Open ghost opened 3 years ago
Pretty sure we see this a lot too, but with IQUERY. We actually just drop all non-QUERY in dnsdist now - which I think would only affect the global counters and not the per-server ones which you might be more concerned about, so that could be an option.
According to the way Cloudflare does it, "ignores the OPCODE=2 and defaults to OPCODE=0". Is there any way to rewrite the OPCODE in the recursor phase, and then send the "normal" query to auth servers? Similarly, is there any way to set edns options in the recursor phase, and then send the modified query to auth servers? Maybe we can add a lua_ffi function to achieve this.
Hello! You are asking several questions in a comment on a mostly unrelated ticket. Our GitHub issue tracking is not a support system.
If you have individual feature requests or bug reports, tickets are welcome.
Otherwise:
our GitHub issue tracker is for bug reports and feature requests. Your question looks like a support question. Support questions are handled in our other online communities: IRC and our mailing lists. Please see https://www.powerdns.com/opensource.html for information about those.
OK, thanks for the reminder. I will do as you suggest.
Short description
Make recursor reply to queries with OPCODE=2
Usecase
Found this while debugging why we had a frequent increase in drop counters in Dnsdist. We have quite a lot of clients sending google.com queries with OPCODE=2 set. What and why they do it is out of this scope.
Pdns-recursor will time out these questions, which makes the drop counters increase. Another side effect is that other metrics in Dnsdist look bad/odd.
Description
For example in topSlow it looks like google.com is the slowest domain.
In grepq it looks like queries are bypassing the local dnsdist cache and backend is failing to respond to google.com queries.
Among public DNS servers, 8.8.8.8 responds to OPCODE=2 queries with NOTIMP:
```
~$ dig google.com +opcode=2 @8.8.8.8

; <<>> DiG 9.17.13-2+ubuntu20.10.1+isc+1-Ubuntu <<>> google.com +opcode=2 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: STATUS, status: NOTIMP, id: 17866
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; WARNING: EDNS query returned status NOTIMP - retry with '+noedns'

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Mon Aug 02 11:29:57 CEST 2021
;; MSG SIZE rcvd: 12
```
OpenDNS does the same and replies with NOTIMP.
Cloudflare ignores the OPCODE=2 and defaults to OPCODE=0:
```
~$ dig google.com +opcode=2 @1.1.1.1

; <<>> DiG 9.10.3-P4-Debian <<>> google.com +opcode=2 @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23062
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 129 IN A 172.217.16.78

;; Query time: 2 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Aug 02 11:32:38 CEST 2021
;; MSG SIZE rcvd: 55
```
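The behaviour requested in this issue, sketched as an added example (not code from the issue, PowerDNS or dnsdist): decode the opcode from the 12-byte DNS header and answer any non-QUERY opcode with a header-only NOTIMP reply, the same shape as the 12-byte answer from 8.8.8.8 above. The function names and the constructed sample query are assumptions made for illustration.

```python
import struct

RCODE_NOTIMP = 4  # RFC 1035: "Not Implemented"


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "id": qid,
        "qr": flags >> 15,              # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 QUERY, 1 IQUERY, 2 STATUS, ...
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qdcount,
    }


def notimp_reply(query: bytes):
    """Return a header-only NOTIMP reply for a non-QUERY opcode, else None."""
    h = parse_header(query)
    if h["qr"] == 1 or h["opcode"] == 0:
        return None  # a response, or an ordinary QUERY: normal processing
    # Echo ID, opcode and RD; set QR and RCODE=NOTIMP; all section counts 0,
    # so the reply is never larger than the query that triggered it.
    flags = (1 << 15) | (h["opcode"] << 11) | (h["rd"] << 8) | RCODE_NOTIMP
    return struct.pack("!6H", h["id"], flags, 0, 0, 0, 0)


def build_query(qid: int, opcode: int, name: str = "google.com") -> bytes:
    """Constructed sample input: an A/IN question with RD set."""
    header = struct.pack("!6H", qid, (opcode << 11) | (1 << 8), 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)


if __name__ == "__main__":
    reply = notimp_reply(build_query(17866, 2))  # OPCODE=2 (STATUS)
    print(len(reply), parse_header(reply))
```

Answering immediately, instead of letting the query time out, keeps timeout and drop counters from being inflated by these clients.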