Tantalor93 / dnspyre

CLI tool for a high QPS DNS benchmark
https://tantalor93.github.io/dnspyre/
MIT License

TSIG support? #243

Open PenelopeFudd opened 5 months ago

PenelopeFudd commented 5 months ago

Describe the feature We'd like to benchmark using TSIG on requests to see if it's faster than DoH or any of the other encrypted protocols.

Why do you need this feature We've got a client who's worried about replay attacks, and requests that we support 200,000 requests per second with 100ms latency. We've achieved that with plain UDP, now we just have to get some sort of replay protection set up. DoH, DoT, DoQ and DNSSEC all provide that, but we're having problems reaching the necessary speed, and are hoping that TSIG will do the trick.

Since "Hope is Not a Plan", we're going to have to benchmark it.

The equivalent dig command is:

$ pdnsutil generate-tsig-key foobar hmac-sha512
Create new TSIG key foobar hmac-sha512 asdfasdfYpM2nUHdJtC3mDJnbBIXzUGgDU2/dwz8cDAfEQQ1O9OEON3+5aqTjQlHzXTyZwU

$ pdnsutil activate-tsig-key example.com foobar primary

$ cat > /tmp/foobar.tsig << 'EOF'
key "foobar" {
    algorithm hmac-sha512;
    secret "asdfasdfYpM2nUHdJtC3mDJnbBIXzUGgDU2/dwz8cDAfEQQ1O9OEON3+5aqTjQlHzXTyZwU";
};
EOF

$ dig +short -k /tmp/foobar.tsig txt testing.example.com @127.0.0.4
"this is a test"
"this is another test"

$ dig +short -k /tmp/snafu.tsig txt testing.example.com @127.0.0.4
;; Couldn't verify signature: expected a TSIG or SIG(0)
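For readers weighing TSIG as the replay defence discussed in this request, the following is an added example (not code from the issue, from dig, or from dnspyre) that reimplements the RFC 8945 request MAC in plain Python and runs the server-side checks against a signed query. It assumes a constructed secret, the key name `foobar` and algorithm `hmac-sha512` as in the issue, a default fudge of 300 seconds, and a verifier that already knows the current time; all function and type names are this example's own. Besides the bad-key and bad-signature cases, it shows the property that matters for replay: TSIG rejects a replayed request only once it falls outside the fudge window, so a replay inside that window still verifies.

```python
"""Minimal TSIG (RFC 8945) request signing and verification, constructed for illustration."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo secret (not the key from the issue); real secrets come from pdnsutil or tsig-keygen.
SECRET_B64 = base64.b64encode(b"constructed-demo-secret-do-not-use").decode()
SECRET = base64.b64decode(SECRET_B64)
DEFAULT_FUDGE = 300          # seconds; the usual default for dig and for servers
QTYPE_TXT = 16
CLASS_ANY = 255
ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}


@dataclass(frozen=True)
class TsigKey:
    name: str
    algorithm: str
    secret: bytes


@dataclass(frozen=True)
class TsigRecord:
    """The TSIG RR fields that travel with the request, MAC included."""
    keyname: str
    algorithm: str
    time_signed: int
    fudge: int
    mac: bytes


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Wire-format query: header (RD set, QDCOUNT=1) followed by one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname, algorithm, time_signed, fudge, error=0, other=b"") -> bytes:
    """TSIG variables covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(keyname)
            + struct.pack("!HI", CLASS_ANY, 0)          # CLASS ANY, TTL 0
            + wire_name(algorithm)
            + struct.pack("!Q", time_signed)[2:]        # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign_request(message: bytes, key: TsigKey, time_signed: int, fudge: int = DEFAULT_FUDGE) -> TsigRecord:
    """MAC over the unsigned message plus the TSIG variables (a request carries no prior MAC)."""
    data = message + tsig_variables(key.name, key.algorithm, time_signed, fudge)
    mac = hmac.new(key.secret, data, ALGORITHMS[key.algorithm]).digest()
    return TsigRecord(key.name, key.algorithm, time_signed, fudge, mac)


def verify_request(message: bytes, rr: TsigRecord, key: TsigKey, now: int) -> str:
    """Server-side checks in RFC 8945 section 5.2 order; returns the TSIG error name."""
    if rr.keyname.rstrip(".").lower() != key.name.rstrip(".").lower() or rr.algorithm != key.algorithm:
        return "BADKEY"
    expected = sign_request(message, key, rr.time_signed, rr.fudge).mac
    if not hmac.compare_digest(expected, rr.mac):
        return "BADSIG"
    if abs(now - rr.time_signed) > rr.fudge:
        return "BADTIME"
    return "NOERROR"


def run_demo(now: int = 1_700_000_000) -> dict:
    """Sign one query the way `dig -k` would, then present it to the verifier under several conditions."""
    key = TsigKey("foobar", "hmac-sha512", SECRET)
    other_key = TsigKey("foobar", "hmac-sha512", b"constructed-other-secret")
    query = build_query("testing.example.com", QTYPE_TXT)
    rr = sign_request(query, key, now)
    return {
        "fresh": verify_request(query, rr, key, now),
        "wrong_secret": verify_request(query, rr, other_key, now),
        "tampered_query": verify_request(build_query("other.example.com", QTYPE_TXT), rr, key, now),
        "replay_after_window": verify_request(query, rr, key, now + 2 * DEFAULT_FUDGE),
        "replay_inside_window": verify_request(query, rr, key, now + 60),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:22s} {result}")
```

The `replay_inside_window` case is the one to keep in mind when comparing TSIG with the transport-level options: a signature check plus a time window is cheap per request, which is why it benchmarks well, but it bounds replays to the fudge window rather than preventing them outright; tightening the fudge reduces that window at the cost of stricter clock synchronisation between client and server.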

PenelopeFudd commented 5 months ago

Benchmarking one client:

$ time dig +short +nokeepopen -k /tmp/foobar.tsig @127.0.0.2 txt $(yes hello.doh-test.com |head -20000) | wc -l

20000

real    0m12.557s
user    0m7.154s
sys 0m4.883s

Benchmarking 100 clients with 2000 requests each:

$ time parallel -j 100 dig +short +nokeepopen -k /tmp/foobar.tsig @127.0.0.2 txt $(yes hello.doh-test.com |head -2000) > /dev/null  ::: $(seq 1 100)

real    0m21.112s
user    0m30.589s
sys 1m21.671s

Looks like 9473 QPS