Hi Stephane,
On 2/29/20 1:55 PM, Stephane Bortzmeyer via dnsdist wrote:
> I run a DoH and DoT resolver with dnsdist. The backend resolvers
> validate (I can test them with dig and see the AD bit.) But dnsdist
> returns the AD bit to the client only when the client uses the DO
> bit. (Unlike, for
Hi,
On 3/6/20 8:09 AM, Fredrik Pettai via dnsdist wrote:
>> On 6 Mar 2020, at 05:42, Michael Van Der Beek
>> wrote:
>> Have you noticed this setting on dnsdist.
>> setUDPTimeout(num)
>
> Yes, I did, but I didn’t play around with that before I sent the email to the
> mailing list
>
>> Set the
Hi Daniel,
On 2/21/20 4:13 PM, Ambauen Daniel (ID NET) via dnsdist wrote:
> I try to setup a new remoteLogger with additional option according to the
> documentation.
> newRemoteLogger(address[, timeout=2[, maxQueuedEntries=100[,
> reconnectWaitTime=1]]])
>
> I’m able to setup “simple”
Hello everyone,
We are very happy to announce the first release candidate of dnsdist
1.5.0. 1.5.0 contains several new exciting features and a few breaking
changes since 1.4.0 that were detailed in the announcement of alpha1
[1]. If you upgrade from 1.4.0, please see the upgrade guide [2] for
Hi Fredrik,
On 4/15/20 3:38 PM, Fredrik Pettai via dnsdist wrote:
> Is there a way to make dnsdist reset all (dump)stats counters after reading
> them?
> (nothing shows up here https://dnsdist.org/statistics.html)
>
> To exemplify this in another resolver-project, unbound(-control) has the
>
Hi Fredrik,
On 4/15/20 6:05 PM, Fredrik Pettai via dnsdist wrote:
> Is there a way to manipulate dynBlockRulesGroup():excludeRange at runtime,
> for instance add networks to the excludeRange ?
> And how do I look/print what current object holds with :toString() ?
>
>>
Hi Christoph,
On 3/29/20 8:25 PM, Christoph via dnsdist wrote:
> after restarting dnsdist we noticed that while nginx takes
> the new setting into account dnsdist remains at 128:
>
> netstat -Lan
> Current listen queue sizes (qlen/incqlen/maxqlen)
> Proto Listen
> tcp4 0/0/128 <<< dnsdist
Hello Stephane,
On 3/27/20 12:20 PM, Stephane Bortzmeyer via dnsdist wrote:
> I observe that sending a SNI which is a host name or an IPv4 address
> works fine but when the SNI is a raw IPv6 address, the TLS connection
> is immediately closed by the server.
>
> Is it my fault or the one of
Hi Christopher,
On 5/13/20 10:39 PM, Christopher Engelhard via dnsdist wrote:
> how exactly are the RPM packages on repo.powerdns.org created? I'm
> trying to build them locally, and it doesn't (and in my opinion can not)
> work.
>
> Background: dnsdist in Fedora lacks DoH support, because
Hi Mark,
On 5/15/20 11:03 AM, Mark Smith via dnsdist wrote:
> It sounds like a trivial problem, but I just can't get to the bottom of
> it. I am getting errors as shown below when restarting dnsdist after
> upgrading to the latest build (1.5rc2)
>
> May 15 08:13:40 resolver dnsdist[871574]:
>
Hi Dave,
On 5/15/20 9:31 AM, Dave Strydom via dnsdist wrote:
> I've picked up a strange issue in 1.4 where the
>
> dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 10, "Exceeded NXD rate", 120)
>
> rate limit seems to be ignored if the packet cache is enabled and only
> the dbr:setQueryRate triggers.
>
Hi Thibaud,
On 5/13/20 9:50 AM, Thib D via dnsdist wrote:
> I am currently trying to set up a rate-limiting config and I have a few
> questions about how Dynblocks and Packet policies rules work :
>
> When an IP is inserted in a DynBlockRule, an action is automatically
> given to the query for
Hello everyone,
We are very happy to announce the 1.5.0 alpha 1 release of dnsdist. This
version contains several new exciting features detailed below, but also
a few breaking changes so please take the time to read the next section.
Your feedback will be much appreciated so we can deliver a
Hi Frederik,
On 3/21/20 2:16 PM, Frederik Pettai wrote:
>> On 20 Mar 2020, at 14:32, Remi Gacogne via dnsdist
>> wrote:
>>
>> […] The most exciting new feature is the implementation of the
>> Proxy Protocol between dnsdist and its backends. Aimed to replace
Hi Andrew,
On 9/4/20 2:51 PM, Andrew Pogrebennyk via dnsdist wrote:
> I am using dnsdist as load-balancer because I want specific types of
> queries to be routed to different downstream servers. I have one
> specific server that only responds on TCP (non-standard port) but it is
> immediately
Hi Aleksey,
On 10/12/20 1:09 PM, Aleksey Chudov via dnsdist wrote:
> Is there a way to modify the DNS response from an upstream server? I
> especially want to add the RA flag (for testing purposes) if the RD flag
> is set. If this is not possible, I can change the source code. Please
> lead me to
Hi,
On 9/29/20 2:52 PM, prochazka--- via dnsdist wrote:
> How to block reverse query for ipv6 in case of internal subdomains? I
> want to evade having every ipv6 reverse zone in internal_domains. Using
>
Hi Arnaud,
On 9/23/20 4:03 PM, Arnaud Gavara via dnsdist wrote:
> While doing tests on dnsdist (v1.5.0) I noticed a strange (wrong ?) behavior.
>
> If I request dnsdist with an intentionally unknown opcode, I get a timeout:
> (dig with +noedns +noad +opcode=15 +norec +header-only)
> ;;
On 9/23/20 5:17 PM, Stephane Bortzmeyer wrote:
> On Wed, Sep 23, 2020 at 04:56:05PM +0200,
> Remi Gacogne via dnsdist wrote
> a message of 76 lines which said:
>
>> +header-only instructs dig to send a query without a question
>> section (qdcount is 0), and
Hi Tom, Daniel,
On 9/22/20 11:48 AM, Daniel Stirnimann via dnsdist wrote:
> On 22.09.20 11:26, Tom via dnsdist wrote:
>> My 2nd question:
>> Assuming the dnsdist-cache is working, has a A-Record-cache-entry for
>> "www.example.com" and dnsdist is in front of a resolver and the resolver
>>
Hello everyone,
This release fixes a few issues discovered since 1.5.0:
- the thread handling responses sent from a backend was not stopped when
that backend was removed ;
- getEDNSOptions() would throw an exception for queries with an empty
additional section but records in the answer or
Hello everyone,
While we expected the third release candidate for dnsdist 1.5.0 to be
the last one, a race condition that could lead to a crash was discovered
by Tomas Krizek from CZ.NIC with the DNS Shotgun tool, leading to a new
release candidate. This new release candidate has no changes
On 7/2/20 7:10 PM, Phillip R. Jaenke wrote:
> EDNS0 was the first thing I eliminated, in fact.. the whole thing looks
> literally like this (the lookups changing but you get the concept):
>
> rs=1
> while [ $rs -le 100 ]; do
> for xs in a b c d e f g h i j k l m; do
> dig -t A
Hi Phillip,
On 7/1/20 6:57 PM, Phillip R. Jaenke via dnsdist wrote:
> To test/evaluate performance, one of the tests I run is basically "look
> up a consistent group of records I know exist, then do it a couple
> hundred more times or so." Some from the local authoritative, some from
> the
Hello everyone,
We are very happy to announce the third release candidate of dnsdist
1.5.0. 1.5.0 contains several new exciting features and a few breaking
changes since 1.4.0 that were detailed in the announcement [1] of
alpha1. If you upgrade from 1.4.0, please see the upgrade guide [2] for
Hi Jason,
On 6/22/20 7:04 PM, Jason Bailey via dnsdist wrote:
> So I want to put dnsdist in front of all of my recursor and my auth
> servers and make sure that a given subdomain basically only exists when
> queried by a given IP or set of IPs.
>
> For example, suppose I have the subdomain
On 7/20/20 8:10 AM, Otto Moerbeek wrote:
> Thanks for the report. It seems an unfortunate typo slipped in. We
> need to figure out why this wasn't caught in our QA.
That's on me, sorry about that! Our QA did not spot it because the
h2o_socket_get_ssl_server_name() function has not made it to a
Hello everyone,
After four release candidates, we are thrilled to announce the final
release of dnsdist 1.5.0! This new release contains several new exciting
features and a few breaking changes since 1.4.0, so please read the
upgrade guide if you are upgrading from 1.4.0 or earlier. We described
Hi Alexander,
On 1/12/21 10:52 AM, Alexander Fateyev via dnsdist wrote:
From google public DNS docs:
"3. Authoritative name servers that implement ECS must respond to all
ECS queries with ECS responses, including negative and referral responses."
But dnsdist self-generated responses don't
On 1/6/21 7:53 PM, Darac Marjal via dnsdist wrote:
It looks like it might be something EDNS related. I can see, in
Wireshark, that the update is forwarded on with additional records. I've
attached a PCAP showing the update coming in and being forwarded on.
And, if I turn off
Hi,
On 12/24/20 7:25 AM, Jahanzeb Arshad via dnsdist wrote:
We have deployed two instances of dnsdist v1.5.1 on CentOS 7.9. After
running for 7-8 days both the machines start showing erratic CPU usage
pattern. The CPU usage jumps to 40% then 0 and the servers keep on doing
this. If the
second parameter to the
setRingBuffersSize() command:
https://dnsdist.org/reference/config.html#setRingBuffersSize
You are using the default size so setRingBuffersSize(1, 10) would
only change the number of shards, and will likely improve performance a bit.
Best regards,
Remi
On Thu, 2020-12-24 at 09:56 +01
Hi Christoph,
On 11/14/20 5:59 PM, Christoph via dnsdist wrote:
> while creating a dashboard for dnsdist prometheus metrics
> we noticed that the following values are always 0 in case of DoH,
> in case of DoT they appear to work fine:
>
> dnsdist_frontend_tcpavgqueriesperconnection
>
Hi Markus,
On 11/13/20 1:28 PM, Markus Ehrlicher via dnsdist wrote:
> For my both existing rules, the regex has the behavior, that queries for
> „*.subdomain.example.org“ should be blocked, but „subdomain.example.org“
> itself is an existing domain and should be handled normally.
Note that you
Hi Daniel,
On 10/30/20 3:49 PM, Ambauen Daniel (ID NET) via dnsdist wrote:
> Per default the RemoteLogResponseAction only exports A and records.
>
> RemoteLogResponseAction(remoteLogger[, alterFunction[, includeCNAME[,
> options]]])
> I guess the alterFunction call could be used to call an
Hi Darac,
On 1/6/21 5:35 PM, Darac Marjal via dnsdist wrote:
Watching messages on the webserver, I can see that the "DNSOpcode.Update
-> auth" rule is applied, but then the number of "Drops" on the auth
server increments. On the pdns webmonitor "Remote hosts sending corrupt
packets" also
Hi Kevin,
On 1/15/21 1:37 PM, dbgong--- via dnsdist wrote:
In the DoT and TCP model, dnsdist only issues a TCP query to the
backend server. And there is no way to configure it to send a UDP
query to the backend server. Is this a feature or a bug?
Forwarding queries received over TCP and DoT
Hi Blason,
On 1/27/21 10:49 AM, Blason R via dnsdist wrote:
I am implementing DOH with BIND as my backend. I do have certain queries
and would really appreciate it if community can help me?
1. After implementing dnsdist and BIND as downstream servers; I
observed that a lot of queries are
Hello!
We are proud to announce the first alpha release of dnsdist 1.6.0. This
release contains several new exciting features, as well as improvements
and bug fixes.
In our view, the most exciting new feature is the support of
out-of-order processing for TCP and DNS over TLS connections.
Hi Stephane,
On 2/3/21 9:27 AM, Stephane Bortzmeyer wrote:
Executive summary: be careful before activating out-of-order
processing on DoT servers. Read on.
Background: I manage a (very) small public DoT and DoH resolver. It is
automatically monitored from Icinga with two programs, one written
On 2/3/21 10:23 AM, Stephane Bortzmeyer wrote:
Did you also enable out-of-order between dnsdist and the backend, using
maxInFlight on the newServer() directive?
Yes:
newServer({address="127.0.0.1:53", name="Local-Unbound", useClientSubnet=false,
maxInFlight=256}) -
The backend is
Hi Tom,
On 6/14/21 2:41 PM, Tom via dnsdist wrote:
Why do I see the protocol "UDP" in the fstrm-log for a DoH request,
although I am sure (tcpdump) that this request was made with tcp? Maybe
because dnsdist queries the backend server with UDP for the DoH request?
Yes, it looks like a bug. It
Hi Tom,
On 6/10/21 8:03 AM, Tom via dnsdist wrote:
In the case above, I see 14926 drops from backend01. According to the
documentation, the backend server discards these requests. Is there a
way in dnsdist, to see which queries were dropped? What can cause a
backend server to drop requests? For
On 6/10/21 2:27 PM, Tom via dnsdist wrote:
Our UDP-Timeouts defaults to 2. With the "grepq("2000ms")" command, I
can see a lot of entries with the mentioned "T.O" (timeout). But I see
also the following entry with a latency of 2891.8ms which should be
dropped if UDP, right?:
-12.4
Hello!
We are proud to announce the final release of dnsdist 1.6.0, with no
changes since the second release candidate. Compared to 1.5.x, this
release contains several new exciting features, as well as improvements
and bug fixes.
In our view, the most exciting new feature is the support of
Hi everyone!
We are happy to release dnsdist 1.5.2 today, a maintenance release
fixing a few bugs reported since 1.5.1:
- A typo in prometheus metrics dnsdist_frontend_tlshandshakefailures
(AppliedPrivacy)
- A hang when removing a server with more than one socket
- SNI availability on resumed
Hi,
On 5/12/21 7:51 PM, Suresh Gunasekaran via dnsdist wrote:
I see that in dnsdist 1.6.0 sub-paths of a DoH query can be accepted by
setting the exactPathMatching option to false in addDOHLocal().
https://dnsdist.org/reference/config.html#addDOHLocal
Hi Suresh,
On 5/20/21 12:05 AM, Suresh Gunasekaran wrote:
1. Is there a way to run a custom script either before a DoH query is
sent to the backend server or after a response was received from the
backend? And can this script have access to the sub-path?
That can be done using a LuaAction
Hi Eldon,
On 5/26/21 7:22 PM, Eldon Koyle via dnsdist wrote:
I'm trying to spoof a CNAME reply to enforce safe search, but running
into unexpected behavior.
I have a rule like:
-- try to match all possible google TLDs, optionally with www.
Hi Jochen,
On 5/27/21 10:24 AM, Jochen Demmer via dnsdist wrote:
I wasn't able to figure out the right syntax of NegativeAndSOAAction
that's why I went with DNSRCode.
What is it that you could not figure out, so we can improve the
documentation? You have an example in our regression tests,
On 6/26/21 8:09 AM, Eldon Koyle via dnsdist wrote:
Is there any “easy” way to basically disable the packetcache for
specific query names (ideally wildcarding the domain part of it),
so it always causes a query to the backend/upstream servers?
I'm not sure if this is the best way, but you
Hi everyone,
We are happy to announce the second release candidate of what should
become dnsdist 1.6.0. This release contains very few changes since the
first release candidate, and thanks to the great feedback we received
on previous versions we expect to be able to release 1.6.0 final very
Hi everyone,
OpenSSL released a new advisory [1] today about two new vulnerabilities
in their implementations. The first issue, CVE-2021-3450, is not
relevant to dnsdist which does not set the X509_V_FLAG_X509_STRICT
flag. Unfortunately the second issue, CVE-2021-3449, applies to all
servers
Hi everyone,
We are happy to announce the third alpha release of dnsdist 1.6.0. This
release contains a few fixes for issues reported in the second release
candidate:
- DNS over HTTPS queries with a non-zero ID were not properly handled.
Very few DoH clients actually send an ID with a value
Hi,
On 4/2/21 4:47 AM, willow.pine.2011 via dnsdist wrote:
> My question is: what I did wrong? How should I configure webserver to
> disable the apiKey usage?
I'm not sure I understand, aren't the first three steps demonstrating
that setting an empty API key indeed disables it?
Or are you
Hi,
On 3/15/21 9:04 AM, Cheikh Dieng via dnsdist wrote:
I'm using dnsdist in docker mode.
I have to add some downstream servers in my running dnsdist docker.
I want to know if there is a way to dynamic reload my conf files for
the new entries without rebuilding the dnsdist images or do and
Hello everyone,
We are happy to announce the second alpha release of dnsdist 1.6.0.
This release contains mostly fixes for issues reported in the first
release candidate:
- A race condition was found to sometimes occur at startup, making it
possible for the first TCP connection to happen
Hi Aleš,
On 2/23/21 4:35 PM, Aleš Rygl via dnsdist wrote:
My idea was that changing mode of agentx directory above to 755 could
help but it is not like that. I had to force dnsdist to run with root
privileges to make it work again.
What should be the correct setup to run dnsdist under
Hi everyone,
We are happy to announce the first release candidate of what should
become dnsdist 1.6.0. This release contains very few changes since the
third alpha:
- Add missing getEDNSOptions and getDO bindings for DNSResponse
- Fix some issues reported by Thread Sanitizer
- Lua: don’t destroy
Hi Sami,
On 2/5/21 7:12 PM, SAMI RAHAL via dnsdist wrote:
> Hi Jacob
> I use tcpdump:
> tcpdump -vvv -s 0 -l -n port 53 | grep domaine.tld
> dnsdist always contacts my two backend resolvers
How are you sending the queries? If you are using dig, please check with
+nocookie since the content
Hi Tom,
On 8/27/21 8:21 AM, Tom via dnsdist wrote:
Using dnsdist-1.6.0, a packet-cache-configuration and a dnstap
(newFrameStreamUnixLogger) configuration, which is configured for
logging responses too:
I have noticed that in the dnstap-logs the CLIENT_RESPONSE only appears,
when dnsdist
Hi Denis,
On 9/13/21 11:36, dmachard via dnsdist wrote:
I don't find anything in the documentation about this limitation, but
after some investigation, my conclusion is that the "rate" argument of
the setQueryRate function has a maximum value not to be exceeded.
maxRate = (The maximum
Hi Adam,
On 9/10/21 00:50, Adam Bishop via dnsdist wrote:
After running for some amount of time (seems to be days), our dnsdist
instances suddenly start trying to talk to the backends using the
loopback address as the source:
# tcpdump -i ens192 -nn port 53
dropped privs to tcpdump
tcpdump:
Hello!
We are happy to release dnsdist 1.6.1 today, a maintenance release
fixing a few bugs reported since 1.6.0:
- Adding ECS failed for queries with records in the answer or additional
section (Dimitrios Mavrommatis)
- The transport was not properly set in dnstap and protobuf messages for
Hello Denis,
On 9/3/21 11:17 AM, dmachard via dnsdist wrote:
I would like to know if it’s planned to support tls on the webserver
api and web interface ?
There has been interest before in TLS/HTTPS support for the web API and
interface, but as far as I know no work has been done on that
Hi Ron,
On 8/5/21 5:23 AM, Ron Vachiyer via dnsdist wrote:
Is there a way to add the resource returned to the client in the log? I
wish to be able to define a passive-dns log and the reply sent to the
client is what I am looking to add.
By default dnsdist will only export the content of A
Hi everyone,
We are proud to announce the first alpha release of dnsdist 1.7.0. This
release contains several new exciting features, as well as improvements
and bug fixes.
In our view, the most exciting new feature is the support of outgoing
DNS over TLS and DNS over HTTPS, as well as the
Hi John,
On 9/23/21 17:10, John Littlekate via dnsdist wrote:
There is more than 120 qps and all the queries end with "NXDomain" response.
If I read my dynamic rules from top, I think, this client should be
trapped by "DNSRCode.NXDOMAIN" rule,
which is more strict for this case, but the client
Hi everyone,
We are happy to announce the second alpha release of dnsdist 1.7.0!
We spent quite some time since alpha1 reproducing an issue reported by
Stephane Bortzmeyer in our new outgoing DNS over TLS feature. The issue
turned out to be triggered by the use of the GnuTLS provider, and to
Hi Antoine,
On 9/27/21 14:00, antoine blin via dnsdist wrote:
I'm using the rule : "addAction(MaxQPSIPRule(5), DropAction())" and I'm
wondering if it is possible to see, through the console API or other
API, the list of subnet in which rate limit rule is applied.
Not directly, I'm afraid,
Hi John,
Please keep the discussion on the list, so it can benefit others.
Response inline below.
On 9/23/21 22:46, John Littlekate wrote:
Your explanation is nice and clear, thank you. I have deleted
"QueryRate" rule from dnsdist config for test purposes, restarted
dnsdist daemon and there
Hi Denis,
On 10/2/21 22:47, Denis MACHARD via dnsdist wrote:
With the alpha release of dnsdist 1.7.0, we have the new following log
message during startup:
Passing a plain-text password via the 'password' parameter to
'setWebserverConfig()' is not advised, please consider generating a
Hi Denis,
On 10/1/21 09:07, dmachard via dnsdist wrote:
I am trying to use DoH backends with the new alpha release of dnsdist 1.7.0
I had a behavior I don’t understand with the packet cache, here the
configuration used:
[...]
With this configuration, I don’t succeed to use the packet cache with
Hi everyone!
We are happy to announce the first release candidate of what will become
dnsdist 1.7.0, with only one fix and one improvement since the second beta.
We fixed a crash introduced in 1.7.0-alpha1 that could occur when a DoH
query was forwarded to a backend over TCP, DoT or DoH and
Hi everyone!
We are happy to announce the first beta release of dnsdist 1.7.0!
We introduced a fair number of improvements and new features since the
second alpha, and we will now iron out the documentation and fix any
bugs before hopefully releasing the first release candidate very soon.
Hi Adam,
On 11/12/21 04:05, Adam Bishop via dnsdist wrote:
> 'print *dss' didn't work, but dss looked like it contained a smart
> pointer, so I tried 'print *dss._M_ptr' - the output of that is at the
> end of this message. The field seems intact though.
That's very useful, thank you. Indeed I
Hi everyone!
We are happy to announce the second beta release of dnsdist 1.7.0, with
few fixes since the first beta, the most important one being a memory
leak when reusing TLS sessions for outgoing DNS over TLS and DNS over
HTTPS connections. During that work we stumbled upon a memory leak
On 10/29/21 15:32, Adam Bishop via dnsdist wrote:
On 29 Oct 2021, at 13:38, Remi Gacogne via dnsdist
wrote:
Would you mind checking that you still have IPv6 addresses on that interface? I
see you still have some on the incoming interface, though, since we receive a
query over IPv6 on file
Hi Adam,
On 10/29/21 12:10, Adam Bishop via dnsdist wrote:
On 13 Sep 2021, at 13:47, Adam Bishop wrote:
On 13 Sep 2021, at 13:31, Remi Gacogne via dnsdist
wrote:
That's very weird, I don't have any clue to what might be happening. Would you
mind sharing the whole configuration
On 10/29/21 13:04, Adam Bishop via dnsdist wrote:
On 29 Oct 2021, at 11:33, Remi Gacogne via dnsdist
wrote:
would you mind getting the output of "lsof -n -p " while the
issue is still happening? A full backtrace with gdb might also be good to have
Sure that's fine, output fol
Hi Stephan,
On 11/8/21 13:03, De Webmakers (Stephan) via dnsdist wrote:
We recently experienced a DDoS on our nameservers.
We are now looking to (help) prevent this in the future and since we are
using powerDNS we came across dnsdist.
We analyzed the DDoS requests and the requests came from
Hi Rob,
On 10/21/21 18:13, Robert Schwartz via dnsdist wrote:
I'm trying to find a way to add a suffix to an existing NSID string
response coming back from a backend server. My use-case is to be able to
know, not only which backend server responded to the query (that's in
the backend
Hi Chandra,
On 10/12/2021 14:27, Chandra via dnsdist wrote:
For #1: I didn't find a proper server policy to fit my needs but, it
doesn't seem to be a completely new thing to have. Currently the
weighted random policy does work to some extent. But there are some
queries which go to the fallback
Hi Jahanzeb,
On 13/12/2021 08:00, Jahanzeb Arshad via dnsdist wrote:
We want to implement blocking of large number (3M+) of undesirable
domains (adult/malware) via DNS. We have tested using PowerDNS recursor
and it is working in test environment. For blocking we have used LUA dns
script with
Hi,
On 11/12/2021 08:44, me aharen via dnsdist wrote:
I am running dnsdist 1.6.1 and I am unable to figure out the safest
method of handling large amounts of SERVFAIL queries to random domains.
Right now I manually check SERVFAIL responses via 'topResponses(50,
dnsdist.SERVFAIL)', and pick
Hi David,
On 07/01/2022 12:06, David Bader via dnsdist wrote:
Hello,
is my understanding correct, that dnsdist sends the client a
ServFail answer after 2 seconds when the backend resolver does not
respond within the timeout (2 seconds by default):
Hi David,
On 07/01/2022 18:03, David Bader via dnsdist wrote:
Ok, so in case of a timeout, dnsdist does not send anything to the
client and the client will also timeout (and retry).
Does that mean, it would make sense to increase the dnsdist
configuration to use the same timeout as the
Hi everyone!
We are proud to announce the release of dnsdist 1.7.0. This release
contains several new exciting features since 1.6.1, as well as
improvements and bug fixes. It contains one single change from the first
release candidate, a fix for DynBlockRatioRule::warningRatioExceeded
Hi Larry,
On 06/01/2022 18:16, Larry Wapnitsky via dnsdist wrote:
I've set up dnsdist in my lab to forward to my dns servers, running powerdns
If I do nslookup directly to the ipv6 addresses on the name servers, I
can resolve.
If I try to resolve via dnsdist, I get no connection.
Here is
Hi Mike,
On 23/02/2022 16:49, Willis, Michael via dnsdist wrote:
I have intentionally set the trigger for "ANY" to 1 every 100 seconds, so
it will trigger and stay triggered.
This is so I can verify the correct rule is applying.
dbr:setQTypeRate(DNSQType.ANY, 1, 100, "Exceeded ANY rate",
On 23/02/2022 17:20, Willis, Michael wrote:
I changed the rule to:
dbr:setQTypeRate(DNSQType.ANY, 1, 10, "Exceeded ANY rate", 600)
After testing it looks like the entire 10 seconds needed to elapse
before the rule is evaluated.
I was not expecting this logic, and that was tripping me up. I
Hi,
> We have configured dnsdist instance to handle around 500k QPS, but we
> are seeing downstream down frequently once QPS reached above 25k. Below
> are the logs which we found to relative issue.
>
> dnsdist[29321]: Marking downstream server1 IP:53 as 'down'
>
> dnsdist[29321]: Marking
Hi,
On 31/03/2022 10:59, me aharen via dnsdist wrote:
And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL),
DropAction())" - although I am uncertain if this works as I think it would.
This will not work as expected, as this rule is going to drop queries
with a response code set to
Hi Adrian,
On 02/04/2022 14:36, Adrian Kägi via dnsdist wrote:
These are my "newServer" statements:
newServer({address="pdns_auth_IPv4:5353", name="nsa-1_v4", pool="sec",
useProxyProtocol=True})
newServer({address="[pdns_auth_IPv6]:5353", name="nsa-sec1_v6",
pool="sec",
Hi,
On 03/04/2022 10:42, me aharen wrote:
Thanks for the input. Yes, we have legit customers participating in the
PRSD floods.
Understood.
Setting the DynBlockRulesGroup:setRCodeRatio is interesting, can you
share a sample config of this rule?
I cannot find any example in the
Hi!
On 29/03/2022 14:52, Y7n05h wrote:
I'm interested in improving the performance of dnsdist with AF_XDP
in GSoC, I've spent a lot of time learning XDP and AF_XDP.
I hope there are some simple issues waiting to be done to help me get
familiar with the architecture of dnsdist.
It would be
Hi Stephan,
On 04/02/2022 10:47, De Webmakers (Stephan) via dnsdist wrote:
I’ve been struggling with this for far too long now…
Is it possible to run dnsdist and pdns on the same server and accept dns
request from everyone (just as it would be without dnsdist).
The problem is that I just
Hi Oto,
On 31/01/2022 16:50, Oto Šťáva via dnsdist wrote:
firstly, I want to thank everyone involved for making dnsdist available,
it has helped me greatly these past few weeks with implementing and
testing support for the PROXYv2 protocol in Knot Resolver [1] here at
CZ.NIC.
That's very
Hi Klaus,
On 17/01/2022 21:05, Klaus Darilion wrote:
Pierre Grié from Nameshield contributed an XDP program to reply to
blocked UDP queries with a truncated response directly from the
kernel, in a similar way to what we were already doing using eBPF
socket filters. This version adds support
Hi Thomas,
On 21/01/2022 13:55, Thomas Mieslinger via dnsdist wrote:
I'm completely new to dnsdist. I'd like to use it for DNS split horizon
setup.
Goal: send queries which end with 'internal.domain' to Pool "int".
According to the documentation there are two ways to do so:
-- setup default