Re: [Pdns-users] Recursor Container Issue
From: Pdns-users On behalf of Blue Thunder Somogyi via Pdns-users
Sent: Monday, 20 March 2023 17:34
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Recursor Container Issue

Hello,

When using the PowerDNS recursor container (https://hub.docker.com/r/powerdns/pdns-recursor-48) if you mount a configuration file directly under `/etc/powerdns/recursor.conf` in the container, the recursor seems to hang and be non-responsive (no response from API, nor from DNS queries).

I raise this because this behavior is different from the Auth server (container), which has no issue with a config file mounted under `/etc/powerdns/pdns.conf`.

Is this a known issue? The workaround is to put the config under `/etc/powerdns/recursor.d/` directory, but this is not documented, and I've lost a non-trivial amount of my life figuring this out.

Yes, it's very confusing. The 2.4.9 release has the same issue.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Recursor 4.8.x Debian 12 repo
Hello,

an error crept into one of the publishing processes. I built a rec-4.8.5 for Debian 12, which can be retrieved here:

https://github.com/PowerDNS/pdns/actions/runs/6693473758/job/18184678477

We will also make sure the package gets published in the regular place. This might take some time though.

-Otto

> On 29/10/2023 09:42 CET Christoph via Pdns-users wrote:
>
> Hi,
>
> for regression testing we would like to downgrade our recursor to
> version 4.8.x but we noticed that there is no rec-48 debian repo on
> https://repo.powerdns.com/debian/dists/
> for Debian Bookworm.
>
> Is this on purpose or will there be a recursor 48 repo for Debian 12 in
> the future?
>
> thank you!
> Christoph
Re: [Pdns-users] LUA for "filter-aaaa-on-v4"
> On 30 Oct 2023, at 09:50, Brian Candler wrote:
>
> On 30/10/2023 09:10, Djerk Geurts via Pdns-users wrote:
>>
>> You're right that once dual stack is enabled on parts of the network and in
>> clients, then we'll need to be mindful of this. But, I would expect most
>> dual stack clients to default to querying DNS using IPv6. In fact as we
>> control the client IP addressing, we can ensure to convert DNS server
>> settings to IPv6 when enabling dual stack.
>
> DHCP(v4) can only give out IPv4 DNS server addresses. Therefore, your
> dual-stack clients will end up learning about both v4 and v6 DNS servers, and
> you cannot control which they use. You can *hope* that they will prefer the
> IPv6 ones, but you can't enforce it.
>
> I can't really see what problem you're trying to solve. Do you have evidence
> that certain client OSes are making DNS requests for addresses even when
> they don't have an IPv6 address? If so, have you measured the amount of extra
> network traffic or DNS recursor load these are generating, and is this
> significant in the overall picture?

That's a fair point. I guess my thinking was to clean up the DNS caches a bit as I see a fair bit of recorded on the firewalls which resolve FQDNs and don't need to waste memory on that.

As for the servers, they have a local IPv6 address, so in essence are dual stack as IPv6 is mostly not disabled on the sysctl level. But no IPv6 traffic is seen on the network, nor is the network configured for it.

As for the extra traffic due to requests, I expect this to be minimal. You're probably right in your assessment that I'm trying to swat a fly with an elephant! Sometimes voicing an idea is required to realise the futility of the initial thought...

> Furthermore, even for IPv4-only single stack clients, it seems to me you are
> going to create more problems than you solve by trying to mess with this:
> it's a case of an unnecessary "optimisation". If you drop the requests you
> will force the clients to retry, which could add several seconds of latency
> before they give up. But if you respond to them, you might as well give the
> valid response to the query they asked for.

Thank you for your input. Incidentally all production machines use static IPs, not DHCP in this particular deployment, but doesn't take much away from your valid input.
Re: [Pdns-users] LUA for "filter-aaaa-on-v4"
On 30/10/2023 09:10, Djerk Geurts via Pdns-users wrote:

> You're right that once dual stack is enabled on parts of the network and in
> clients, then we'll need to be mindful of this. But, I would expect most
> dual stack clients to default to querying DNS using IPv6. In fact as we
> control the client IP addressing, we can ensure to convert DNS server
> settings to IPv6 when enabling dual stack.

DHCP(v4) can only give out IPv4 DNS server addresses. Therefore, your dual-stack clients will end up learning about both v4 and v6 DNS servers, and you cannot control which they use. You can *hope* that they will prefer the IPv6 ones, but you can't enforce it.

I can't really see what problem you're trying to solve. Do you have evidence that certain client OSes are making DNS requests for addresses even when they don't have an IPv6 address? If so, have you measured the amount of extra network traffic or DNS recursor load these are generating, and is this significant in the overall picture?

Furthermore, even for IPv4-only single stack clients, it seems to me you are going to create more problems than you solve by trying to mess with this: it's a case of an unnecessary "optimisation". If you drop the requests you will force the clients to retry, which could add several seconds of latency before they give up. But if you respond to them, you might as well give the valid response to the query they asked for.
Re: [Pdns-users] LUA for "filter-aaaa-on-v4"
There are no dual stack clients as the network isn't IPv6 enabled (yet). The idea is to reduce the chatter for single stack clients.

You're right that once dual stack is enabled on parts of the network and in clients, then we'll need to be mindful of this. But, I would expect most dual stack clients to default to querying DNS using IPv6. In fact as we control the client IP addressing, we can ensure to convert DNS server settings to IPv6 when enabling dual stack.

I would not want to apply this to "public" recursors which may be used as forward servers and by clients not under our control.

Thank you for your input,
Djerk Geurts

On 30 Oct 2023, 06:26, at 06:26, Otto Moerbeek wrote:
>On Mon, Oct 30, 2023 at 04:35:25AM +, Djerk Geurts via Pdns-users wrote:
>
>> Hi all,
>>
>> Not had the opportunity to test this yet, but wanted to check with
>> those more experienced at LUA scripting if the following has any
>> unexpected side effects:
>>
>> function preresolve(dq)
>>   -- Implementation of 'filter-aaaa-on-v4'
>>   if dq.qtype == pdns.AAAA and dq.remoteaddr:isIPv4() then
>>     dq.appliedPolicy.policyKind = pdns.policykinds.Drop
>>     return false
>>   else
>>     return false
>>   end
>> end
>>
>> I will run a test when I get the opportunity. Does anyone filter
>> requests for single stack clients (IPv4 only obviously)?
>>
>> Thanks,
>> Djerk Geurts
>
>This policy will also apply to dual stack clients that happen to
>contact the recursor over v4 to request an AAAA. There is nothing
>wrong with that, but your policy will cause timeouts for the clients.
>So not recommended.
>
> -Otto
Re: [Pdns-users] LUA for "filter-aaaa-on-v4"
On Mon, Oct 30, 2023 at 04:35:25AM +, Djerk Geurts via Pdns-users wrote:

> Hi all,
>
> Not had the opportunity to test this yet, but wanted to check with those more
> experienced at LUA scripting if the following has any unexpected side effects:
>
> function preresolve(dq)
>   -- Implementation of 'filter-aaaa-on-v4'
>   if dq.qtype == pdns.AAAA and dq.remoteaddr:isIPv4() then
>     dq.appliedPolicy.policyKind = pdns.policykinds.Drop
>     return false
>   else
>     return false
>   end
> end
>
> I will run a test when I get the opportunity. Does anyone filter
> requests for single stack clients (IPv4 only obviously)?
>
> Thanks,
> Djerk Geurts

This policy will also apply to dual stack clients that happen to contact the recursor over v4 to request an AAAA. There is nothing wrong with that, but your policy will cause timeouts for the clients. So not recommended.

-Otto
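
A variant of the hook quoted above that addresses the two concerns raised in this thread: it limits the filter to named client networks, and it answers AAAA-over-IPv4 queries with an immediate empty response instead of dropping them, so clients do not retry until they time out. This is an added example, not code from the thread or from the PowerDNS project; the 192.0.2.0/24 and 198.51.100.0/24 ranges are placeholder networks and `v4only` is a name chosen here.

```lua
-- Added example (not from the thread); load it through lua-dns-script.
-- Placeholder networks: replace with the IPv4-only client ranges you control.
local v4only = newNMG()
v4only:addMask("192.0.2.0/24")
v4only:addMask("198.51.100.0/24")

function preresolve(dq)
  -- Only touch AAAA queries that arrive over IPv4 from the listed networks.
  -- Forwarders, unknown sources and every other query type are left alone.
  if dq.qtype == pdns.AAAA
     and dq.remoteaddr:isIPv4()
     and v4only:match(dq.remoteaddr) then
    -- NODATA: NOERROR with an empty answer section, sent straight away.
    -- Unlike Drop, the client gets a reply and does not wait for a timeout.
    dq.appliedPolicy.policyKind = pdns.policykinds.NODATA
    return false -- the recursor still has to apply the policy
  end
  return false -- normal resolution for everything else
end
```

Once any of these networks becomes dual stack, remove its mask, since the hook hides valid AAAA records from every client there that still queries over IPv4.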