Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-21 Thread Otto Moerbeek via Pdns-users
On Thu, Jan 20, 2022 at 07:41:42AM +0100, Otto Moerbeek wrote:

> On Thu, Jan 20, 2022 at 09:51:51AM +0330, Hamed Haghshenas via Pdns-users 
> wrote:
> 
> > >> How can I secure my DNS Recursor? I tried to read the document about DNSSEC in
> > >> the PowerDNS wiki but can't understand what I should do.
> > >
> > > https://doc.powerdns.com/recursor/dnssec.html
> > >
> > > In short:
> > >
> > > dnssec=validate
> > 
> > I set dnssec=validate, but one error still exists (Invalid signature: connected):
> > 
> > #
> > 
> > Your dns security:
> > 
> > DNSSEC (FAIL)
> > 
> > *   Valid signature: connected
> > *   Invalid signature: connected
> > *   Expired signature: not connected
> > *   Missing signature: not connected
> > 
> > Best Regards,
> 
> This is interesting. AFAIK, the query used for this test is
> 
> dig badsig.go.dnscheck.tools TXT
> 
> According to the website, it should not validate. I will investigate.
> 
>   -Otto

The issue is that PowerDNS Recursor marks the result as Insecure (not
signed by DNSSEC). Other resolvers mark it as Bogus (failing DNSSEC
validation). The test site expects the latter.

The Recursor's behaviour comes from the replies used to determine the
delegation point (aka zone cut) being inconsistent: specifically, the
NSEC reply is inconsistent. At the moment we draw the conclusion that it
is an Insecure delegation. There is now a PR that changes this behaviour
(rejecting the NSEC record).

See https://github.com/PowerDNS/pdns/pull/11225

We also reported the issue here (as it is mainly an issue that should be
fixed on the authoritative server side):

https://www.reddit.com/r/u_dnschecktool/comments/rpf6uh/dnschecktools_identify_your_dns_resolvers/htl14g4/

This is the only contact that dnscheck.tools lists.

Note: while this may look like a downgrade attack, it is not, as only
the owner of the domain can create the inconsistent *but signed* NSEC
records. So don't worry about the failing test result.

Regards, 

 -Otto
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
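Otto's Insecure-versus-Bogus distinction is something you can check from the client side yourself. The block below is an added example written for this page; it is neither PowerDNS nor dnscheck.tools code, and the page does not say how the site actually tests (Otto only names the badsig.go.dnscheck.tools TXT query, as far as he knows). It implements the usual resolver-side test: ask with the EDNS DO bit and CD=0, read the AD bit for Secure versus Insecure, and on SERVFAIL retry with CD=1 to distinguish Bogus (data exists but fails validation) from an ordinary failure. The reply headers at the bottom are constructed so the classifier can be exercised offline; probe() needs a real resolver.

```python
"""Classify a resolver's DNSSEC handling as Secure, Insecure or Bogus.

Added example for this thread, not PowerDNS or dnscheck.tools code.
  1. query with the EDNS DO bit and CD=0;
  2. NOERROR/NXDOMAIN with AD set -> Secure, without AD -> Insecure;
  3. SERVFAIL -> re-query with CD=1; if that now answers, the data exists
     but fails validation -> Bogus.
"""
import socket
import struct

SECURE, INSECURE, BOGUS, ERROR = "Secure", "Insecure", "Bogus", "Error"
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
FLAG_RD, FLAG_CD, FLAG_AD = 0x0100, 0x0010, 0x0020
EDNS_DO = 0x8000  # DO bit: upper half of the OPT RR's TTL field


def build_query(qname, qtype=16, qid=0x1234, cd=False):
    """Wire-format query (qtype 16 = TXT) with RD, optional CD, and an OPT RR carrying DO."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # qdcount=1, arcount=1 (OPT)
    labels = [lbl.encode() for lbl in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 1232, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the classifier needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "rcode": flags & 0xF,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD)}


def classify(answer_cd0, answer_cd1=None):
    """answer_cd0: reply to the CD=0 query; answer_cd1: reply to the CD=1 retry (after SERVFAIL)."""
    h = parse_header(answer_cd0)
    if h["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return SECURE if h["ad"] else INSECURE
    if h["rcode"] == RCODE_SERVFAIL and answer_cd1 is not None:
        if parse_header(answer_cd1)["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
            return BOGUS
    return ERROR


def probe(resolver_ip, qname, qtype=16, timeout=3.0):
    """Ask a live resolver over UDP (needs network); returns one of the four labels."""
    def ask(cd):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, qtype, cd=cd), (resolver_ip, 53))
            reply, _ = s.recvfrom(4096)
            return reply
    first = ask(cd=False)
    if parse_header(first)["rcode"] != RCODE_SERVFAIL:
        return classify(first)
    return classify(first, ask(cd=True))


# Constructed 12-byte reply headers (no question/answer sections needed here).
# QR|RD|RA = 0x8180; AD adds 0x0020; CD adds 0x0010; the rcode is the low nibble.
REPLY_SECURE = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 1, 0, 1)
REPLY_INSECURE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
REPLY_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8180 | RCODE_SERVFAIL, 1, 0, 0, 1)
REPLY_CD_OK = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_CD, 1, 1, 0, 1)

if __name__ == "__main__":
    # Against a local recursor with the thread's test name: whether you get
    # "Insecure" or "Bogus" here is exactly the difference Otto describes.
    print(probe("127.0.0.1", "badsig.go.dnscheck.tools"))
```

A resolver that is not validating at all will answer NOERROR without AD for every name, so "Insecure" alone proves nothing; the "Bogus" result for a deliberately broken name is what shows validation is switched on.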


Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-19 Thread Otto Moerbeek via Pdns-users
On Thu, Jan 20, 2022 at 09:51:51AM +0330, Hamed Haghshenas via Pdns-users wrote:

> >> How can I secure my DNS Recursor? I tried to read the document about DNSSEC in
> >> the PowerDNS wiki but can't understand what I should do.
> >
> > https://doc.powerdns.com/recursor/dnssec.html
> >
> > In short:
> >
> > dnssec=validate
> 
> I set dnssec=validate, but one error still exists (Invalid signature: connected):
> 
> #
> 
> Your dns security:
> 
> DNSSEC (FAIL)
> 
> * Valid signature: connected
> * Invalid signature: connected
> * Expired signature: not connected
> * Missing signature: not connected
> 
> Best Regards,

This is interesting. AFAIK, the query used for this test is

dig badsig.go.dnscheck.tools TXT

According to the website, it should not validate. I will investigate.

-Otto


Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-19 Thread Hamed Haghshenas via Pdns-users
>> How can I secure my DNS Recursor? I tried to read the document about DNSSEC in
>> the PowerDNS wiki but can't understand what I should do.
>
> https://doc.powerdns.com/recursor/dnssec.html
>
> In short:
>
> dnssec=validate

I set dnssec=validate, but one error still exists (Invalid signature: connected):

#

Your dns security:

DNSSEC (FAIL)

*   Valid signature: connected
*   Invalid signature: connected
*   Expired signature: not connected
*   Missing signature: not connected

Best Regards,

 

 



Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-19 Thread Brian Candler via Pdns-users

On 19/01/2022 09:54, Hamed Haghshenas via Pdns-users wrote:
> How can I secure my DNS Recursor? I tried to read the document about DNSSEC in
> the PowerDNS wiki but can't understand what I should do?

https://doc.powerdns.com/recursor/dnssec.html

In short:

dnssec=validate


[Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-19 Thread Hamed Haghshenas via Pdns-users
Hello Dears,

I configured PowerDNS Recursor with the configuration below:

allow-from-file=/etc/pdns-recursor/IP-Iran-List.txt
setuid=pdns-recursor
setgid=pdns-recursor
local-address=127.0.0.1 x.x.x.x
any-to-tcp=yes
distribution-load-factor=1.25
pdns-distributes-queries=yes
distributor-threads=1
logging-facility=0
max-tcp-queries-per-connection=10
quiet=no
reuseport=yes
threads=3

When I check with https://dnscheck.tools/, I get some errors like:

##

Oh no! Your dns responses are NOT properly authenticated! You may be
susceptible to certain attacks such as dns cache poisoning.

And

Your dns security:

DNSSEC (FAIL)

*   Valid signature: connected
*   Invalid signature: connected
*   Expired signature: connected
*   Missing signature: connected

#

But when I try using 8.8.8.8 it is different:

Great! Your dns responses are authenticated, protecting you from certain
attacks

Your dns security:

DNSSEC (PASS)

*   Valid signature: connected
*   Invalid signature: not connected
*   Expired signature: not connected
*   Missing signature: not connected

How can I secure my DNS Recursor? I tried to read the document about DNSSEC in
the PowerDNS wiki but can't understand what I should do?

Best Regards,

Hamed Haghshenas

 



Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-16 Thread Otto Moerbeek via Pdns-users
On Sun, Jan 16, 2022 at 10:01:42AM +, Brian Candler wrote:

> On 16/01/2022 09:41, Hamed Haghshenas via Pdns-users wrote:
> > > quiet=no
> > I need the logs and should export domains to my analyzer platform .
> 
> There are more scalable ways of doing this.  The "standards-compliant" way
> is dnstap:
> 
> https://dnstap.info/
> https://docs.powerdns.com/recursor/lua-config/protobuf.html#logging-in-dnstap-format-using-framestreams
> 
> You'll need to install a separate dnstap collector to receive the messages.
> 
> Note that powerDNS has a dependency on the "fstrm" library:
> 
> https://mailman.powerdns.com/pipermail/pdns-users/2020-June/026725.html
> 
> If you have an older version of fstrm then you can only log to a local unix
> domain socket (which may be fine, it just means running your dnstap
> collector on the same host).  A newer version is required if you want to log
> to a remote host over TCP.
> 
> I don't know about versions in RHEL/CentOS, but Ubuntu 18.04 has libfstrm0
> version 0.3.0, and that only does unix domain sockets.

Note that at the moment, dnstap does not export client queries or
replies sent to clients, only queries and/or answers to/from
authoritative servers.

-Otto


Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-16 Thread Otto Moerbeek via Pdns-users
On Sun, Jan 16, 2022 at 01:11:55PM +0330, Hamed Haghshenas wrote:

> Hello,
> Thanks for your help. I changed them.
> 
> > If you have 8G of RAM, likely the default cache sizes could be enlarged
> > (max-cache-entries for the record cache and max-packetcache-entries for the
> > packet cache)
> 
> How do I calculate the best number for "max-packetcache-entries" and
> "max-cache-entries"?

This is very much dependent on usage. Study memory usage and cache
hit ratios.

> 
> > Virtualization *could* be an issue, for example when the network interface
> > is virtualized in a way that hinders performance. 
> 
> I can't change my platform for now!!!
> 
> > If you are using NAT: this *kills* the performance. See
> > https://docs.powerdns.com/recursor/performance.html
> 
> I moved it to my edge network and set a public IP.
> 
> > Depending on kernel version and other factors reuseport and multiple
> > distributor threads might work better or not, best to start with
> > reuseport=no and distributor-threads=1, test & measure and then change to
> > yes and 4 and compare performance on your actual setup.
> 
> My kernel is 3.10.0-862.el7.x86_64, I set reuseport=no and
> "distributor-threads=1", "threads=3"
> 
> > If you see a lot of bogus results this might impact performance
> 
> "dnssec-log-bogus=yes" removed.
> 
> > entropy-source=/dev/random
> 
> changed to default
> 
> > lowercase-outgoing=yes
> 
> I ignore it.
> 
> > quiet=no
> 
> I need the logs and should export domains to my analyzer platform.

There are much better ways to do that, see
https://powerdns.com/recursor/lua-config/protobuf.html for logging via
protobufs. Again, text logging of all queries is not a good idea.

-Otto


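Otto's answer to the sizing question (study memory usage and cache hit ratios) can be turned into numbers from the Recursor's own counters. The block below is an added example for this page, not PowerDNS code. It assumes `rec_control get-all` prints one `name<TAB>value` line per metric; the metric names it reads (cache-hits, cache-misses, cache-entries and the packetcache- counterparts) are real Recursor metrics, the cache limits default to what I take the documented 4.x values to be (pass your own configured max-cache-entries / max-packetcache-entries), SAMPLE is constructed output, and the "full" and target-ratio thresholds are my own heuristics.

```python
"""Cache hit ratios and fill level from `rec_control get-all` output.

Added example for this thread, not PowerDNS code. Metric names are the
Recursor's; the output format and the default limits are assumptions;
SAMPLE is constructed; the thresholds in assess() are heuristics.
"""

# Constructed `rec_control get-all` excerpt. Note packetcache-misses equals
# the record-cache total: every packet-cache miss is looked up in the record cache.
SAMPLE = """\
cache-entries\t412337
cache-hits\t2981520
cache-misses\t1233102
packetcache-entries\t98211
packetcache-hits\t5402118
packetcache-misses\t4214622
"""


def parse_get_all(text):
    """Turn 'name<TAB>value' lines into {name: int}; non-numeric values are skipped."""
    metrics = {}
    for line in text.splitlines():
        name, sep, value = line.partition("\t")
        if sep and value.strip().lstrip("-").isdigit():
            metrics[name.strip()] = int(value)
    return metrics


def hit_ratio(metrics, prefix):
    """hits / (hits + misses) for prefix 'cache' (record cache) or 'packetcache'."""
    hits, misses = metrics[f"{prefix}-hits"], metrics[f"{prefix}-misses"]
    total = hits + misses
    return hits / total if total else 0.0


def assess(metrics, max_cache_entries=1_000_000, max_packetcache_entries=500_000,
           target_ratio=0.8, full_at=0.95):
    """Per cache: hit ratio, fill fraction against the configured limit, and a one-line verdict."""
    result = {}
    for prefix, limit in (("cache", max_cache_entries), ("packetcache", max_packetcache_entries)):
        ratio = hit_ratio(metrics, prefix)
        fill = metrics[f"{prefix}-entries"] / limit
        if fill >= full_at and ratio < target_ratio:
            verdict = "at limit with a low hit ratio: a larger cache may help; watch RSS after raising it"
        elif fill >= full_at:
            verdict = "at limit but hit ratio fine: enlarging buys little"
        else:
            verdict = "not full: enlarging changes nothing until entries reach the limit"
        result[prefix] = {"hit_ratio": round(ratio, 4), "fill": round(fill, 4), "verdict": verdict}
    return result


def parse_and_assess(text, **limits):
    """Convenience wrapper: raw get-all text in, assessment out."""
    return assess(parse_get_all(text), **limits)


if __name__ == "__main__":
    # Live use: rec_control get-all | python3 cache_ratio.py ; otherwise the constructed SAMPLE.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for cache, info in parse_and_assess(text).items():
        print(f"{cache:12s} hit {info['hit_ratio']:.1%}  fill {info['fill']:.1%}  {info['verdict']}")
```

The point of the fill check is the one Otto implies: a cache that never reaches its limit gains nothing from a larger limit, so look at TTLs and query mix instead; only a full cache with a poor hit ratio is a sizing problem, and then memory use has to be re-measured after the change.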


Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-16 Thread Brian Candler via Pdns-users

On 16/01/2022 09:41, Hamed Haghshenas via Pdns-users wrote:
> > quiet=no
> 
> I need the logs and should export domains to my analyzer platform.


There are more scalable ways of doing this.  The "standards-compliant" 
way is dnstap:


https://dnstap.info/
https://docs.powerdns.com/recursor/lua-config/protobuf.html#logging-in-dnstap-format-using-framestreams

You'll need to install a separate dnstap collector to receive the messages.

Note that powerDNS has a dependency on the "fstrm" library:

https://mailman.powerdns.com/pipermail/pdns-users/2020-June/026725.html

If you have an older version of fstrm then you can only log to a local 
unix domain socket (which may be fine, it just means running your dnstap 
collector on the same host).  A newer version is required if you want to 
log to a remote host over TCP.


I don't know about versions in RHEL/CentOS, but Ubuntu 18.04 has 
libfstrm0 version 0.3.0, and that only does unix domain sockets.


Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-16 Thread Hamed Haghshenas via Pdns-users
Hello,
Thanks for your help. I changed them.

> If you have 8G of RAM, likely the default cache sizes could be enlarged
> (max-cache-entries for the record cache and max-packetcache-entries for the
> packet cache)

How do I calculate the best number for "max-packetcache-entries" and
"max-cache-entries"?

> Virtualization *could* be an issue, for example when the network interface
> is virtualized in a way that hinders performance. 

I can't change my platform for now!!!

> If you are using NAT: this *kills* the performance. See
> https://docs.powerdns.com/recursor/performance.html

I moved it to my edge network and set a public IP.

> Depending on kernel version and other factors reuseport and multiple
> distributor threads might work better or not, best to start with
> reuseport=no and distributor-threads=1, test & measure and then change to
> yes and 4 and compare performance on your actual setup.

My kernel is 3.10.0-862.el7.x86_64, I set reuseport=no and
"distributor-threads=1", "threads=3"

> If you see a lot of bogus results this might impact performance

"dnssec-log-bogus=yes" removed.

> entropy-source=/dev/random

changed to default

> lowercase-outgoing=yes

I ignore it.

> quiet=no

I need the logs and should export domains to my analyzer platform.


Best Regards,
Hamed Haghshenas




Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-16 Thread Otto Moerbeek via Pdns-users
On Sun, Jan 16, 2022 at 09:05:55AM +0100, Otto Moerbeek via Pdns-users wrote:

> On Sun, Jan 16, 2022 at 09:39:01AM +0330, Hamed Haghshenas via Pdns-users 
> wrote:
> 
> > Hello Dears,
> > 
> > I installed PowerDNS Recursor 4.6.0 on CentOS Linux release 7.9.2009 and
> > configured it as below for Iranian IP addresses. I want to use it in my ISP
> > environment at large scale with lots of DNS requests. 
> 
> A more modern distribution might be better. What do you call lots?
> 
> > My server has 4 cores at 2.6 GHz (x64) and 8GB RAM (KVM virtualization); I can
> > add more CPU or RAM.
> 
> If you have 8G of RAM, likely the default cache sizes could be
> enlarged (max-cache-entries for the record cache and
> max-packetcache-entries for the packet cache)
> 
> Virtualization *could* be an issue, for example when the network
> interface is virtualized in a way that hinders performance. 
> 
> > Could you please help me: is my configuration correct? How many
> > distributor-threads and threads should I use? (The same as the number of CPU cores
> > or more?)
> 
> Some comments inline below.
> 
> > 
> > Does something need to change, or any kernel optimization?
> >  
> > 
> > allow-from-file=/etc/pdns-recursor/IP-Iran-List.txt
> > 
> > setuid=pdns-recursor
> > 
> > setgid=pdns-recursor
> > 
> > local-address=127.0.0.1 172.16.1.186
> 
> If you are using NAT: this *kills* the performance. See
> https://docs.powerdns.com/recursor/performance.html
> 
> > 
> > any-to-tcp=yes
> > 
> > distribution-load-factor=1.25
> > 
> > pdns-distributes-queries=yes
> > 
> > distributor-threads=4
> 
> Depending on kernel version and other factors reuseport and multiple
> distributor threads might work better or not, best to start with
> reuseport=no and distributor-threads=1, test & measure and then
> change to yes and 4 and compare performance on your actual setup.
> 
> > 
> > dnssec=validate
> > 
> > dnssec-log-bogus=yes
> 
> If you see a lot of bogus results this might impact performance
> 
> > entropy-source=/dev/random
> 
> This is likely slow, better use the default setting (leave it out).

Correction: this *is* the default. Normally it only is used if
rng=urandom, so it does not matter at all. It's best to leave out
default settings anyway.

> 
> > 
> > logging-facility=0
> > 
> > lowercase-outgoing=yes
> 
> why? 
> 
> > max-tcp-queries-per-connection=10
> > 
> > quiet=no
> 
> This amount of logging will kill performance
> 
> > reuseport=yes
> 
> See above
> 
> > 
> > threads=4
> 
> You might want to reduce it to 3 if you use 1 distributor thread, as
> the total number of threads doing lots of work is distributor threads +
> worker threads.  This is dependent on your cache hit ratios. Again:
> try and measure.
> 
>   -Otto


Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-16 Thread Otto Moerbeek via Pdns-users
On Sun, Jan 16, 2022 at 09:39:01AM +0330, Hamed Haghshenas via Pdns-users wrote:

> Hello Dears,
> 
> I installed PowerDNS Recursor 4.6.0 on CentOS Linux release 7.9.2009 and
> configured it as below for Iranian IP addresses. I want to use it in my ISP
> environment at large scale with lots of DNS requests. 

A more modern distribution might be better. What do you call lots?

> My server has 4 cores at 2.6 GHz (x64) and 8GB RAM (KVM virtualization); I can
> add more CPU or RAM.

If you have 8G of RAM, likely the default cache sizes could be
enlarged (max-cache-entries for the record cache and
max-packetcache-entries for the packet cache)

Virtualization *could* be an issue, for example when the network
interface is virtualized in a way that hinders performance. 

> Could you please help me: is my configuration correct? How many
> distributor-threads and threads should I use? (The same as the number of CPU cores
> or more?)

Some comments inline below.

> 
> Does something need to change, or any kernel optimization?
>  
> 
> allow-from-file=/etc/pdns-recursor/IP-Iran-List.txt
> 
> setuid=pdns-recursor
> 
> setgid=pdns-recursor
> 
> local-address=127.0.0.1 172.16.1.186

If you are using NAT: this *kills* the performance. See
https://docs.powerdns.com/recursor/performance.html

> 
> any-to-tcp=yes
> 
> distribution-load-factor=1.25
> 
> pdns-distributes-queries=yes
> 
> distributor-threads=4

Depending on kernel version and other factors reuseport and multiple
distributor threads might work better or not, best to start with
reuseport=no and distributor-threads=1, test & measure and then
change to yes and 4 and compare performance on your actual setup.

> 
> dnssec=validate
> 
> dnssec-log-bogus=yes

If you see a lot of bogus results this might impact performance

> entropy-source=/dev/random

This is likely slow, better use the default setting (leave it out).

> 
> logging-facility=0
> 
> lowercase-outgoing=yes

why? 

> max-tcp-queries-per-connection=10
> 
> quiet=no

This amount of logging will kill performance

> reuseport=yes

See above

> 
> threads=4

You might want to reduce it to 3 if you use 1 distributor thread, as
the total number of threads doing lots of work is distributor threads +
worker threads.  This is dependent on your cache hit ratios. Again:
try and measure.

-Otto
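Otto's inline remarks above (a private local-address behind NAT, quiet=no, the redundant entropy-source line, dnssec-log-bogus, starting from one distributor thread, worker plus distributor threads against the core count) and Brian's dnssec=validate can be collected into a small check that runs over a recursor.conf. The block below is an added example for this page, not PowerDNS code: the checks and their wording are my reading of this thread, not Recursor defaults, the two sample configurations are reconstructed from the posts, the public address in the second one is a constructed documentation-range IP, and cpu_cores defaults to the 4 cores named in the thread.

```python
"""Lint a recursor.conf against the advice given in this thread.

Added example, not PowerDNS code. Checks encode Otto's and Brian's
remarks; sample configs are reconstructed from the posts.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hamed's first configuration, as posted (reconstructed from the thread).
ORIGINAL_CONF = """\
allow-from-file=/etc/pdns-recursor/IP-Iran-List.txt
setuid=pdns-recursor
setgid=pdns-recursor
local-address=127.0.0.1 172.16.1.186
any-to-tcp=yes
distribution-load-factor=1.25
pdns-distributes-queries=yes
distributor-threads=4
dnssec=validate
dnssec-log-bogus=yes
entropy-source=/dev/random
logging-facility=0
lowercase-outgoing=yes
max-tcp-queries-per-connection=10
quiet=no
reuseport=yes
threads=4
"""

# The later configuration; 203.0.113.10 is a constructed stand-in for the public address.
UPDATED_CONF = """\
allow-from-file=/etc/pdns-recursor/IP-Iran-List.txt
setuid=pdns-recursor
setgid=pdns-recursor
local-address=127.0.0.1 203.0.113.10
any-to-tcp=yes
distribution-load-factor=1.25
pdns-distributes-queries=yes
distributor-threads=1
logging-facility=0
max-tcp-queries-per-connection=10
quiet=no
reuseport=yes
threads=3
"""


def parse_recursor_conf(text):
    """key=value lines; a '#' starts a comment; later keys override earlier ones."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def lint_recursor_conf(conf, cpu_cores=4):
    """Return (code, message) findings; cpu_cores is the host's core count (4 in the thread)."""
    findings = []
    if conf.get("dnssec") != "validate":
        findings.append(("dnssec", "set dnssec=validate so answers failing DNSSEC are rejected"))
    for addr in conf.get("local-address", "").replace(",", " ").split():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("local-address", f"{addr} is not an IP address"))
            continue
        if any(ip in net for net in RFC1918):
            findings.append(("nat", f"{addr} is RFC 1918: if clients reach it through NAT, expect "
                                    "a large performance hit (see the performance docs)"))
    if conf.get("quiet", "yes").lower() == "no":
        findings.append(("quiet", "quiet=no logs every query; export with protobuf/dnstap instead"))
    if "entropy-source" in conf:
        findings.append(("entropy-source", "/dev/random is already the default and only used with "
                                           "rng=urandom; drop the line"))
    if conf.get("dnssec-log-bogus", "no").lower() == "yes":
        findings.append(("dnssec-log-bogus", "costs performance if many answers are bogus"))
    dist = int(conf.get("distributor-threads", "1"))
    workers = int(conf.get("threads", "2"))  # assumed default worker count
    if dist > 1:
        findings.append(("distributor-threads", f"{dist} distributor threads with "
                         f"reuseport={conf.get('reuseport', 'no')}: start from reuseport=no and "
                         "distributor-threads=1, measure, then compare with yes and 4"))
    if dist + workers > cpu_cores:
        findings.append(("threads", f"distributor ({dist}) + worker ({workers}) threads exceed "
                         f"{cpu_cores} cores; e.g. threads=3 with one distributor thread on 4 cores"))
    return findings


def finding_codes(findings):
    """Just the codes, for quick comparison of two configs."""
    return {code for code, _ in findings}


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_CONF), ("updated", UPDATED_CONF)):
        print(f"== {name}")
        for code, msg in lint_recursor_conf(parse_recursor_conf(text)):
            print(f"  [{code}] {msg}")
```

Run against the two configurations from the thread, the first one trips six of the checks and the second only two: the missing dnssec=validate (which Hamed adds in his next message) and the quiet=no that both Otto and Brian advise replacing with protobuf or dnstap export.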


[Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-15 Thread Hamed Haghshenas via Pdns-users
Hello Dears,

I installed PowerDNS Recursor 4.6.0 on CentOS Linux release 7.9.2009 and
configured it as below for Iranian IP addresses. I want to use it in my ISP
environment at large scale with lots of DNS requests.

My server has 4 cores at 2.6 GHz (x64) and 8GB RAM (KVM virtualization); I can
add more CPU or RAM.

Could you please help me: is my configuration correct? How many
distributor-threads and threads should I use? (The same as the number of CPU cores
or more?)

Does something need to change, or any kernel optimization?

allow-from-file=/etc/pdns-recursor/IP-Iran-List.txt
setuid=pdns-recursor
setgid=pdns-recursor
local-address=127.0.0.1 172.16.1.186
any-to-tcp=yes
distribution-load-factor=1.25
pdns-distributes-queries=yes
distributor-threads=4
dnssec=validate
dnssec-log-bogus=yes
entropy-source=/dev/random
logging-facility=0
lowercase-outgoing=yes
max-tcp-queries-per-connection=10
quiet=no
reuseport=yes
threads=4

Best Regards,

Hamed Haghshenas
