Re: [dnsdist] PowerDNS DNSdist 1.9.3 released

2024-05-06 Thread Stephane Bortzmeyer via dnsdist
On Mon, May 06, 2024 at 12:54:05PM +0200,
 Marco Davids (SIDN) via dnsdist  wrote 
 a message of 1346 lines which said:

> Is there a specific reason why the Alpine package (in Alpine Edge) of
> DNSdist comes without DoQ support?

Because the QUIC library quiche does not seem packaged?

https://pkgs.alpinelinux.org/packages?name=quiche=edge===

It is a common problem with QUIC: there are very few "official"
packages (not just on Alpine).
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist


Re: [dnsdist] Unveiling Digitology: The Pinnacle of Digital Marketing Excellence in Egypt

2024-01-08 Thread Stephane Bortzmeyer via dnsdist
On Mon, Jan 08, 2024 at 02:57:17PM +0200,
 seo 2023 via dnsdist  wrote 
 a message of 417 lines which said:

> - Innovative Strategies: Their forward-thinking approach keeps them ahead
> in the digital game.
> 
> - Customer-Centric Focus: They listen, understand, and deliver beyond
> expectations.
> 
> - Data-Driven Decisions: Leveraging data analytics, they make informed
> decisions that drive growth.

Good description of dnsdist.


Re: [dnsdist] Some statistics I would like to have

2023-06-13 Thread Stephane Bortzmeyer via dnsdist
On Tue, Jun 13, 2023 at 10:23:26AM +0200,
 Remi Gacogne via dnsdist  wrote 
 a message of 85 lines which said:

> You should be able to find what you are looking for in the output of
> "showTCPStats()".

Ah, yes, thanks. But the numbers are disconcerting. I see twice as
many queries per connection over IPv4 as over IPv6, but only for DoT. For
DoH, it is the opposite. This may simply be because it is a small
resolver, so the numbers are not statistically significant.

> But more importantly, dnsdist forwards queries received over DoH using UDP,
> while queries received over DoT are forwarded over TCP, unless the backend
> has been configured as TCP-only, DoT or DoH.

Which is the case, no?

newServer({address="[::1]:853", name="Local-Unbound", tls="openssl", 
subjectName="dot-backend.bortzmeyer.fr", validateCertificates=true, 
useClientSubnet=false, maxInFlight=1024})



[dnsdist] Some statistics I would like to have

2023-06-12 Thread Stephane Bortzmeyer via dnsdist
I'm wondering about the average number of DNS queries per DoT/DoH
connection (to see if the setup "cost" is amortized over enough
requests). I do not find something like that in the output of
dumpStats (I have the number of queries but not the number of
connections). Any idea?

Also, the Web interface tells me:
Average response time: [...] DoT 357.45 ms, DoH 531.12 ms
I assumed, may be wrongly, that this response time depended on the
time required to fetch the response and so was the same for DoT and
DoH. Why not?



Re: [dnsdist] Second Release Candidate of PowerDNS DNSdist 1.8.0

2023-03-09 Thread Stephane Bortzmeyer via dnsdist
On Thu, Mar 09, 2023 at 10:25:33AM +0100,
 Remi Gacogne via dnsdist  wrote 
 a message of 94 lines which said:

> https://downloads.powerdns.com/releases/dnsdist-8.0-rc2.tar.bz2

404. The correct one seems to be
.


Re: [dnsdist] dnsdist 1.7 : allow only A request

2023-03-09 Thread Stephane Bortzmeyer via dnsdist
On Thu, Mar 09, 2023 at 04:25:12PM +0000,
 david n via dnsdist  wrote 
 a message of 149 lines which said:

> I tried many ways

Which ones?

> but none are working.

I guess that a Lua custom action is probably the best solution, such as:

function luarule(dq)
  -- Answer NXDOMAIN to everything that is not an A or AAAA query
  if dq.qtype ~= DNSQType.A and dq.qtype ~= DNSQType.AAAA then
    return DNSAction.Nxdomain, ""
  else
    return DNSAction.Allow, ""
  end
end
addAction(AllRule(), LuaAction(luarule))

(Untested)

> I just want DnsDist to only answer A or AAAA requests.

It seems a very bad idea (for instance, it will break old QNAME
minimization) so I suggest not doing it.


Re: [dnsdist] dnsdist uptime

2021-10-29 Thread Stephane Bortzmeyer via dnsdist
On Tue, Oct 26, 2021 at 07:32:51AM +0000,
 SAMI RAHAL via dnsdist  wrote 
 a message of 125 lines which said:

> I see an "Uptime:" on the Web console which is always less than one
> day, even if I never restart the server.

The log of your system may tell you why (a bug crashing the server,
or a lack of memory forcing the system to kill dnsdist, for
instance).





Re: [dnsdist] dnsdist: tls support webserver api ?

2021-09-06 Thread Stephane Bortzmeyer via dnsdist
On Fri, Sep 03, 2021 at 09:17:19AM +0000,
 dmachard via dnsdist  wrote 
 a message of 149 lines which said:

> I would like to know if  it's planned to support tls on the
> webserver api and web interface ?

In the meantime, I use stunnel in front of dnsdist.

Configuration of dnsdist:

webserver("[::1]:8082")
setWebserverConfig(... whatever)

Configuration of stunnel:

; TLS front-end to a web server
[dnsdist]
; Accepts both IPv4 and IPv6
accept  = :::8083
connect = localhost-ipv6:8082
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.key

Certificates are obtained from CAcert but any CA you recognize will
work.


Re: [dnsdist] First alpha release of dnsdist 1.6.0

2021-02-04 Thread Stephane Bortzmeyer via dnsdist
On Wed, Feb 03, 2021 at 10:23:53AM +0100,
 Stephane Bortzmeyer via dnsdist  wrote 
 a message of 35 lines which said:

> Indeed, DoH has no issue, it is purely a DoT problem.
> 
> I'm currently testing with maxInFlight=0 on everything (addTLSLocal
> and newServer).

Not better, I went back to 1.5.1.


Re: [dnsdist] First alpha release of dnsdist 1.6.0

2021-02-03 Thread Stephane Bortzmeyer via dnsdist
On Wed, Feb 03, 2021 at 10:44:55AM +0100,
 Remi Gacogne  wrote 
 a message of 59 lines which said:

> Do you see the timeouts with both Remoh and the getdns-based
> program?

Yes.

> It might be interesting to know if that makes the issue go away,
> yes. But please don't break your service for that,

Well, this is that, or going back to 1.5.


Re: [dnsdist] First alpha release of dnsdist 1.6.0

2021-02-03 Thread Stephane Bortzmeyer via dnsdist
On Wed, Feb 03, 2021 at 09:56:02AM +0100,
 Remi Gacogne  wrote 
 a message of 47 lines which said:

> Did you also enable out-of-order between dnsdist and the backend, using
> maxInFlight on the newServer() directive?

Yes:

newServer({address="127.0.0.1:53", name="Local-Unbound", useClientSubnet=false, 
maxInFlight=256})

The backend is an Unbound, used over UDP.

> Do you know if the backend does indeed support out-of-order?

Is it relevant when you talk to the backend over UDP? 

> However in your case I'm guessing the monitoring scripts do not really do
> pipelining,

Correct. One request, on one connection.

> Note that client-side DoH in dnsdist has always supported
> out-of-order, as the underlying design of HTTP/2 made that quite
> easy, so nothing should change for DoH in 1.6.0.

Indeed, DoH has no issue, it is purely a DoT problem.

I'm currently testing with maxInFlight=0 on everything (addTLSLocal
and newServer). Should I also test with maxInFlight=256 on addTLSLocal
but maxInFlight=0 on newServer?


Re: [dnsdist] First alpha release of dnsdist 1.6.0

2021-02-03 Thread Stephane Bortzmeyer via dnsdist
On Tue, Feb 02, 2021 at 02:10:45PM +0100,
 Remi Gacogne via dnsdist  wrote 
 a message of 149 lines which said:

> We are proud to announce the first alpha release of dnsdist 1.6.0.

Executive summary: be careful before activating out-of-order
processing on DoT servers. Read on.

Background: I manage a (very) small public DoT and DoH resolver. It is
automatically monitored from Icinga with two programs, one written in
Python  and the other in C
(based on getdns). So, I can know what happens when I sleep.

I upgraded to 1.6.0 Alpha and the server is running for 18 hours.

So, the big issue: *much* more timeouts are reported by the monitoring
system. With 1.4 and 1.5, everything was smooth, now I have timeouts
all the time.

It only affects DoT, not DoH, so I presume it is not the fault of the
machine or the network.

DoT was configured with maxInFlight=256, I've just gone back to
maxInFlight=0 to see if it makes a difference.


Re: [dnsdist] Latency of the DNS resolver

2021-02-02 Thread Stephane Bortzmeyer via dnsdist
On Sat, Jan 30, 2021 at 06:11:01PM +0000,
 SAMI RAHAL via dnsdist  wrote 
 a message of 228 lines which said:

> I want to know the normal response from a dns resolver server in
> general (the value in ms)

For an authoritative server, it is *sometimes* possible to discuss
"typical" or "expected" response times, but it is impossible for a
resolver.

If the data is in the cache, the resolver replies in one or two
milliseconds or less, if it's "local".

If it is not in the cache, all bets are off since the response time
depends on the authoritative name servers of the queried domain. Huge
latencies are possible if they are far away or slow.

That's why it is very difficult to benchmark resolvers.


Re: [dnsdist] dnsdist 1.5.1 doh + options bug ?

2020-10-06 Thread Stephane Bortzmeyer via dnsdist
On Mon, Oct 05, 2020 at 08:14:04PM -0400,
 Dave Knight via dnsdist  wrote 
 a message of 121 lines which said:

> I did some fiddling in the config and found that DoH doesn't work
> for a listener configured where addDOHLocal has { options }.

For the record, I use options with DoH and 1.5.0 and it works
flawlessly. This is the relevant line in my config:

addDOHLocal("[::]:443", "/etc/dnsdist/server-doh.pem", 
"/etc/dnsdist/server-doh.key",  {"/", "/rfc", "/about", "/policy", "/help"}, 
{minTLSVersion="tls1.2", cipher="HIGH", 
customResponseHeaders={["link"]="
 rel=\"service-meta\"; type=\"text/html\""}})


Re: [dnsdist] [EXT] Re: dnsdist timeout with unknown opcode query

2020-09-23 Thread Stephane Bortzmeyer via dnsdist
On Wed, Sep 23, 2020 at 05:26:34PM +0200,
 Remi Gacogne via dnsdist  wrote 
 a message of 72 lines which said:

> I believe it's the first time someone actually cares about that
> case,

I think it's the fault of RFC 8906, published yesterday, where this
test is explicitly described :-)

https://www.rfc-editor.org/info/rfc8906


Re: [dnsdist] dnsdist timeout with unknown opcode query

2020-09-23 Thread Stephane Bortzmeyer via dnsdist
On Wed, Sep 23, 2020 at 04:56:05PM +0200,
 Remi Gacogne via dnsdist  wrote 
 a message of 76 lines which said:

> +header-only instructs dig to send a query without a question
> section (qdcount is 0), and dnsdist doesn't support that. The query
> is deemed invalid and discarded before any counter can be
> incremented.

But in that case, surely dnsdist should reply FORMERR instead?
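The behaviour discussed in this thread and in the RFC 8906 one above, as an added example written for this page (not dnsdist code): a front-end that answers a header-only query (QDCOUNT=0, what `dig +header-only` sends) with FORMERR and an unsupported opcode with NOTIMP, instead of dropping the query, so the client sees an error rather than a timeout. The sample queries are constructed inline, and forwarding only opcode QUERY is an assumption of the example.

```python
import struct

RCODE_FORMERR, RCODE_NOTIMP = 1, 4
OPCODE_QUERY = 0            # assumption: the only opcode this front-end forwards


def error_reply(query):
    """Return a header-only NOTIMP/FORMERR reply for an unsupported or malformed
    query, or None when the query is fine and should simply be processed."""
    if len(query) < 12:
        return None                       # not even a header: nothing to answer
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", query[:12])
    if flags & 0x8000:
        return None                       # QR=1: a response, never answer it
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_QUERY:
        rcode = RCODE_NOTIMP              # RFC 8906: unknown opcode -> NOTIMP
    elif qdcount == 0:
        rcode = RCODE_FORMERR             # no question section -> FORMERR
    else:
        return None
    # QR=1, same ID and opcode as the query, no other flags, empty sections
    reply_flags = 0x8000 | (opcode << 11) | rcode
    return struct.pack("!6H", msg_id, reply_flags, 0, 0, 0, 0)


def build_query(opcode=0, with_question=True, msg_id=0x2A2A):
    """Constructed query for example.com/A with RD set; optionally no question."""
    question = (b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                if with_question else b"")
    flags = (opcode << 11) | 0x0100
    return struct.pack("!6H", msg_id, flags, int(with_question), 0, 0, 0) + question


def rcode_of(reply):
    """RCODE of a reply: the low four bits of its flags word."""
    return struct.unpack("!H", reply[2:4])[0] & 0xF
```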


Re: [dnsdist] Uptime always resetted?

2020-09-20 Thread Stephane Bortzmeyer via dnsdist
On Wed, Sep 16, 2020 at 04:57:59PM +0200,
 Winfried Angele  wrote 
 a message of 47 lines which said:

> I'm using 2.2.6 since its release and have never had a problem with
> it. Worth a try I'd say. It would also be interesting if you could
> somehow narrow it down to give the developers a chance to fix it.

I downgraded h2o to 2.2.6 (instead of the 2.3 beta) and, indeed, no
more crashes.


Re: [dnsdist] Uptime always resetted?

2020-09-16 Thread Stephane Bortzmeyer via dnsdist
On Wed, Sep 16, 2020 at 12:27:21PM +0200,
 Winfried Angele  wrote 
 a message of 60 lines which said:

> Yes, since 1.4.0-rc2 update h2o to 2.2.6 is recommended anyhow

OK, I'll try to downgrade h2o to see if it's better. Note that the
author of h2o does not think it will help




[dnsdist] Uptime always resetted?

2020-09-16 Thread Stephane Bortzmeyer via dnsdist
On the Web console, I see an "Uptime:" which is always less than one
day, even if I never restart the server (version 1.5.0). I assume
dnsdist is automatically restarted (by systemd?) but I would like to
know if it is true and why.

(I never noticed that before 1.5. Running on Arch Linux.)




Re: [dnsdist] Can dnsdist answer difference server IP with difference source IP

2020-08-14 Thread Stephane Bortzmeyer via dnsdist
On Tue, Aug 11, 2020 at 01:27:10PM +0700,
 วัชระ กางกั้น via dnsdist  wrote 
 a message of 68 lines which said:

> And I have only one DNS Service with dnsdist in DMZ.

What is the "real" DNS server? If it supports the proxy protocol, you
may configure dnsdist (if version >= 1.5.0) to relay the source IP
address to the backend server, which may then decide to give different
answers to local and remote clients.


Re: [dnsdist] Fourth release candidate for dnsdist 1.5.0

2020-07-20 Thread Stephane Bortzmeyer via dnsdist
On Mon, Jul 20, 2020 at 08:10:50AM +0200,
 Otto Moerbeek  wrote 
 a message of 50 lines which said:

> Removing the extra assignment opetor should work. 

Indeed, it now compiles and runs, thanks.


Re: [dnsdist] Fourth release candidate for dnsdist 1.5.0

2020-07-19 Thread Stephane Bortzmeyer via dnsdist
On Tue, Jul 07, 2020 at 04:41:00PM +0200,
 Remi Gacogne via dnsdist  wrote 
 a message of 84 lines which said:

> While we expected the third release candidate for dnsdist 1.5.0 to be
> the last one, a race condition that could lead to a crash was discovered
> by Tomas Krizek from CZ.NIC with the DNS Shotgun tool, leading to a new
> release candidate.

Does not compile:

  CXX  doh.o
doh.cc: In function ‘void doh_dispatch_query(DOHServerConfig*, h2o_handler_t*, 
h2o_req_t*, std::string&&, const ComboAddress&, const ComboAddress&, 
std::string&&)’:
doh.cc:677:24: error: expected primary-expression before ‘=’ token
  677 | const char * sni = = h2o_socket_get_ssl_server_name(sock);
  |^
make[2]: *** [Makefile:1351: doh.o] Error 1
make[2]: Leaving directory '/home/stephane/DoH/dnsdist/dnsdist-1.5.0-rc4'
make[1]: *** [Makefile:1478: all-recursive] Error 1
make[1]: Leaving directory '/home/stephane/DoH/dnsdist/dnsdist-1.5.0-rc4'
make: *** [Makefile:1109: all] Error 2
nice make  689.79s user 101.42s system 95% cpu 13:48.71 total

I had no problem with all the 1.5.0rc* before.

Arch Linux, x86_64

% g++ -v
Using built-in specs.
COLLECT_GCC=g++
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/10.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure --prefix=/usr --libdir=/usr/lib 
--libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info 
--with-bugurl=https://bugs.archlinux.org/ 
--enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++,d --with-isl 
--with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit 
--enable-cet=auto --enable-checking=release --enable-clocale=gnu 
--enable-default-pie --enable-default-ssp --enable-gnu-indirect-function 
--enable-gnu-unique-object --enable-install-libiberty --enable-linker-build-id 
--enable-lto --enable-multilib --enable-plugin --enable-shared 
--enable-threads=posix --disable-libssp --disable-libstdcxx-pch 
--disable-libunwind-exceptions --disable-werror 
gdc_include_dir=/usr/include/dlang/gdc
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 10.1.0 (GCC) 


Re: [dnsdist] A SNI with a raw IPv6 address closes the DoT connection

2020-03-30 Thread Stephane Bortzmeyer via dnsdist
On Mon, Mar 30, 2020 at 12:15:41PM +0200,
 Remi Gacogne via dnsdist  wrote 
 a message of 73 lines which said:

> What tool are you using to test? I can't reproduce that behaviour with
> openssl s_client,

I can:

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername 2001:db8::1
CONNECTED(00000003)
closed
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername dot.bortzmeyer.fr
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dot.bortzmeyer.fr
verify return:1
---
Certificate chain
 0 s:CN = dot.bortzmeyer.fr
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
[Everything works]

Since dot.bortzmeyer.fr is a pristine dnsdist 1.4.0, could it be a
paranoid IPS somewhere on the path? (AFAIK, there is none but you
never know, these days. As long as we don't have encrypted SNI, we
will have these issues.)


[dnsdist] A SNI with a raw IPv6 address closes the DoT connection

2020-03-27 Thread Stephane Bortzmeyer via dnsdist
I observe that sending a SNI which is a host name or an IPv4 address
works fine but when the SNI is a raw IPv6 address, the TLS connection
is immediately closed by the server.

Is it my fault or the one of dnsdist?

dnsdist 1.4.0 (Lua 5.1.4 [LuaJIT 2.0.5])
Enabled features: cdb dns-over-tls(gnutls openssl) dns-over-https(DOH) ebpf 
ipcipher libsodium lmdb protobuf recvmmsg/sendmmsg systemd


Re: [dnsdist] DNSSEC validation result

2020-03-09 Thread Stephane Bortzmeyer via dnsdist
On Tue, Mar 03, 2020 at 12:50:20PM +0100,
 Remi Gacogne via dnsdist  wrote 
 a message of 104 lines which said:

> Be careful that recent versions of dig are setting AD=1 by default
> but a lot of DoH and DoT clients aren't.

This is what I missed. Thank you. I now understand that dnsdist is
right.


[dnsdist] DNSSEC validation result

2020-02-29 Thread Stephane Bortzmeyer via dnsdist
I run a DoH and DoT resolver with dnsdist. The backend resolvers
validate (I can test them with dig and see the AD bit.) But dnsdist
returns the AD bit to the client only when the client uses the DO
bit. (Unlike, for instance, Unbound, or Cloudflare's 1.1.1.1, which
always return AD if the domain validates, regardless of DO.)

Is it on purpose? I don't see why.

RFC 6840 mentions this behavior only for the case when the *client*
uses the AD bit.


Re: [dnsdist] Latency Stats Not Updating?

2019-12-20 Thread Stephane Bortzmeyer
On Fri, Dec 20, 2019 at 10:04:41AM -0500,
 Brian Sullivan  wrote 
 a message of 83 lines which said:

> I am using version 1.4.0 of dnsdist.

Me too, and I didn't enable anything special.

  "latency-avg100": 108417.14787735096,
  "latency-avg1000": 120915.88422331357,
  "latency-avg10000": 117965.05070504802,
  "latency-avg1000000": 19347.684001277696,
  "latency-count": 367387,
  "latency-slow": 2783,
  "latency-sum": 21935585,
  "latency0-1": 173171,
  "latency1-10": 20897,
  "latency10-50": 59862,
  "latency100-1000": 50622,
  "latency50-100": 24614,



Re: [dnsdist] DoT/DoH - how to disable TLS < 1.3

2019-11-28 Thread Stephane Bortzmeyer
On Thu, Nov 28, 2019 at 09:51:04AM +0100,
 Aleš Rygl  wrote 
 a message of 160 lines which said:

> I would like to to disable TLS versions in DoT/DoH lower than 1.3 from
> security reasons. I am trying to use:
> 
> addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem', {
> minTLSVersion='tls1.3', provider='OpenSSL' })

For DoH, I use:

addDOHLocal("[::]:443", "/etc/dnsdist/server-doh.pem", 
"/etc/dnsdist/server-doh.key", "/", {minTLSVersion="tls1.2", cipher="HIGH"})

And it seems to work (no TLS 1.1):

% ./testssl.sh doh.bortzmeyer.fr
...
 SSLv2  not offered (OK)
 SSLv3  not offered (OK)
 TLS 1  not offered
 TLS 1.1not offered
 TLS 1.2offered (OK)
 TLS 1.3offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 h2 (offered)

For DoT, I use GnuTLS:

addTLSLocal("[::]:853", "/etc/dnsdist/server-dot.pem", 
"/etc/dnsdist/server-dot.key", {minTLSVersion="tls1.2", provider="GnuTLS", 
ciphers="PFS:-VERS-TLS1.1:-VERS-TLS1.0"})

And it works as well:

% ./testssl.sh dot.bortzmeyer.fr:853
...
 SSLv2  not offered (OK)
 SSLv3  not offered (OK)
 TLS 1  not offered
 TLS 1.1not offered
 TLS 1.2offered (OK)
 TLS 1.3offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

Never tried forcing TLS >= 1.3.



[dnsdist] [DoH] Cache control

2019-11-26 Thread Stephane Bortzmeyer
By default, dnsdist 1.4.0 working as a DoH resolver does not send
cache control headers (Cache-control:, Expires:, Last-Modified:…)

< HTTP/2 200 
< server: h2o/dnsdist
< content-type: application/dns-message
< content-length: 88

I do not find how to enable them. The RFC 8484 (section 5.1)
recommends Cache-control: based on the TTL.

cache-control = max-age=3709
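Added example written for this page (not dnsdist's code), covering two threads: the DNSSEC validation result one (RFC 6840 section 5.7: return AD only when the query carried AD=1 or the EDNS DO bit, which dig sets by default and many DoH/DoT clients do not) and this cache-control one (RFC 8484 section 5.1 derives the HTTP freshness lifetime from the DNS TTLs). The sample query and response are constructed inline; the negative-answer branch (SOA TTL and MINIMUM, RFC 2308) and the fallback to 0 are this example's reading of the RFCs.

```python
import struct

FLAG_AD = 1 << 5                 # AD bit in the header flags word
EDNS_DO = 1 << 15                # DO bit, carried in the OPT RR's TTL field
TYPE_A, TYPE_SOA, TYPE_OPT = 1, 6, 41

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:    # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse(msg):
    """Parse the header, skip the question, list (section, type, ttl, rdata)."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # QTYPE + QCLASS
    rrs = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rrs.append((section, rtype, ttl, msg[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
    return msg_id, flags, rrs

def query_wants_ad(query):
    """RFC 6840 5.7: set AD in the reply only if the query had AD=1 or DO=1."""
    _, flags, rrs = parse(query)
    if flags & FLAG_AD:
        return True
    return any(sec == "additional" and rtype == TYPE_OPT and bool(ttl & EDNS_DO)
               for sec, rtype, ttl, _ in rrs)

def doh_max_age(response):
    """Seconds for 'Cache-Control: max-age=' on a DoH response (RFC 8484 5.1):
    the smallest Answer TTL; for a negative answer the RFC 2308 bound from the
    Authority SOA (min of its TTL and MINIMUM field); otherwise 0."""
    _, _, rrs = parse(response)
    answer_ttls = [ttl for sec, _, ttl, _ in rrs if sec == "answer"]
    if answer_ttls:
        return min(answer_ttls)
    for sec, rtype, ttl, rdata in rrs:
        if sec == "authority" and rtype == TYPE_SOA:
            minimum = struct.unpack("!I", rdata[-4:])[0]   # MINIMUM: last SOA field
            return min(ttl, minimum)
    return 0

# ---- constructed sample messages (not captured traffic) ---------------------
def _name(text):
    return b"".join(bytes([len(p)]) + p.encode() for p in text.split(".")) + b"\0"

def _rr(owner, rtype, ttl, rdata, rclass=1):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

QUESTION = _name("example.com") + struct.pack("!HH", TYPE_A, 1)

def build_query(ad=False, do=False):
    """example.com/A query with RD set, optionally AD=1 and/or an OPT RR with DO=1."""
    flags = 0x0100 | (FLAG_AD if ad else 0)
    opt = _rr(b"\0", TYPE_OPT, EDNS_DO if do else 0, b"", rclass=4096)  # class = UDP size
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1) + QUESTION + opt

def build_response(answer_ttls=(), soa=None):
    """Response with one A record per TTL given, or a negative answer with an SOA."""
    answers = b"".join(_rr(_name("example.com"), TYPE_A, t, bytes([192, 0, 2, 1]))
                       for t in answer_ttls)
    authority = b""
    if soa is not None:
        soa_ttl, minimum = soa
        rdata = (_name("ns1.example.com") + _name("hostmaster.example.com")
                 + struct.pack("!5I", 1, 3600, 900, 604800, minimum))
        authority = _rr(_name("example.com"), TYPE_SOA, soa_ttl, rdata)
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answer_ttls), int(soa is not None), 0)
    return header + QUESTION + answers + authority
```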


Re: [dnsdist] topClients and topQueries expiration of data

2019-10-21 Thread Stephane Bortzmeyer
On Mon, Oct 21, 2019 at 05:09:31PM +0200,
 Daniel Stirnimann  wrote 
 a message of 15 lines which said:

> its 10'000 queries in the ringbuffer:
> 
> https://dnsdist.org/reference/config.html?highlight=setringbufferssize#setRingBuffersSize

Thanks, it works.


[dnsdist] topClients and topQueries expiration of data

2019-10-21 Thread Stephane Bortzmeyer
Apparently, the data used by topClients() and topQueries() expire
after some time (which is good, both for privacy and for memory use),
even if you don't reboot the server, but I cannot find documentation
of the expiration algorithm and how to configure it (and I'm too lazy
to read the source code). Is it explained somewhere?


Re: [dnsdist] LogAction() is ignored?

2019-09-24 Thread Stephane Bortzmeyer
On Mon, Sep 23, 2019 at 11:20:29AM +0200,
 Remi Gacogne  wrote 
 a message of 98 lines which said:

> If you are using our systemd unit file, note that we do set
> PrivateTmp=true for security reasons, meaning that you'll need to look
> for the actual log file in
> /tmp/systemd-private-*-dnsdist.service-*/dnsdist.log instead of
> /tmp/dnsdist.log.

OK, systemd killed me again. I forgot that (and indeed, the log is
there). Thanks and sorry for the false alarm.

I'm puzzled by the fact that /tmp/dnsdist.log is still created?


Re: [dnsdist] LogAction() is ignored?

2019-09-22 Thread Stephane Bortzmeyer
On Sun, Sep 22, 2019 at 12:31:47PM +0200,
 bert hubert  wrote 
 a message of 23 lines which said:

> After some offlist additional checking, this looks like a bug,

Or a feature, to protect the privacy of the users :-)


[dnsdist] LogAction() is ignored?

2019-09-22 Thread Stephane Bortzmeyer
I tried to log every query with:

addAction(AllRule(), LogAction("/tmp/dnsdist.log", false, true, false))

buffered=false is here to be sure I see the queries immediately.

dnsdist knows about the action:

> showRules()
# Matches Rule Action
0   0 IP (/32, /64) match for QPS over 100 burst 100   drop
1  68 All  log to 
/tmp/dnsdist.log

/tmp/dnsdist.log is created (world-readable!) but nothing appears in
it. topQueries() show that I do receive queries.

% dnsdist --version
dnsdist 1.4.0-rc2 (Lua 5.1.4 [LuaJIT 2.0.5])
Enabled features: dns-over-tls(gnutls openssl) dns-over-https(DOH) ebpf fstrm 
ipcipher libsodium lmdb protobuf recvmmsg/sendmmsg systemd

Is it a problem specific to RC?


Re: [dnsdist] Is dnsdist FIPS 140-2 Compliant?

2019-09-17 Thread Stephane Bortzmeyer
On Tue, Sep 17, 2019 at 09:14:54AM -0400,
 Brian Sullivan  wrote 
 a message of 57 lines which said:

> I have a question from our compliance team, is dnsdist FIPS 140-2 compliant?

I thought that FIPS-140 was about the security of hardware? With
FIPS-140-2 requiring tamper evidence?


Re: [dnsdist] DoH: 302 redirecting / to a help page

2019-09-16 Thread Stephane Bortzmeyer
On Mon, Sep 16, 2019 at 11:13:03AM +0200,
 Remi Gacogne  wrote 
 a message of 94 lines which said:

> supportpagemap = { newDOHResponseMapEntry("^/$", 302,
> "https://support.mydoman.com") }

It seems cool, but it fails for me:

Fatal Lua error: [string "chunk"]:9: attempt to call global 
'newDOHResponseMapEntry' (a nil value)

% dnsdist --version
dnsdist 1.4.0-beta1 (Lua 5.1.4 [LuaJIT 2.0.5])
Enabled features: dns-over-tls(gnutls openssl) dns-over-https(DOH) ebpf fstrm 
ipcipher libsodium protobuf recvmmsg/sendmmsg systemd


Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Stephane Bortzmeyer
On Sun, Sep 15, 2019 at 12:20:46PM +0200,
 Andrew Nimmo  wrote 
 a message of 72 lines which said:

> The acme.sh script has a standalone mode, if you have port 80 open:

Thanks, I forgot about that (and, indeed, port 80 was available).

So I did:

certbot certonly --standalone --domain doh.bortzmeyer.fr

to have the initial certificate.

Then, I configured dnsdist to use
/etc/letsencrypt/live/doh.bortzmeyer.fr/fullchain.pem and then I set
up this for the future renewals:

certbot renew --standalone --deploy-hook /usr/local/sbin/restart-dnsdist

Thanks again.