[Pdns-dev] (DNSDist udptotcp with browser)

Burak Ozalp burak.ozalp at metu.edu.tr
Fri Aug 28 08:02:11 CEST 2015


I tested with the master branch and the steps on the http://dnsdist.org/
main page, on my PC with Ubuntu 14.04 LTS. I tested with the
following Lua config script.
addLocal("0.0.0.0:53")
newServer("192.168.0.1")

function blockFilter(remote, qname, qtype, dh)
         dh:setTC(true)
         dh:setQR(true)
         return false
end

Quoting bert hubert <bert.hubert at powerdns.com>

> On Thu, Aug 27, 2015 at 02:14:46PM +0300, Burak Ozalp wrote:
>> Hi everyone,
>>
>> When I run dnsdist with the config file and change the nameserver in
>> /etc/resolv.conf to 127.0.0.1, I can use the dig command and it
>> works perfectly.
>
> Which exact version do you run? I think you tried a version from an old RPM,
> and one from git?
>
>> However, after applying these configurations, when I connect to a new
>> website (not a cached one) with the Chrome browser, in the first 2 or 3
>> tries it didn't work, then it connected to the website.
>
> Is this with your "reply TC=1" or "TCP for everything" configuration? Can
> you retest with that off if it is?
>
> 	Bert
>
>
>>
>> What caused this problem?
>>
>> Best Regards
>> Burak Özalp
>>
>> Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>
>>
>> >It works! Thank you all. I finally did what I wanted.
>> >
>> >Best Regards
>> >Burak Ozalp
>> >
>> >Quoting bert hubert <bert.hubert at powerdns.com>
>> >
>> >>Hi Burak,
>> >>
>> >>I just tested this:
>> >>
>> >>addLocal("0.0.0.0:5200")
>> >>newServer("192.168.1.2")
>> >>
>> >>function blockFilter(remote, qname, qtype, dh)
>> >>       dh:setTC(true)
>> >>       dh:setQR(true)
>> >>       return false
>> >>end
>> >>
>> >>And I get this output:
>> >>
>> >>$ dig ds9a.nl @127.0.0.1 -p 5200
>> >>;; Truncated, retrying in TCP mode.
>> >>
>> >>; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> ds9a.nl @127.0.0.1 -p 5200
>> >>;; global options: +cmd
>> >>;; Got answer:
>> >>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932
>> >>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> >>
>> >>;; QUESTION SECTION:
>> >>;ds9a.nl.                       IN      A
>> >>
>> >>;; ANSWER SECTION:
>> >>ds9a.nl.                349     IN      A       82.94.213.34
>> >>
>> >>;; Query time: 1 msec
>> >>;; SERVER: 127.0.0.1#5200(127.0.0.1)
>> >>;; WHEN: Wed Aug 26 14:14:31 CEST 2015
>> >>;; MSG SIZE  rcvd: 41
>> >>
>> >>Can you try as well?
>> >>
>> >>	Bert
>> >>
>> >>On Wed, Aug 26, 2015 at 09:16:33AM +0300, Burak Ozalp wrote:
>> >>>I did not run "sudo service pdns start", so I didn't bind
>> >>>0.0.0.0:53 on the same host. Also, I can run addAnyTCRule() perfectly,
>> >>>and it rejects ANY queries well
>> >>>(i.e. root at burak-desktop:/home/burak# dig any google.com @127.0.0.1
>> >>>;; Truncated, retrying in TCP mode.
>> >>>;; communications error: end of file).
>> >>>
>> >>>My main problem is that I couldn't manage to make dnsdistconf.lua work
>> >>>as I want, even with the command (dnsdist --local 0.0.0.0:53
>> >>>192.168.0.1 --config dnsdistconf.lua).
>> >>>
>> >>>
>> >>>Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
>> >>>
>> >>>>Well, technically if you are already listening on 192.168.0.1:53
>> >>>>you cannot bind on 0.0.0.0:53 on *same* host.
>> >>>>
>> >>>>Aki
>> >>>>
>> >>>>On Wed, Aug 26, 2015 at 08:50:47AM +0300, Burak Ozalp wrote:
>> >>>>>In another terminal i run the following command;
>> >>>>>
>> >>>>>dnsdist --local 0.0.0.0:53 192.168.0.1
>> >>>>>
>> >>>>>Is it wrong ?
>> >>>>>
>> >>>>>Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
>> >>>>>
>> >>>>>>Did you put dnsdist in front of the PowerDNS instance? Is it listening on
>> >>>>>>127.0.0.1:53?
>> >>>>>>
>> >>>>>>Aki
>> >>>>>>
>> >>>>>>On Tue, Aug 25, 2015 at 04:39:55PM +0300, Burak Ozalp wrote:
>> >>>>>>>This is my dig output;
>> >>>>>>>dig google.com @127.0.0.1
>> >>>>>>>; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> google.com @127.0.0.1
>> >>>>>>>;; global options: +cmd
>> >>>>>>>;; Got answer:
>> >>>>>>>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2143
>> >>>>>>>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
>> >>>>>>>
>> >>>>>>>;; OPT PSEUDOSECTION:
>> >>>>>>>; EDNS: version: 0, flags:; udp: 4096
>> >>>>>>>;; QUESTION SECTION:
>> >>>>>>>;google.com.                    IN      A
>> >>>>>>>
>> >>>>>>>;; ANSWER SECTION:
>> >>>>>>>google.com.             167     IN      A       216.58.209.14
>> >>>>>>>
>> >>>>>>>;; AUTHORITY SECTION:
>> >>>>>>>google.com.             30662   IN      NS      ns4.google.com.
>> >>>>>>>google.com.             30662   IN      NS      ns1.google.com.
>> >>>>>>>google.com.             30662   IN      NS      ns2.google.com.
>> >>>>>>>google.com.             30662   IN      NS      ns3.google.com.
>> >>>>>>>
>> >>>>>>>;; ADDITIONAL SECTION:
>> >>>>>>>ns1.google.com.         30944   IN      A       216.239.32.10
>> >>>>>>>ns2.google.com.         10757   IN      A       216.239.34.10
>> >>>>>>>ns3.google.com.         12219   IN      A       216.239.36.10
>> >>>>>>>ns4.google.com.         40489   IN      A       216.239.38.10
>> >>>>>>>
>> >>>>>>>;; Query time: 17 msec
>> >>>>>>>;; SERVER: 127.0.0.1#53(127.0.0.1)
>> >>>>>>>;; WHEN: Tue Aug 25 16:16:23 EEST 2015
>> >>>>>>>;; MSG SIZE  rcvd: 191
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>Quoting bert hubert <bert.hubert at powerdns.com>
>> >>>>>>>
>> >>>>>>>>Does it print out anything at all?
>> >>>>>>>>
>> >>>>>>>>Can you show a 'dig' command that shows TC:0
>> >>>>>>>>response and no fallback to
>> >>>>>>>>TCP/IP?
>> >>>>>>>>
>> >>>>>>>>Thanks!
>> >>>>>>>>
>> >>>>>>>>On Tue, Aug 25, 2015 at 02:52:33PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>Dear Bert;
>> >>>>>>>>>
>> >>>>>>>>>Firstly, thanks a lot for the fast and illustrative replies. I
>> >>>>>>>>>learned a lot of things. But I have a problem again :(
>> >>>>>>>>>I changed the blockFilter() function in the dnsdistconf.lua file to:
>> >>>>>>>>>function blockFilter(remote, qname, qtype, dh)
>> >>>>>>>>>    print("any query, tc=1")
>> >>>>>>>>>    dh:setTC(true)
>> >>>>>>>>>    dh:setQR(true)
>> >>>>>>>>>
>> >>>>>>>>>    -- 'block' must be defined earlier in dnsdistconf.lua,
>> >>>>>>>>>    -- e.g. block = newDNSName("powerdns.org") as in the dnsdist README
>> >>>>>>>>>    if qname:isPartOf(block) then
>> >>>>>>>>>        print("Blocking *.powerdns.org")
>> >>>>>>>>>        return true
>> >>>>>>>>>    end
>> >>>>>>>>>    return false
>> >>>>>>>>>end
>> >>>>>>>>>
>> >>>>>>>>>Then I did a re-installation and ran dnsdist. However, nothing
>> >>>>>>>>>changed.
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>Quoting bert hubert <bert.hubert at powerdns.com>
>> >>>>>>>>>
>> >>>>>>>>>>sent from the wrong account first, sorry.
>> >>>>>>>>>>
>> >>>>>>>>>>>Begin forwarded message:
>> >>>>>>>>>>>
>> >>>>>>>>>>>Subject: Re: [Pdns-dev] How to set PowerDNS Server with option any-to-tcp
>> >>>>>>>>>>>From: bert hubert <bert.hubert at netherlabs.nl>
>> >>>>>>>>>>>Date: 25 Aug 2015 12:39:05 CEST
>> >>>>>>>>>>>Cc: Aki Tuomi <cmouse at youzen.ext.b2.fi>,
>> >>>>>>>>>>>pdns-dev at mailman.powerdns.com
>> >>>>>>>>>>>To: Burak Ozalp <burak.ozalp at metu.edu.tr>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>>On 25 Aug 2015, at 12:24, Burak Ozalp <burak.ozalp at metu.edu.tr> wrote:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>Thanks Bert,
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>I installed dnsdist. With addAnyTCRule() I can easily do what pdns
>> >>>>>>>>>>>>any-to-tcp does. However, I couldn't manage to do it for all types
>> >>>>>>>>>>>>of queries. Should I patch the conf file?
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>Hi Burak,
>> >>>>>>>>>>>
>> >>>>>>>>>>>Try:
>> >>>>>>>>>>>
>> >>>>>>>>>>>"The blockFilter() also gets passed read/writable copy of the
>> >>>>>>>>>>>DNS Header. If you invoke setQR(1) on that, dnsdist knows you
>> >>>>>>>>>>>turned the packet into a response, and will send the answer
>> >>>>>>>>>>>directly to the original client.
>> >>>>>>>>>>>
>> >>>>>>>>>>>If you also called setTC(1), this will tell the remote client to
>> >>>>>>>>>>>move to TCP/IP, and in this way you can implement ANY-to-TCP
>> >>>>>>>>>>>even for downstream servers that lack this feature."
>> >>>>>>>>>>>
>> >>>>>>>>>>>See: https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#any-or-whatever-to-tc
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>just call setQR(1) and setTC(1) on the header field of
>> >>>>>>>>>>>blockFilter() and you are done.
>> >>>>>>>>>>>
>> >>>>>>>>>>>Good luck!
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>Best Regards
>> >>>>>>>>>>>>Burak Ozalp
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>Quoting bert hubert <bert.hubert at powerdns.com>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>>Hi Burak,
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>>dnsdist can do this easily, please see http://dnsdist.org/
>> >>>>>>>>>>>>>for more details.
>> >>>>>>>>>>>>>It can set TC on any criterion.
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>>Good luck!
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>>	Bert
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>>On Tue, Aug 25, 2015 at 09:59:12AM +0300, Burak Ozalp wrote:
>> >>>>>>>>>>>>>>Dear Tuomi,
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>Yes, it works. Is it possible to force all UDP requests to get a
>> >>>>>>>>>>>>>>truncated packet, and force all of them to use TCP?
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>Best Regards
>> >>>>>>>>>>>>>>Burak Ozalp
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>Quoting Aki Tuomi <cmouse at youzen.ext.b2.fi>
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>On Mon, Aug 24, 2015 at 03:36:02PM +0300, Burak Ozalp wrote:
>> >>>>>>>>>>>>>>>>I installed PowerDNS with the MySQL backend from here. I
>> >>>>>>>>>>>>>>>>would like to set any-to-tcp=yes for the PowerDNS Server. I
>> >>>>>>>>>>>>>>>>tried to configure the /etc/powerdns/pdns.conf file and add
>> >>>>>>>>>>>>>>>>the line "any-to-tcp=yes". This option should reject UDP
>> >>>>>>>>>>>>>>>>requests from the client and force it to use TCP. But when
>> >>>>>>>>>>>>>>>>I run dig @127.0.0.1 it doesn't set the truncated bit in
>> >>>>>>>>>>>>>>>>the response, so it doesn't work.
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>How do I set the any-to-tcp option correctly?
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>It only truncates ANY queries; try dig any domain.com @localhost
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>_______________________________________________
>> >>>>>>>>>>>>>>>>Pdns-dev mailing list
>> >>>>>>>>>>>>>>>>Pdns-dev at mailman.powerdns.com
>> >>>>>>>>>>>>>>>>http://mailman.powerdns.com/mailman/listinfo/pdns-dev
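
The mechanism Bert describes in the quoted README text (setQR(1) plus setTC(1) inside blockFilter() turning a query into a truncated response that is sent straight back) and the "every UDP query" version of it in the config at the top of this message, as an added example that is not part of the thread and is not dnsdist's code: a Python model of the header rewrite at the wire level, plus a model client that either retries over TCP on TC=1 or does not. The function names, the constructed query and answer packets, the example.com name and the 192.0.2.1 address are mine, as is the assumption that a TCP query is simply forwarded downstream (consistent with the TCP retry in Bert's dig output receiving ANSWER: 1). It does not diagnose the browser symptom reported above; it only shows that a client which never falls back to TCP gets no answer under the all-UDP policy, while the ANY-only variant (what addAnyTCRule() does) leaves ordinary A queries on UDP.

```python
"""Added example (not dnsdist's own code): a wire-level model of what the
blockFilter() in this thread does to a UDP query when it calls dh:setQR(true)
and dh:setTC(true), and how a client is expected to react.  All packets are
constructed for illustration; dnsdist's real behaviour is only modelled."""
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000  # packet is a response
TC = 0x0200  # response was truncated: client should retry over TCP
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
TYPE_A, TYPE_ANY, CLASS_IN = 1, 255, 1
HDR = ">HHHHHH"  # id, flags, qdcount, ancount, nscount, arcount


def build_query(qname, qtype, qid=0x1234):
    """Constructed client query: header with RD set, one question, no EDNS."""
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack(HDR, qid, RD, 1, 0, 0, 0) + question + struct.pack(">HH", qtype, CLASS_IN)


def parse_header(pkt):
    qid, flags, qd, an, ns, ar = struct.unpack(HDR, pkt[:12])
    return {"id": qid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "qdcount": qd, "ancount": an}


def question_qtype(pkt):
    """Walk the labels of the first question and return its QTYPE."""
    i = 12
    while pkt[i] != 0:
        i += pkt[i] + 1
    return struct.unpack(">H", pkt[i + 1:i + 3])[0]


def truncate_to_tcp(query, only_any=False):
    """Model of blockFilter() calling setQR(true)/setTC(true): the query
    header is rewritten into an empty, truncated response that goes straight
    back to the client.  Returns None when the query should be forwarded.
    only_any=True models the ANY-to-TCP variant (addAnyTCRule()); False
    models the thread's 'every UDP query' version."""
    if only_any and question_qtype(query) != TYPE_ANY:
        return None
    qid, flags, qd, an, ns, ar = struct.unpack(HDR, query[:12])
    return struct.pack(HDR, qid, flags | QR | TC, qd, 0, 0, 0) + query[12:]


def upstream_answer(query):
    """Constructed downstream answer: one A record, 192.0.2.1 (TEST-NET-1)."""
    qid, flags, qd, an, ns, ar = struct.unpack(HDR, query[:12])
    rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack(HDR, qid, (flags | QR | RA) & ~TC, qd, 1, 0, 0) + query[12:] + rr


def via_dnsdist_udp(query, only_any):
    """UDP path through the modelled dnsdist: the TC reply or the real answer."""
    forced = truncate_to_tcp(query, only_any)
    return forced if forced is not None else upstream_answer(query)


def via_dnsdist_tcp(query):
    """TCP path: assumed to be forwarded downstream unchanged."""
    return upstream_answer(query)


def stub_resolve(query, udp, tcp, retries_over_tcp=True):
    """Model of a resolver: UDP first, then TCP if the reply has TC=1.
    A stub that never retries over TCP ends up with no answer at all."""
    hdr = parse_header(udp(query))
    if not hdr["tc"]:
        return "udp", hdr
    if not retries_over_tcp:
        return "failed", None
    return "tcp", parse_header(tcp(query))


def outcomes():
    """Every combination of policy and client behaviour for an A and an ANY
    query; keys are (qtype, only_any, client_retries_over_tcp)."""
    table = {}
    for qtype in (TYPE_A, TYPE_ANY):
        q = build_query("example.com", qtype)
        for only_any in (False, True):
            for retries in (True, False):
                how, _ = stub_resolve(q, lambda p: via_dnsdist_udp(p, only_any),
                                      via_dnsdist_tcp, retries)
                table[(qtype, only_any, retries)] = how
    return table


if __name__ == "__main__":
    for (qtype, only_any, retries), how in sorted(outcomes().items()):
        print(f"{'ANY' if qtype == TYPE_ANY else 'A':>3} query, "
              f"{'ANY-only' if only_any else 'all-UDP'} policy, "
              f"client {'retries over TCP' if retries else 'never uses TCP'}: {how}")
```

Run it directly to print the outcome table. The caveat it makes visible: setting TC on every UDP query turns each lookup into a UDP exchange followed by a TCP connection and relies entirely on the client honouring TC, whereas restricting it to ANY keeps the amplification mitigation that any-to-tcp exists for without touching ordinary traffic.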