Hi Burak,

I just tested this:

addLocal("0.0.0.0:5200")
newServer("192.168.1.2")

function blockFilter(remote, qname, qtype, dh)
        -- set the TC bit so the client retries over TCP
        dh:setTC(true)
        -- mark the packet as a response so dnsdist answers the client directly
        dh:setQR(true)
        return false
end

And I get this output:

$ dig ds9a.nl @127.0.0.1 -p 5200
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> ds9a.nl @127.0.0.1 -p 5200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ds9a.nl.                       IN      A

;; ANSWER SECTION:
ds9a.nl.                349     IN      A       82.94.213.34

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5200(127.0.0.1)
;; WHEN: Wed Aug 26 14:14:31 CEST 2015
;; MSG SIZE rcvd: 41

Can you try as well?

        Bert

On Wed, Aug 26, 2015 at 09:16:33AM +0300, Burak Ozalp wrote:
> I did not run " sudo service pdns start", so I didn't bind
> 0.0.0.0:53 on same host. Also I can run addAnyTCRule() perfectly,
> and it rejects ANY queries well
> (i.e;root@burak-desktop:/home/burak# dig any google.com @127.0.0.1
> ;; Truncated, retrying in TCP mode.
> ;; communications error: end of file).
>
> My main problem is that I couldn't manage to work dnsdistconf.lua as
> I want even if with the command ( dnsdist --local 0.0.0.0:53
> 192.168.0.1 --config dnsdistconf.lua ).
>
> Quoting Aki Tuomi <cmo...@youzen.ext.b2.fi>
>
> >Well, technically if you are already listening on 192.168.0.1:53
> >you cannot bind on 0.0.0.0:53 on *same* host.
> >
> >Aki
> >
> >On Wed, Aug 26, 2015 at 08:50:47AM +0300, Burak Ozalp wrote:
> >>In another terminal I run the following command;
> >>
> >>dnsdist --local 0.0.0.0:53 192.168.0.1
> >>
> >>Is it wrong ?
> >>
> >>Quoting Aki Tuomi <cmo...@youzen.ext.b2.fi>
> >>
> >>>Did you put dnsdist in front of powerdns instance? Is it listening on
> >>>127.0.0.1:53?
> >>>
> >>>Aki
> >>>
> >>>On Tue, Aug 25, 2015 at 04:39:55PM +0300, Burak Ozalp wrote:
> >>>>This is my dig output;
> >>>>dig google.com @127.0.0.1
> >>>>; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> google.com @127.0.0.1
> >>>>;; global options: +cmd
> >>>>;; Got answer:
> >>>>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2143
> >>>>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
> >>>>
> >>>>;; OPT PSEUDOSECTION:
> >>>>; EDNS: version: 0, flags:; udp: 4096
> >>>>;; QUESTION SECTION:
> >>>>;google.com. IN A
> >>>>
> >>>>;; ANSWER SECTION:
> >>>>google.com. 167 IN A 216.58.209.14
> >>>>
> >>>>;; AUTHORITY SECTION:
> >>>>google.com. 30662 IN NS ns4.google.com.
> >>>>google.com. 30662 IN NS ns1.google.com.
> >>>>google.com. 30662 IN NS ns2.google.com.
> >>>>google.com. 30662 IN NS ns3.google.com.
> >>>>
> >>>>;; ADDITIONAL SECTION:
> >>>>ns1.google.com. 30944 IN A 216.239.32.10
> >>>>ns2.google.com. 10757 IN A 216.239.34.10
> >>>>ns3.google.com. 12219 IN A 216.239.36.10
> >>>>ns4.google.com. 40489 IN A 216.239.38.10
> >>>>
> >>>>;; Query time: 17 msec
> >>>>;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>>>;; WHEN: Tue Aug 25 16:16:23 EEST 2015
> >>>>;; MSG SIZE rcvd: 191
> >>>>
> >>>>Quoting bert hubert <bert.hub...@powerdns.com>
> >>>>
> >>>>>Does it print out anything at all?
> >>>>>
> >>>>>Can you show a 'dig' command that shows TC:0 response and no fallback to
> >>>>>TCP/IP?
> >>>>>
> >>>>>Thanks!
> >>>>>
> >>>>>On Tue, Aug 25, 2015 at 02:52:33PM +0300, Burak Ozalp wrote:
> >>>>>>Dear Bert;
> >>>>>>
> >>>>>>Firstly, thanks a lot for fast and illustrative replies. I learned a
> >>>>>>lot of things. But I have a problem again :(
> >>>>>>I change the dnsdistconf.lua file blockfilter() function as:
> >>>>>>function blockFilter(remote, qname, qtype, dh)
> >>>>>>
> >>>>>>     print("any query, tc=1")
> >>>>>>     dh:setTC(true)
> >>>>>>     dh:setQR(true)
> >>>>>>
> >>>>>>     if(qname:isPartOf(block))
> >>>>>>     then
> >>>>>>        print("Blocking *.powerdns.org")
> >>>>>>        return true
> >>>>>>     end
> >>>>>>     return false
> >>>>>>end
> >>>>>>
> >>>>>>then I did re-installation and run dnsdist. However, nothing is changed..
> >>>>>>
> >>>>>>Quoting bert hubert <bert.hub...@powerdns.com>
> >>>>>>
> >>>>>>>sent from the wrong account first, sorry.
> >>>>>>>
> >>>>>>>>Begin forwarded message:
> >>>>>>>>
> >>>>>>>>Subject: Re: [Pdns-dev] How to set PowerDNS Server with option any-to-tcp
> >>>>>>>>From: bert hubert <bert.hub...@netherlabs.nl>
> >>>>>>>>Date: 25 Aug 2015 12:39:05 CEST
> >>>>>>>>Cc: Aki Tuomi <cmo...@youzen.ext.b2.fi>, pdns-dev@mailman.powerdns.com
> >>>>>>>>To: Burak Ozalp <burak.oz...@metu.edu.tr>
> >>>>>>>>
> >>>>>>>>>On 25 Aug 2015, at 12:24, Burak Ozalp <burak.oz...@metu.edu.tr> wrote:
> >>>>>>>>>
> >>>>>>>>>Thanks Bert,
> >>>>>>>>>
> >>>>>>>>>I installed dnsdist. With addAnyTCRule() I can easily do pdns
> >>>>>>>>>any-to-tcp(). However, I couldn't manage to do for all types
> >>>>>>>>>of queries. Should I patch the conf file ?
> >>>>>>>>
> >>>>>>>>Hi Burak,
> >>>>>>>>
> >>>>>>>>Try:
> >>>>>>>>
> >>>>>>>>"The blockFilter() also gets passed read/writable copy of the
> >>>>>>>>DNS Header. If you invoke setQR(1) on that, dnsdist knows you
> >>>>>>>>turned the packet into a response, and will send the answer
> >>>>>>>>directly to the original client.
> >>>>>>>>
> >>>>>>>>If you also called setTC(1), this will tell the remote client to
> >>>>>>>>move to TCP/IP, and in this way you can implement ANY-to-TCP
> >>>>>>>>even for downstream servers that lack this feature."
> >>>>>>>>
> >>>>>>>>See:
> >>>>>>>>https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#any-or-whatever-to-tc
> >>>>>>>>
> >>>>>>>>Just call setQR(1) and setTC(1) on the header field of
> >>>>>>>>blockFilter() and you are done.
> >>>>>>>>
> >>>>>>>>Good luck!
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>>Best Regards
> >>>>>>>>>Burak Ozalp
> >>>>>>>>>
> >>>>>>>>>Quoting bert hubert <bert.hub...@powerdns.com>
> >>>>>>>>>
> >>>>>>>>>>Hi Burak,
> >>>>>>>>>>
> >>>>>>>>>>dnsdist can do this easily, please see http://dnsdist.org/
> >>>>>>>>>>for more details.
> >>>>>>>>>>It can set TC on any criterion.
> >>>>>>>>>>
> >>>>>>>>>>Good luck!
> >>>>>>>>>>
> >>>>>>>>>> Bert
> >>>>>>>>>>
> >>>>>>>>>>On Tue, Aug 25, 2015 at 09:59:12AM +0300, Burak Ozalp wrote:
> >>>>>>>>>>>Dear Tuomi,
> >>>>>>>>>>>
> >>>>>>>>>>>Yes it works. Is it possible to force all UDP requests with
> >>>>>>>>>>>truncated packet, and force all to use TCP ?
> >>>>>>>>>>>
> >>>>>>>>>>>Best Regards
> >>>>>>>>>>>Burak Ozalp
> >>>>>>>>>>>
> >>>>>>>>>>>Quoting Aki Tuomi <cmo...@youzen.ext.b2.fi>
> >>>>>>>>>>>
> >>>>>>>>>>>>On Mon, Aug 24, 2015 at 03:36:02PM +0300, Burak Ozalp wrote:
> >>>>>>>>>>>>>I install PowerDNS with MySql backend from here. I would like to set
> >>>>>>>>>>>>>any-to-tcp=yes for PowerDNS Server. I tried to configure
> >>>>>>>>>>>>>/etc/powerdns/pdns.conf file and add a line "any-to-tcp=yes". This
> >>>>>>>>>>>>>option should reject UDP request from client and force to use tcp.
> >>>>>>>>>>>>>But when I run dig @127.0.0.1 it doesn't set the truncated bit in
> >>>>>>>>>>>>>response, so it doesn't work.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>How to set correctly any-to-tcp option ?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>It only truncates ANY query, try dig any domain.com @localhost
> >>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>_______________________________________________
> >>>>>>>>>>>>>Pdns-dev mailing list
> >>>>>>>>>>>>>Pdns-dev@mailman.powerdns.com
> >>>>>>>>>>>>>http://mailman.powerdns.com/mailman/listinfo/pdns-dev