
PowerDNS/dnsdist-ansible 18

An ansible role for dnsdist

PowerDNS/ipcipher 14

ipcipher is a specification for encrypting IP{v4,v6} addresses 'in place'.

PowerDNS/exabgp 8

The BGP swiss army knife of networking

PowerDNS/dnsmasq 6

Mirror of official thekelleys repo, with extra work on branches

PowerDNS/elasticsearch-lua 6

Lua client for Elasticsearch

PowerDNS/go-dnsdist-client 4

A Go client library for the dnsdist console

PowerDNS/dns-violations 1

List of DNS violations by implementations, software and/or systems

issue opened PowerDNS/pdns

rec: policyEventFilter ignored by followCNAMERecords

  • Program: Recursor
  • Issue type: Bug report

Short description

The Lua policyEventFilter method is not checked when the recursor hits the RPZ from "followCNAMERecords".

Environment

  • Operating system: Ubuntu 20.04
  • Software version: PowerDNS Recursor 4.5.5
  • Software source: PowerDNS repo

Steps to reproduce

# recursor.conf
lua-config-file=/etc/powerdns/config.lua
lua-dns-script=/etc/powerdns/dns.lua

# config.lua
rpzFile('/etc/powerdns/rpz/list.rpz', { policyName="rpz1" })

# list.rpz
$TTL 10m;
$ORIGIN rpz1.
@               SOA localhost. root.localhost. ( 1 12h 15m 3w 2h)
@               NS localhost.  
restrict.youtube.com   CNAME .

# dns.lua
function preresolve(dq)
    dq:addAnswer(pdns.CNAME, "restrict.youtube.com")
    dq.followupFunction="followCNAMERecords"
    dq.rcode = pdns.NOERROR
    return true
end

function policyEventFilter(event)
  pdnslog(' = policyEventFilter fired')
  return false
end

Expected behaviour

The Lua policyEventFilter method gets fired and the "= policyEventFilter fired" log line shows up:

[2/1] question for 'restrict.youtube.com|A' from 10.1.1.13:36635 (proxied by 127.0.0.1:56102)
= policyEventFilter fired
restrict.youtube.com|A: RPZ Hit; PolicyName=rpz1; Trigger=restrict.youtube.com; Hit=restrict.youtube.com; Type=QName; Kind=.
[2/1] answer to question 'restrict.youtube.com|A': 0 answers, 1 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3, dnssec=Indeterminate

Actual behaviour

The Lua policyEventFilter method is not run; no log line appears:

[2/1] question for 'www.youtube.com|A' from 10.1.1.13:51272 (proxied by 127.0.0.1:56102)
restrict.youtube.com|A: RPZ Hit; PolicyName=rpz1; Trigger=restrict.youtube.com; Hit=restrict.youtube.com; Type=QName; Kind=.
[2/1] answer to question 'www.youtube.com|A': 1 answers, 1 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3, dnssec=Indeterminate

Other information

After removing or commenting out the Lua preresolve method, the request is processed correctly and the policyEventFilter method is checked as in the expected behaviour.

created time in 9 hours
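A way to check a recursor trace for the condition this report describes, as an added example that is not part of the issue: it splits the trace into per-query blocks on the recursor's own "question for" / "answer to question" lines and reports every RPZ Hit inside a block where the reporter's "= policyEventFilter fired" log line never appeared. The two excerpts above are embedded verbatim as sample input; the function names are this example's own, and the marker string assumes the pdnslog() text from the reporter's dns.lua.

```python
"""Flag RPZ hits that were not preceded by a policyEventFilter() call.

Added example, not PowerDNS code. It reads a recursor trace as plain text
and groups lines into per-query blocks using the recursor's own
"[thread/id] question for ..." / "... answer to question ..." lines.
"""
import re
from typing import List, Optional, Tuple

# Sample input: the two trace excerpts from the bug report, embedded verbatim.
EXPECTED_TRACE = """\
[2/1] question for 'restrict.youtube.com|A' from 10.1.1.13:36635 (proxied by 127.0.0.1:56102)
= policyEventFilter fired
restrict.youtube.com|A: RPZ Hit; PolicyName=rpz1; Trigger=restrict.youtube.com; Hit=restrict.youtube.com; Type=QName; Kind=.
[2/1] answer to question 'restrict.youtube.com|A': 0 answers, 1 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3, dnssec=Indeterminate
"""

ACTUAL_TRACE = """\
[2/1] question for 'www.youtube.com|A' from 10.1.1.13:51272 (proxied by 127.0.0.1:56102)
restrict.youtube.com|A: RPZ Hit; PolicyName=rpz1; Trigger=restrict.youtube.com; Hit=restrict.youtube.com; Type=QName; Kind=.
[2/1] answer to question 'www.youtube.com|A': 1 answers, 1 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3, dnssec=Indeterminate
"""

QUESTION_RE = re.compile(r"^\[[\d/]+\] question for '(?P<q>[^']+)'")
ANSWER_RE = re.compile(r"^\[[\d/]+\] answer to question '(?P<q>[^']+)'")
RPZ_HIT_RE = re.compile(r"^(?P<name>\S+): RPZ Hit; PolicyName=(?P<policy>[^;]+);")
# Text the reporter's policyEventFilter() writes via pdnslog(); assumed unchanged.
FILTER_MARK = "= policyEventFilter fired"

Finding = Tuple[str, str, str]  # (query, RPZ hit name, policy name)


def find_unfiltered_rpz_hits(trace: str) -> List[Finding]:
    """Return one finding per RPZ Hit whose query block never logged FILTER_MARK.

    Assumes a single-threaded trace: RPZ Hit lines carry no thread id, so
    interleaved threads cannot be attributed. Trace one query at a time.
    """
    findings: List[Finding] = []
    query: Optional[str] = None
    filter_seen = False
    hits: List[Tuple[str, str]] = []

    for raw in trace.splitlines():
        line = raw.strip()
        m = QUESTION_RE.match(line)
        if m:  # a new query block starts
            query, filter_seen, hits = m.group("q"), False, []
            continue
        if query is None:
            continue  # lines outside any query block are ignored
        if FILTER_MARK in line:
            filter_seen = True
            continue
        m = RPZ_HIT_RE.match(line)
        if m:
            hits.append((m.group("name"), m.group("policy")))
            continue
        if ANSWER_RE.match(line):  # block ends: decide for every hit collected
            if not filter_seen:
                findings.extend((query, name, policy) for name, policy in hits)
            query, filter_seen, hits = None, False, []
    return findings


def report(trace: str) -> List[str]:
    """Human-readable lines, one per unfiltered RPZ hit."""
    return [f"RPZ hit on {name} (policy {policy}) for query {q} without policyEventFilter()"
            for q, name, policy in find_unfiltered_rpz_hits(trace)]


if __name__ == "__main__":
    print("expected:", report(EXPECTED_TRACE))
    print("actual:  ", report(ACTUAL_TRACE))
```

Run against a full trace (rec_control trace-regex output, one query at a time) the function reports nothing when every RPZ hit was offered to the filter, and one line per hit that bypassed it, which is exactly the difference between the two excerpts.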

issue comment PowerDNS/weakforced

[BUG] setACL() doesn't replace current networks list

Yes, I can achieve all of the above simply by moving where the default is set to before the config is read.

slavkoja

comment created time in 13 hours

issue comment PowerDNS/weakforced

[BUG] setACL() doesn't replace current networks list

I have no problem with any defaults when there is a way to override them.

IMO, you can apply this logic at startup:

  1. set the default ACL list (as it is now)
  2. if there is a setACL() in the config, replace the current list with the provided one (as it does in the console now)
  3. if there is an addACL() in the config, add the item to the list
  4. if needed, repeat from step 2
  5. report (log) the actual items in the ACLs at the end of the config read

Do not bother checking the order of setACL() and addACL() config directives/commands; simply apply them as they come, e.g. multiple replaces, a replace after an add, etc.

slavkoja

comment created time in 13 hours

issue comment PowerDNS/weakforced

[BUG] setACL() doesn't replace current networks list

I think one thing I could do is to only add the private IP ranges if no ACLs have been set. If they have been set, then I assume the admin knows what they are doing, and don't add the private IP ranges.

slavkoja

comment created time in 14 hours

issue comment PowerDNS/weakforced

[BUG] GeoIP2 is not built without legacy GeoIP lib

OK, I tested the patch from the PR; it seems to build OK now.

slavkoja

comment created time in 14 hours

issue comment PowerDNS/weakforced

[BUG] setACL() doesn't replace current networks list

To help you better understand my motivation:

My ISP uses 10.0.0.0/X addresses (I do not know the exact mask or range) for its clients. That is not bad at all, but it doesn't NAT them when they are routed to my public IP, and from time to time I see these addresses in some of my logs (mostly web). In other words, I cannot trust that the private IPs are from known hosts, and I need to be stricter in the ACL.

While I block them on the router already, I want/need a way to remove them from the ACL, as this blocking prevents my "neighbors" from accessing my services, and I am afraid of the time when they decide to use another private range (e.g. ULA, when they learn IPv6)...

...it's to stop people creating ACLs which accidentally lock themselves out of their own wforce servers.

And how do you prevent them from blocking themselves on the firewall?

slavkoja

comment created time in 14 hours

issue comment PowerDNS/weakforced

[BUG] setACL() doesn't replace current networks list

OK, just to be clear, this is what wforce does:

  • It takes the ACLs as set by the setACL() command
  • When it starts up it always adds a list of private IPs to whatever ACLs are defined by the setACL() command, specifically: "127.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "::1/128", "fc00::/7", "fe80::/10"

This behaviour is expected - it's to stop people creating ACLs which accidentally lock themselves out of their own wforce servers.

slavkoja

comment created time in 15 hours
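The two ACL-processing behaviours argued over in this thread, modelled side by side as an added example (not weakforced code): the current behaviour described just above, where the private ranges are appended to whatever setACL() configured, and the reporter's five-step proposal from the later comment, where the private ranges are only the default list, setACL() replaces it outright, addACL() appends, directives are applied in config order, and the final list is logged. The class and function names and the policy labels are this example's own; the 203.0.113.0/24 and 198.51.100.7 addresses are documentation ranges standing in for an operator's networks.

```python
"""Model of the setACL()/addACL() processing policies from the wforce thread.

Added illustration, not weakforced code. Two policies are replayed over the
same list of config directives so the difference can be checked directly.
"""
import ipaddress
from typing import Any, Iterable, List, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Directive = Tuple[str, Any]  # ("setACL", [prefixes]) or ("addACL", prefix)

# The ranges the thread says wforce adds at startup.
PRIVATE_RANGES = ["127.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
                  "192.168.0.0/16", "172.16.0.0/12", "::1/128", "fc00::/7", "fe80::/10"]

# Policy labels are this example's own names.
CURRENT = "current"    # private ranges appended after the config, whatever setACL() said
PROPOSED = "proposed"  # private ranges are only the default; setACL() replaces them outright


def _net(prefix: str) -> Network:
    return ipaddress.ip_network(prefix, strict=False)


class Acl:
    """Ordered list of networks with setACL (replace) and addACL (append) semantics."""

    def __init__(self, prefixes: Iterable[str] = ()):
        self.networks: List[Network] = [_net(p) for p in prefixes]

    def set_acl(self, prefixes: Iterable[str]) -> None:
        """setACL(): replace the whole list, as the console does today."""
        self.networks = [_net(p) for p in prefixes]

    def add_acl(self, prefix: str) -> None:
        """addACL(): append one network, ignoring duplicates."""
        net = _net(prefix)
        if net not in self.networks:
            self.networks.append(net)

    def allows(self, address: str) -> bool:
        addr = ipaddress.ip_address(address)
        return any(addr in net for net in self.networks)

    def as_strings(self) -> List[str]:
        return [str(n) for n in self.networks]


def load_acl(directives: Sequence[Directive], policy: str) -> Acl:
    """Replay config directives in the order given, then apply the chosen policy."""
    acl = Acl(PRIVATE_RANGES)            # step 1: default list
    for name, arg in directives:         # steps 2-4: apply in config order, no reordering
        if name == "setACL":
            acl.set_acl(arg)
        elif name == "addACL":
            acl.add_acl(arg)
        else:
            raise ValueError(f"unknown directive {name!r}")
    if policy == CURRENT:                # what the thread says wforce does now
        for p in PRIVATE_RANGES:
            acl.add_acl(p)
    elif policy != PROPOSED:
        raise ValueError(f"unknown policy {policy!r}")
    return acl


def acl_report(acl: Acl) -> str:
    """Step 5: what an operator should see logged at the end of the config read."""
    return "ACL after config: " + ", ".join(acl.as_strings())


if __name__ == "__main__":
    # Constructed config: documentation ranges standing in for an operator's networks.
    config = [("setACL", ["203.0.113.0/24"]), ("addACL", "198.51.100.7/32")]
    for policy in (CURRENT, PROPOSED):
        acl = load_acl(config, policy)
        print(policy, acl_report(acl), "| 10.1.2.3 allowed:", acl.allows("10.1.2.3"))
```

With an empty config both policies end up with the private ranges, so an operator who configures nothing is not locked out; the difference only appears once setACL() is used, where the proposed policy honours the operator's list and the current one silently re-admits 10.0.0.0/8.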


PR opened PowerDNS/weakforced

Various packaging and compilation fixes
  • Fix pthread link issue on debian bullseye (#344)
  • Ensure geoip2 function inclusion is not dependent on geoip legacy lib availability (#345)
  • Tidy up debian control files so that they work for debian stretch through bullseye
  • Add packaging target for debian bullseye
+16 -9

0 comment

6 changed files

pr created time in 17 hours

pull request comment PowerDNS/pdns

Handle waiting for a descriptor to become readable OR writable

It looks like ports should provide much better performance than /dev/poll [1], so I think we should ponder updating the priorities of our multiplexers:

  • poll from 1 to 2
  • /dev/poll from 0 to 1
  • ports, epoll, kqueue would remain at 0

It would be consistent with what libevent is doing [2], for what it's worth.

rgacogne

comment created time in 20 hours

pull request comment PowerDNS/pdns

Handle waiting for a descriptor to become readable OR writable

So OpenIndiana has both the /dev/poll and ports multiplexers, and they register themselves with the same priority (0), so I'm not sure which one is actually tested. I pushed a fix to test all available multiplexers in our unit tests.

rgacogne

comment created time in 20 hours

push event PowerDNS/pdns

Andreas Jakum

commit sha 814e29afa1aef6b3332e6fff46b1e2ec99b052ec

dnsdist: Document that setECSOverride has drawbacks under certain conditions.


Remi Gacogne

commit sha c2b5543859ae9197ca37ee7aa965f1bd2a736c5d

Merge pull request #10626 from aj-gh/doc-dnsdist-setecsoverride dnsdist: Document that setECSOverride has its drawbacks


push time in 21 hours

PR merged PowerDNS/pdns

dnsdist: Document that setECSOverride has its drawbacks (labels: dnsdist, docs, enhancement)

Short description

Document that using setECSOverride in front of Auth servers responding with ECS info can lead to downstream SERVFAIL responses when scopes no longer match and confuse clients (nameservers).

Checklist

I have:

  • [x] read the CONTRIBUTING.md document
  • [ ] compiled this code
  • [ ] tested this code
  • [ ] included documentation (including possible behaviour changes)
  • [ ] documented the code
  • [ ] added or modified regression test(s)
  • [ ] added or modified unit test(s)
  • [ ] checked that this code was merged to master
+2 -1

0 comment

1 changed file

aj-gh

pr closed time in 21 hours


pull request comment PowerDNS/pdns

Auth: add zone to zonecache on flush endpoint

I have a question about the cache-flush: does it flush single domain names or all domain names belonging to a zone? For example, can I flush www.example.com? Or only example.com which will flush also www.example.com? In the first case, if someone flushes www.example.com I will not that www.example.com will be added to the zone-list cache.

Maybe an additional URL parameter to the flush endpoint can be used to add the zone to the zone-list cache.

zeha

comment created time in a day

pull request comment PowerDNS/pdns

Handle waiting for a descriptor to become readable OR writable

OpenIndiana:

PASS: testrunner
============================================================================
Testsuite summary for dnsdist 0.0.21878.0.mplexerreadwrite.g2ee30ed745
============================================================================
# TOTAL: 1
# PASS:  1
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
rgacogne

comment created time in a day

pull request comment PowerDNS/pdns

Handle waiting for a descriptor to become readable OR writable

Thanks! I pushed a commit that will (hopefully) fix these.

rgacogne

comment created time in 2 days

pull request comment PowerDNS/pdns

Handle waiting for a descriptor to become readable OR writable

This PR does not compile on OpenIndiana:

configure: Configuration summary
configure: =====================
configure:
configure: dnsdist configured with:  '--enable-unit-tests'
configure:
configure: CC: gcc
configure: CXX: g++ -std=c++17
configure: LD: /usr/bin/ld -64
configure: CFLAGS:  -fPIE -DPIE -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 --param ssp-buffer-size=4 -fstack-protector -g -O3 -Wall -Wextra -Wshadow -Wno-unused-parameter -g -O2
configure: CPPFLAGS:
configure: CXXFLAGS:  -fPIE -DPIE -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 --param ssp-buffer-size=4 -fstack-protector -D_REENTRANT -g -O3 -Wall -Wextra -Wshadow -Wno-unused-parameter -Wmissing-declarations -Wredundant-decls -g -O2
configure: LDFLAGS:   -rdynamic
configure: LIBS: -lsocket -lnsl -lposix4 -lpthread
configure: BOOST_CPPFLAGS: -I/usr/include
configure:
configure: Features enabled
configure: ----------------
configure: Lua: luajit
configure: Protobuf: yes
configure: systemd: no
configure: ipcipher: yes
configure: libsodium: no
configure: DNSCrypt: no
configure: dnstap: no
configure: re2: no
configure: SNMP: yes
configure: DNS over TLS: no
configure: DNS over HTTPS (DoH): no
configure: cdb: no
configure: lmdb: no
configure:

warnings

iputils.cc: In function 'size_t sendMsgWithOptions(int, const char*, size_t, const ComboAddress*, const ComboAddress*, unsigned int, int)':
iputils.cc:392:8: warning: variable 'firstTry' set but not used [-Wunused-but-set-variable]
  392 |   bool firstTry = true;
      |        ^~~~~~~~
devpollmplexer.cc: In function 'int convertEventKind(FDMultiplexer::EventKind)':
devpollmplexer.cc:96:1: warning: control reaches end of non-void function [-Wreturn-type]
   96 | }
      | ^
portsmplexer.cc: In function 'int convertEventKind(FDMultiplexer::EventKind)':
portsmplexer.cc:78:1: warning: control reaches end of non-void function [-Wreturn-type]
   78 | }
      | ^

errors

portsmplexer.cc: In member function 'virtual void PortsFDMultiplexer::getAvailableFDs(std::vector<int>&, int)':
portsmplexer.cc:128:78: error: 'POLLER' was not declared in this scope; did you mean 'POLLET'?
  128 |     if ((d_pevents[n].portev_events & POLLIN || d_pevents[n].portev_events & POLLER || d_pevents[n].portev_events & POLLHUP)) {
      |                                                                              ^~~~~~
      |                                                                              POLLET
portsmplexer.cc: In member function 'virtual int PortsFDMultiplexer::run(timeval*, int)':
portsmplexer.cc:186:77: error: 'POLLER' was not declared in this scope; did you mean 'POLLET'?
  186 |     if (d_pevents[n].portev_events & POLLIN || d_pevents[n].portev_events & POLLER || d_pevents[n].portev_events & POLLHUP) {
      |                                                                             ^~~~~~
      |                                                                             POLLET
portsmplexer.cc:195:78: error: 'POLLER' was not declared in this scope; did you mean 'POLLET'?
  195 |     if (d_pevents[n].portev_events & POLLOUT || d_pevents[n].portev_events & POLLER) {
      |                                                                              ^~~~~~
      |                                                                              POLLET

rgacogne

comment created time in 2 days


pull request comment PowerDNS/pdns

Auth: add zone to zonecache on flush endpoint

I can split it into a new endpoint, but:

  • naming it is hard. Certainly needs the “most people should not call this” explanation. Recommendations on the name?
  • people who want to call this will also end up calling flush, to clear any old entries in packetcache

Therefore I am not sure it’s worth splitting really.

zeha

comment created time in 2 days

pull request comment PowerDNS/pdns

Handle waiting for a descriptor to become readable OR writable

Running the dnsdist unit tests (testrunner) from that PR on the following systems would be great:

  • [ ] FreeBSD (kqueue)
  • [ ] OpenBSD (kqueue)
  • [ ] SmartOS/Illumos (/dev/poll, ports)
  • [ ] Mac OS X (kqueue? not sure our Makefile handles that right)
rgacogne

comment created time in 2 days

PR opened PowerDNS/pdns

Handle waiting for a descriptor to become readable OR writable (labels: dnsdist, enhancement, rec)

Short description

This commit refactors our multiplexers to be able to wait for a descriptor to become readable OR writable at the same time.

I kept the two separate maps for an easier handling of the separate TTD and to limit the amount of changes, but we might want to merge them into a single map in the future. The accounting is moved into the parent class instead of being dealt with by the multiplexers themselves.

I noticed that the poll multiplexer allocates and fills a vector of pollfd for every call to run(), which seems wasteful, but I did not want to touch that in this commit.

I did not compile or test the kqueue, ports and /dev/poll multiplexers yet, so don't merge this without testing them first.

Checklist

I have:

  • [x] read the CONTRIBUTING.md document
  • [x] compiled this code
  • [x] tested this code
  • [ ] included documentation (including possible behaviour changes)
  • [x] documented the code
  • [ ] added or modified regression test(s)
  • [x] added or modified unit test(s)
+555 -367

0 comment

9 changed files

pr created time in 2 days

PR opened PowerDNS/irccat

PR vs issue

Untested

+672 -33

0 comment

8 changed files

pr created time in 2 days

issue comment PowerDNS/pdns

Make recursor reply to queries with OPCODE=2

Pretty sure we see this a lot too, but with IQUERY. We actually just drop all non-QUERY in dnsdist now - which I think would only affect the global counters and not the per-server ones which you might be more concerned about, so that could be an option.

frevoc

comment created time in 2 days

pull request comment PowerDNS/pdns

Dev/no tcp

Error merging in wrong repo

gothremote

comment created time in 2 days

PR closed PowerDNS/pdns

Dev/no tcp

Short description

Load key from ISCMap (pub and priv) based on changed openssl lib. Change size to fit bit size of falcon

+536 -53

0 comment

25 changed files

gothremote

pr closed time in 2 days

PR opened PowerDNS/pdns

Dev/no tcp

Short description

Load key from ISCMap (pub and priv) based on changed openssl lib. Change size to fit bit size of falcon

+536 -53

0 comment

25 changed files

pr created time in 2 days