Re: [dnsdist] Number of Actions

2019-05-09 Thread Wang Jian
bert hubert wrote on Tue, Apr 16, 2019 at 3:23 AM:

>
>
> You can also create a SuffixMatchNode and fill it programmatically and then
> use a SuffixMatchNodeRule(smn) on it.
>

The usage you refer to is undocumented, isn't it? The functionality has been
there for quite some time, but few people know about it.

Even though I did read this issue https://github.com/PowerDNS/pdns/issues/5433,
I didn't realize that I could use it (to forward some specific domains to a
specific server).

Googling "newSuffixMatchNode site:dnsdist.org" returns only 1 false result.
Here we need doc improvement, I think.

BTW, it should be used carefully, because of
https://mailman.powerdns.com/pipermail/dnsdist/2016-February/000122.html
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist


Re: [dnsdist] Number of Actions

2019-04-15 Thread Klaus Darilion
Hello Bert!

On 15.04.2019 at 21:23, bert hubert wrote:
> On Mon, Apr 15, 2019 at 08:39:30PM +0200, Klaus Darilion wrote:
>> Hello!
>>
>> Is there a max number of actions, before there might be performance
>> problems?
> 
> Yes. The design goal is not to have hundreds of rules, but to have fewer,
> more powerful rules.
> 
> For example, in your case, you can do:
> addAction({"lots", "of", "domains"}, DropAction())
> 
> This is then fast, much faster than three separate rules.
> 
> You can also create a SuffixMatchNode and fill it programmatically and then
> use a SuffixMatchNodeRule(smn) on it.
> 
> Finally for your case, which I spotted on another list, you may want to look
> at https://dnsdist.org/guides/dynblocks.html which can be a lot of fun.

Do you have an example? The examples on the page you referenced do not
deal with query domains. Filtering based on response code does not help,
as the request has already hit the authoritative server. Filtering on client
IP would also filter good queries coming from this client.

Thanks
Klaus




Re: [dnsdist] Number of Actions

2019-04-15 Thread bert hubert
On Mon, Apr 15, 2019 at 08:39:30PM +0200, Klaus Darilion wrote:
> Hello!
> 
> Is there a max number of actions, before there might be performance
> problems?

Yes. The design goal is not to have hundreds of rules, but to have fewer,
more powerful rules.

For example, in your case, you can do:
addAction({"lots", "of", "domains"}, DropAction())

This is then fast, much faster than three separate rules.

You can also create a SuffixMatchNode and fill it programmatically and then
use a SuffixMatchNodeRule(smn) on it.

Finally for your case, which I spotted on another list, you may want to look
at https://dnsdist.org/guides/dynblocks.html which can be a lot of fun.

Bert
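The approach Bert describes, written out as a dnsdist Lua config fragment (an added example, not code from the thread or from the dnsdist project): one SuffixMatchNode holds all legitimate names, so the allow rule costs one tree walk regardless of list size, and a single rate-limit rule covers the rest of the zone. The names and the 10 qps limit are taken from Klaus's question; the list is assumed to be available at config-load time.

```lua
-- Added example: allowlist known names with one SuffixMatchNode, then
-- rate limit everything else under the zone. The names below are
-- constructed placeholders standing in for the real list of subdomains.
local knownNames = {
  "www.example.com",
  "mail.example.com",
  -- remaining legitimate subdomains go here
}

-- One node for all names: lookup cost does not grow with the number of
-- entries, unlike hundreds of separate QNameRule() actions.
-- Caveat: this is a suffix match, so an entry also covers names below it
-- (e.g. anything.www.example.com), so list only leaf names you really
-- want to pass through unlimited.
local known = newSuffixMatchNode()
for _, name in ipairs(knownNames) do
  known:add(newDNSName(name))
end

-- Legitimate names pass untouched; AllowAction() stops rule processing.
addAction(SuffixMatchNodeRule(known), AllowAction())

-- Everything else under the zone: drop once the rate exceeds 10 qps.
-- MaxQPSRule(10) matches while traffic is at or below the limit, so
-- NotRule() inverts it to match only the excess.
local zone = newSuffixMatchNode()
zone:add(newDNSName("example.com"))
addAction(AndRule({SuffixMatchNodeRule(zone), NotRule(MaxQPSRule(10))}),
          DropAction())
```

Building the node in the config file (rather than mutating it from the console while queries flow) is assumed here; the thread's later reply links a caveat about using SuffixMatchNode carefully.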


[dnsdist] Number of Actions

2019-04-15 Thread Klaus Darilion
Hello!

Is there a max number of actions, before there might be performance
problems?

During a random subdomain attack I would like to "whitelist" all real
subdomains and then rate limit the rest, i.e.:

-- Allow the following labels without limiting
addAction(QNameRule("www.example.com"), AllowAction())
addAction(QNameRule("mail.example.com"), AllowAction())
... (around 500 more labels)

-- Rate limiting for all other labels
addAction(AndRule({makeRule("example.com"), NotRule(MaxQPSRule(10))}),
          DropAction())

May I experience performance problems when all my queries have to pass
through 500 actions first?


Thanks
Klaus