Ozalp
>>>>>>>>>>>>
>>>>>>>>>>>> Quoting bert hubert <bert.hubert at powerdns.com>
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Burak,
>>>>>>>>>>>>>
>>>>>>>>>>>>> dnsdist can do this easily, please see http://dnsdist.org/
>>>>>>>>>>>>> for more details.
>>>>>>>>>>>>> It can set TC on any criterion.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Good luck!
>>>>>>>>>>>>>
>>>>>>>>>>>>> 	Bert
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Aug 25, 2015 at 09:59:12AM +0300, Burak Ozalp wrote:
>>>>>>>>>>>>>> Dear Tuomi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes, it works. Is it possible to force a truncated packet for all
>>>>>>>>>>>>>> UDP requests, and force all to use TCP?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best Regards
>>>>>>>>>>>>>> Burak Ozalp
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Aug 24, 2015 at 03:36:02PM +0300, Burak Ozalp wrote:
>>>>>>>>>>>>>>>> I installed PowerDNS with the MySQL backend from here. I
>>>>>>>>>>>>>>>> would like to set any-to-tcp=yes for the PowerDNS Server. I tried
>>>>>>>>>>>>>>>> to configure the /etc/powerdns/pdns.conf file and add a line
>>>>>>>>>>>>>>>> "any-to-tcp=yes". This option should reject UDP requests from
>>>>>>>>>>>>>>>> clients and force them to use TCP.
>>>>>>>>>>>>>>>> But when I run dig @127.0.0.1 it doesn't set the truncated bit
>>>>>>>>>>>>>>>> in the response, so it doesn't work.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How do I set the any-to-tcp option correctly?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It only truncates ANY queries; try dig any domain.com @localhost
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> Pdns-dev mailing list
>>>>>>>>>>>>>>>> Pdns-dev at mailman.powerdns.com
>>>>>>>>>>>>>>>> http://mailman.powerdns.com/mailman/listinfo/pdns-dev
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>
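The mechanism Bert describes above (setQR plus setTC turning the incoming query into a minimal truncated reply that makes the client retry over TCP), as an added Python example that is not code from dnsdist or from anyone in this thread; build_query, truncate_to_tcp, parse_flags and needs_tcp_retry are names assumed here, and the ds9a.nl query is a constructed sample.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR_BIT = 0x8000  # 1 = this packet is a response
TC_BIT = 0x0200  # 1 = truncated, the client should retry over TCP
RD_BIT = 0x0100  # recursion desired

def build_query(qid, name, qtype=1):
    """Constructed sample input: a minimal UDP query for name/qtype, no EDNS."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", qid, RD_BIT, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def truncate_to_tcp(query):
    """What dh:setQR(true) and dh:setTC(true) in blockFilter() do: flip the two
    header bits and leave the rest of the packet (ID, RD, question) untouched,
    so the same packet can go straight back to the client as a reply."""
    if len(query) < 12:
        raise ValueError("packet shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= QR_BIT | TC_BIT
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar) + query[12:]

def parse_flags(packet):
    """Decode the header fields a stub resolver looks at before trusting a reply."""
    qid, flags = struct.unpack("!HH", packet[:4])
    return {"id": qid, "qr": bool(flags & QR_BIT), "tc": bool(flags & TC_BIT),
            "rd": bool(flags & RD_BIT), "rcode": flags & 0x000F}

def needs_tcp_retry(packet, expected_id):
    """The check dig performs ('Truncated, retrying in TCP mode'): the reply must
    match the outstanding query ID, be a response, and carry TC."""
    f = parse_flags(packet)
    return f["id"] == expected_id and f["qr"] and f["tc"]

if __name__ == "__main__":
    q = build_query(64932, "ds9a.nl")   # same query ID as the dig run above
    r = truncate_to_tcp(q)
    print(parse_flags(r), "retry over TCP:", needs_tcp_retry(r, 64932))
```

A reply whose ID does not match, or that lacks QR, is dropped by the stub rather than triggering the TCP retry, which is why both bits matter.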