Re: [dnsdist] documentation for "showDOHFrontends()" output

2019-06-12 Thread Christoph
Remi Gacogne wrote:
> On 6/12/19 12:05 AM, Christoph wrote:
>> We saw 400 Bad Request responses but the counter in the "Bad" column did
>> not increase but I'll rerun the tests to make sure this was not caused
>> by looking at the IPv4 counter stats while hitting the IPv6 frontend
>> or vice versa.
> 
> Note that invalid HTTP queries will get a 400 before our DNS code even
> gets called, so you might indeed get 400 errors without the "Bad" counter
> increasing.

Good point, and it would be great if the counters in #7898 will include
all actual "400 Bad Request" responses.


>>> The "Errors" counter refers to invalid or rejected DNS queries:
>>> - smaller than a minimal DNS header or the QR bit is set, or QDCOUNT is
>>> equal to zero (noncompliant-queries in the regular stats should increase
>>> accordingly);
>>> - blocked by the ACL (acl-drops should increase);
>>> - query is dropped by a rule (the counter of the corresponding rule
>>> should increase);
>>> - we encountered an error when sending the query to the selected backend
>>> (downstream-send-errors should increase, as well as the 'sendErrors'
>>> counter of the corresponding backend).
>>
>> Thanks for writing this down. Are you implying that you currently
>> respond with
>> 500 Internal Server Error
>> in all these "Error" cases? (which would be surprising, at least to me)
> 
> Yes, that's indeed the case with our current code and I agree we need to
> handle that differently. I just opened [1] which I hope is a step in the
> right direction. Comments welcome!
> 
> [1]: https://github.com/PowerDNS/pdns/pull/7917

If I understood the description correctly you are aiming at closing the
connection instead of returning an actual HTTP response code to save
cycles, but in environments with load balancers this will actually
increase unnecessary processing. We made that experience already with
other DoH server software and we successfully convinced them that
closing the connection instead of providing actual response codes is a
bad idea.

We will add a comment and references to the PR.

thanks,
Christoph
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist


Re: [dnsdist] documentation for "showDOHFrontends()" output

2019-06-12 Thread Remi Gacogne
On 6/12/19 12:05 AM, Christoph wrote:
> We saw 400 Bad Request responses but the counter in the "Bad" column did
> not increase but I'll rerun the tests to make sure this was not caused
> by looking at the IPv4 counter stats while hitting the IPv6 frontend
> or vice versa.

Note that invalid HTTP queries will get a 400 before our DNS code even
gets called, so you might indeed get 400 errors without the "Bad" counter
increasing.

>>
>> The "Errors" counter refers to invalid or rejected DNS queries:
>> - smaller than a minimal DNS header or the QR bit is set, or QDCOUNT is
>> equal to zero (noncompliant-queries in the regular stats should increase
>> accordingly);
>> - blocked by the ACL (acl-drops should increase);
>> - query is dropped by a rule (the counter of the corresponding rule
>> should increase);
>> - we encountered an error when sending the query to the selected backend
>> (downstream-send-errors should increase, as well as the 'sendErrors'
>> counter of the corresponding backend).
> 
> Thanks for writing this down. Are you implying that you currently
> respond with
> 500 Internal Server Error
> in all these "Error" cases? (which would be surprising, at least to me)

Yes, that's indeed the case with our current code and I agree we need to
handle that differently. I just opened [1] which I hope is a step in the
right direction. Comments welcome!

[1]: https://github.com/PowerDNS/pdns/pull/7917

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/





Re: [dnsdist] documentation for "showDOHFrontends()" output

2019-06-11 Thread Remi Gacogne
Hello!

On 6/9/19 9:54 PM, Christoph wrote:
>> most of the columns in the output of "showDOHFrontends()" are
>> self-explanatory, but it would be interesting to know the details behind
>>  "Bad" and "Errors".
>>
>> Are these columns documented somewhere?
>>
>> https://dnsdist.org/reference/config.html#showDOHFrontends
> 
> The "Errors" counter appears to match the amount of HTTP requests
> getting answered with:
> 
> 500 Internal Server Error
> 
> The "Bad" column is still unknown to me but it is not
> related to HTTP 400 or 408 response codes.

The "Bad" counter refers to queries that we could not interpret as a DoH
query, meaning that it was not a POST query and either there was no
'dns' parameter in the query or we could not base64 decode the
content of the 'dns' parameter. We should return a 400 for these,
though, are you sure we don't?

The "Errors" counter refers to invalid or rejected DNS queries:
- smaller than a minimal DNS header or the QR bit is set, or QDCOUNT is
equal to zero (noncompliant-queries in the regular stats should increase
accordingly);
- blocked by the ACL (acl-drops should increase);
- query is dropped by a rule (the counter of the corresponding rule
should increase);
- we encountered an error when sending the query to the selected backend
(downstream-send-errors should increase, as well as the 'sendErrors'
counter of the corresponding backend).

For that last one it looks like we don't display the value of the
'sendErrors' counters in the console, we do export it via carbon and the
API though.


Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
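
The counter descriptions in the message above, as an added Python example (not part of the thread and not dnsdist's own code). It covers only the cases that can be decided from the request itself; the ACL, rule and backend-send cases depend on server state and are left out. Function names, the /dns-query path and the sample requests are constructed, and treating padded base64 as undecodable is an assumption.

```python
import base64
import re
import struct
from collections import Counter
from urllib.parse import parse_qs, urlsplit

DNS_HEADER_LEN = 12                       # fixed DNS header size
B64URL = re.compile(r"[A-Za-z0-9_-]+")    # unpadded base64url alphabet (assumption)

def doh_payload(method, target, body=b""):
    """Return the DNS message carried by the request, or None if unreadable as DoH."""
    if method == "POST":
        return body
    values = parse_qs(urlsplit(target).query).get("dns")
    if not values or not B64URL.fullmatch(values[0]) or len(values[0]) % 4 == 1:
        return None                       # no 'dns' parameter, or not decodable
    return base64.urlsafe_b64decode(values[0] + "=" * (-len(values[0]) % 4))

def classify(method, target, body=b""):
    """Name the showDOHFrontends() counter the thread says this request hits."""
    payload = doh_payload(method, target, body)
    if payload is None:
        return "Bad"                      # thread: should be answered with a 400
    if len(payload) < DNS_HEADER_LEN:
        return "Errors"                   # smaller than a minimal DNS header
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:    # QR bit set, or QDCOUNT equal to zero
        return "Errors"                   # answered with a 500 at the time of the thread
    return "ok"

def make_query(flags=0x0100, qdcount=1):  # constructed example.com A/IN query
    header = struct.pack("!HHHHHH", 0, flags, qdcount, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLES = [  # constructed requests: (method, target, body)
    ("GET", "/dns-query?dns=" + b64url(make_query()), b""),   # ok
    ("POST", "/dns-query", make_query()),                     # ok
    ("GET", "/dns-query", b""),                               # Bad: no 'dns'
    ("GET", "/dns-query?dns=%21%21%21", b""),                 # Bad: not base64
    ("GET", "/dns-query?dns=" + b64url(b"\x00\x01"), b""),    # Errors: too short
    ("POST", "/dns-query", make_query(flags=0x8100)),         # Errors: QR set
    ("POST", "/dns-query", make_query(qdcount=0)),            # Errors: QDCOUNT 0
]

def tally(samples=SAMPLES):
    return Counter(classify(*s) for s in samples)
```

Requests that are not valid HTTP at all never reach this classification: as noted later in the thread, they get a 400 before the DNS code runs and do not increase "Bad".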





Re: [dnsdist] documentation for "showDOHFrontends()" output

2019-06-09 Thread Christoph
> most of the columns in the output of "showDOHFrontends()" are
> self-explanatory, but it would be interesting to know the details behind
>  "Bad" and "Errors".
> 
> Are these columns documented somewhere?
> 
> https://dnsdist.org/reference/config.html#showDOHFrontends

The "Errors" counter appears to match the amount of HTTP requests
getting answered with:

500 Internal Server Error

The "Bad" column is still unknown to me but it is not
related to HTTP 400 or 408 response codes.


related feature request:
https://github.com/PowerDNS/pdns/issues/7898