Re: [dnsdist] how to increase connection qlen on DoH listener?
> please open a feature request [1] if you
> think it's worth it.

thanks for considering this
https://github.com/PowerDNS/pdns/issues/8986

>> Reading
>> https://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html
>> I would expect that you want to increase kern.ipc.soacceptqueue
>>
>> -Otto
>
> https://docs.freebsd.org/doc/12.1-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/configtuning-kernel-limits.html
>
> confirms that that is very likely the proper sysctl for your version,

They are the same setting but as Remi said it is not supported by dnsdist.

from listen(2):

     The kern.ipc.somaxconn sysctl(3) has been replaced with
     kern.ipc.soacceptqueue in FreeBSD 10.0 to prevent confusion about its
     actual functionality. The original sysctl(3) kern.ipc.somaxconn is
     still available but hidden from a sysctl(3) -a output so that existing
     applications and scripts continue to work.

___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
Re: [dnsdist] A SNI with a raw IPv6 address closes the DoT connection
On Mon, Mar 30, 2020 at 12:15:41PM +0200,
 Remi Gacogne via dnsdist wrote
 a message of 73 lines which said:

> What tool are you using to test? I can't reproduce that behaviour with
> openssl s_client,

I can:

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername 2001:db8::1
CONNECTED(0003)
closed
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername dot.bortzmeyer.fr
CONNECTED(0003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dot.bortzmeyer.fr
verify return:1
---
Certificate chain
 0 s:CN = dot.bortzmeyer.fr
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
[Everything works]

Since dot.bortzmeyer.fr is a pristine dnsdist 1.4.0, could it be a
paranoid IPS somewhere on the path? (AFAIK, there is none but you never
know, these days. As long as we don't have encrypted SNI, we will have
these issues.)
Re: [dnsdist] how to increase connection qlen on DoH listener?
Hi Christoph,

On 3/29/20 8:25 PM, Christoph via dnsdist wrote:
> after restarting dnsdist we noticed that while nginx takes
> the new setting into account dnsdist remains at 128:
>
> netstat -Lan
> Current listen queue sizes (qlen/incqlen/maxqlen)
> Proto Listen
> tcp4 0/0/128 <<< dnsdist
> tcp4 5/0/2048 <<< nginx
>
>
> Is there a way to tell dnsdist to increase the connection queue on the
> DoH listener?

I'm afraid there is currently no way to do this. We call listen() with
SOMAXCONN, which defaults to 128 on most Unixes. We could make that
value configurable since SOMAXCONN is no longer a hard limit on several
systems including Linux, so please open a feature request [1] if you
think it's worth it.

> I also tried:
> setMaxTCPQueuedConnections(2048)
>
> from:
> https://dnsdist.org/reference/tuning.html

This is an unrelated setting, controlling the number of connections we
are willing to queue in our internal pipe.

[1]: https://github.com/PowerDNS/pdns/issues/new/choose

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
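As an added example (not code from the thread or from dnsdist), a small Python checker that parses `netstat -Lan` output in the form quoted above, plus the kernel's "Listen queue overflow" log line, and flags listeners whose backlog is still at the 128 SOMAXCONN default or whose pending queue is close to its limit. The netstat rows and the log line are constructed samples; the Local Address column and the exact log prefix are assumptions.

```python
import re
from typing import NamedTuple

# Constructed sample of FreeBSD `netstat -Lan` output; the Local Address
# column is assumed (the thread quoted only the Proto and Listen columns).
SAMPLE_NETSTAT = """\
Current listen queue sizes (qlen/incqlen/maxqlen)
Proto Listen         Local Address
tcp4  0/0/128        *.443
tcp4  5/0/2048       *.8443
tcp6  120/0/128      *.853
"""
# Constructed kernel log line in the shape quoted in the thread (prefix assumed).
SAMPLE_LOG = [
    "Mar 29 18:10:02 dns1 kernel: sonewconn: Listen queue overflow: "
    "193 already in queue awaiting acceptance",
]

class ListenQueue(NamedTuple):
    proto: str
    qlen: int      # unaccepted, completed connections
    incqlen: int   # unaccepted, incomplete (handshake pending) connections
    maxqlen: int   # backlog passed to listen(), capped by the kernel sysctl
    local: str

LINE_RE = re.compile(r"^(tcp[46]?|udp[46]?)\s+(\d+)/(\d+)/(\d+)\s+(\S+)")
OVERFLOW_RE = re.compile(r"Listen queue overflow: (\d+) already in queue")

def parse_netstat_l(text: str) -> list[ListenQueue]:
    """Parse the per-socket lines of `netstat -L` into ListenQueue records."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(ListenQueue(m[1], int(m[2]), int(m[3]), int(m[4]), m[5]))
    return rows

def check_backlogs(rows: list[ListenQueue], default_backlog: int = 128,
                   high_water: float = 0.8) -> list[str]:
    """Flag listeners stuck at the listen() default and listeners near overflow."""
    findings = []
    for q in rows:
        if q.maxqlen == default_backlog:
            findings.append(f"{q.local}: backlog still at SOMAXCONN default {default_backlog}")
        if q.qlen >= high_water * q.maxqlen:
            findings.append(f"{q.local}: {q.qlen}/{q.maxqlen} pending, near overflow")
    return findings

def overflow_counts(log_lines: list[str]) -> list[int]:
    # Extract the queued-connection count from each overflow log line.
    return [int(m[1]) for line in log_lines if (m := OVERFLOW_RE.search(line))]
```

Run against live output with `parse_netstat_l(subprocess.run(["netstat", "-Lan"], capture_output=True, text=True).stdout)`; a listener that is still at 128 after raising kern.ipc.soacceptqueue is one whose daemon passes a fixed backlog to listen(), as dnsdist does here.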
Re: [dnsdist] A SNI with a raw IPv6 address closes the DoT connection
Hello Stephane,

On 3/27/20 12:20 PM, Stephane Bortzmeyer via dnsdist wrote:
> I observe that sending a SNI which is a host name or an IPv4 address
> works fine but when the SNI is a raw IPv6 address, the TLS connection
> is immediately closed by the server.
>
> Is it my fault or the one of dnsdist?

What tool are you using to test? I can't reproduce that behaviour with
openssl s_client, but I'm not sure I'm sending a "raw IPv6 address" in
the same way you are:

openssl s_client -connect 127.0.0.1:853 -servername 2001:db8::1

With this command the DoT connection is accepted by dnsdist (with the
OpenSSL DoT provider) and `dq:getServerNameIndication()` returns
'2001:db8::1'.

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
Re: [dnsdist] how to increase connection qlen on DoH listener?
On Mon, Mar 30, 2020 at 08:37:24AM +0200, Otto Moerbeek via dnsdist wrote:
> On Sun, Mar 29, 2020 at 06:20:00PM +, Christoph via dnsdist wrote:
>
> > Hi,
> >
> > due to log entries saying:
> > "Listen queue overflow: 193 already in queue awaiting acceptance"
> > we increased
> > kern.ipc.somaxconn to 2048
> >
> >
> > after restarting dnsdist we noticed that while nginx takes
> > the new setting into account dnsdist remains at 128:
> >
> > netstat -Lan
> > Current listen queue sizes (qlen/incqlen/maxqlen)
> > Proto Listen
> > tcp4 0/0/128 <<< dnsdist
> > tcp4 5/0/2048 <<< nginx
> >
> >
> > Is there a way to tell dnsdist to increase the connection queue on the
> > DoH listener?
> >
> > I didn't see something like that in the documentation:
> > https://dnsdist.org/reference/config.html?highlight=adddohlocal#addDOHLocal
> >
> >
> > This is on FreeBSD 12.1 with dnsdist v1.4.0
> >
> > thanks,
> > Christoph
> >
> >
> > refs:
> >
> > kern.ipc.somaxconn: Maximum listen socket pending connection accept
> > queue size
> >
> > from FreeBSD netstat(1) manual page:
> > -L Show the size of the various listen queues. The first
> > count shows the number of unaccepted connections, the
> > second count shows the amount of unaccepted incomplete
> > connections, and the third count is the maximum number of
> > queued connections.
> >
>
> Reading
> https://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html
> I would expect that you want to increase kern.ipc.soacceptqueue
>
> -Otto

https://docs.freebsd.org/doc/12.1-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/configtuning-kernel-limits.html

confirms that that is very likely the proper sysctl for your version,

-Otto
Re: [dnsdist] how to increase connection qlen on DoH listener?
On Sun, Mar 29, 2020 at 06:20:00PM +, Christoph via dnsdist wrote:

> Hi,
>
> due to log entries saying:
> "Listen queue overflow: 193 already in queue awaiting acceptance"
> we increased
> kern.ipc.somaxconn to 2048
>
>
> after restarting dnsdist we noticed that while nginx takes
> the new setting into account dnsdist remains at 128:
>
> netstat -Lan
> Current listen queue sizes (qlen/incqlen/maxqlen)
> Proto Listen
> tcp4 0/0/128 <<< dnsdist
> tcp4 5/0/2048 <<< nginx
>
>
> Is there a way to tell dnsdist to increase the connection queue on the
> DoH listener?
>
> I didn't see something like that in the documentation:
> https://dnsdist.org/reference/config.html?highlight=adddohlocal#addDOHLocal
>
>
> This is on FreeBSD 12.1 with dnsdist v1.4.0
>
> thanks,
> Christoph
>
>
> refs:
>
> kern.ipc.somaxconn: Maximum listen socket pending connection accept
> queue size
>
> from FreeBSD netstat(1) manual page:
> -L Show the size of the various listen queues. The first
> count shows the number of unaccepted connections, the
> second count shows the amount of unaccepted incomplete
> connections, and the third count is the maximum number of
> queued connections.
>

Reading
https://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html
I would expect that you want to increase kern.ipc.soacceptqueue

-Otto