Re: [knot-dns-users] Is it possible to inhibit a response?

5 Zář 2017

Daniel,

I see what the issue is. At the load stage, my module is setting:

...
  knotd_mod_hook(mod, KNOTD_STAGE_BEGIN, my_query)

That function sometimes decides to drop a query rather than process it.  
It then sets pkt->size to 0 and returns KNOTD_STATE_DONE.

In the RRL code at load time, this is done:

...
  knotd_mod_hook(mod, KNOTD_STAGE_END, ratelimit_apply)

When I changed my code to hook the function at the end stage instead, no 
empty msgs were received by dig.

Conversely, when I altered the RRL code to associate ratelimit_apply 
with KNOTD_STAGE_BEGIN, then dig complained about the empty messages.

Is there some way to make the decision to drop the request before it's 
processed and immediately drop it at that point?  (I can write my own 
code to make this happen, but I'm wondering if there is some way of 
doing this within the knot framework.)

Thanks,

Lisa

On 9/3/2017 3:08 PM, daniel.salzman(a)nic.cz wrote:
...
  Lisa,

 If you use recvmmsg, also sendmmsg is used. And an empty response is
 handled in a different way for each of these functions. It's possible
 that sendmmsg sends also empty response in your case. What is your
 environment/operation system? But with sendmsg there is an explicit check
 in the code which prevents sending empty response (--enable-recvmmsg=no).

 Could you test the empty_packet_test branch with some debug messages
 and with a simple RRL module modification which inhibits every 
 response message?

 -----------------------------------
 # My test config

 server:
         listen: "127.0.0.1@28296"

 mod-rrl:
       - id: "test"
         rate-limit: "100"

 zone:
       - domain: "spare."
         file: "spare.rndzone"
         module: [mod-rrl/test]
 -----------------------------------

 $ knotd -c ./test.conf
 2017-09-03T20:59:50 info: Knot DNS 2.6.0-dev starting
 2017-09-03T20:59:50 info: binding to interface 127.0.0.1@28296
 ...
 2017-09-03T20:59:51 info: [spare.] loaded, serial 2737793557
 ...
 DBG: sendmmsg, empty packet check
 DBG: sendmmsg, empty packet check

 $ kdig @127.0.0.1 -p28296 spare. any +retry=0
 ;; WARNING: response timeout for 127.0.0.1@28296(UDP)
 ;; WARNING: failed to query server 127.0.0.1@28296(UDP)

 $ dig @127.0.0.1 -p28296 spare. any +retry=0
 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 -p28296 spare. any
+retry=0
 ; (1 server found)
 ;; global options: +cmd
 ;; connection timed out; no servers could be reached

 Btw, could you please show me your module implementation?

 Daniel

 On 2017-09-03 03:00, Lisa Bahler wrote:
  Daniel,

 I tried with both recvmmsg set to yes and to no.Â  Made no difference.Â
 Not sure why it would.

 When I use the dig client to send to the server, I can see from the
 module log that dig tries three times to receive a valid response
 before giving up.

 It appears that knot is still sending a response each time, but
 because pkt->size was set to 0 in an attempt to have the server drop
 the message, dig complains about the length.

 What I see is(actual address obscured with XXX.XXX.XXX.XXX):

  dig ANY test.com @XXX.XXX.XXX.XXX
 ;; Warning: short (< header size) message received
 ;; Warning: short (< header size) message received
 ;; Warning: short (< header size) message received

 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> ANY test.com @XXX.XXX.XXX.XXX
 ;; global options: +cmd
 ;; connection timed out; no servers could be reached 
 It would be great if the server would send nothing at all and truly
 drop the message.Â Â  Are you seeing a true drop?Â  Again, I'm working
 with the latest 2.6 code from the git repo.

 Thanks,

 Lisa

 On 9/2/2017 2:38 AM, daniel.salzman(a)nic.cz wrote:
> Hi Lisa,
>
> Setting packet size to 0 and returning KNOTD_STATE_DONE is the 
> proper way
> how to inhibit a response. It also work in my simple test. Which 
> version
> of Knot do you have? Is recvmmsg utilized (see configure summary)?
>
> Daniel
>
> On 2017-09-01 19:45, Lisa Bahler wrote:
>> I've written aknot module, which is functioning well.Ã‚Â  I've been 
>> asked
>> to add functionality to it that would inhibit any response from knot,
>> based upon the client's identity.Ã‚Â  I know the identity; I just 
>> need to
>> figure out how to inhibit a response.
>>
>> I just noticed the rrl module, and I looked at what it does.Ã‚Â  I
>> emulated what I saw and set pkt->size = 0 and returned
>> KNOTD_STATE_DONE.
>>
>> When I ran host -a, it returned that no servers could be reached.Ã‚
>> When I ran dig ANY, I ultimately got the same response, but dig
>> complained three times about receiving a message that was too short in
>> length.
>>
>> I really want NO message to be returned.Ã‚Â  How do I force this?
>>
>>
>>
>> _______________________________________________
>> knot-dns-users mailing list
>> knot-dns-users(a)lists.nic.cz
>> https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
> _______________________________________________
> knot-dns-users mailing list
> knot-dns-users(a)lists.nic.cz
> https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users 
_______________________________________________
 knot-dns-users mailing list
 knot-dns-users(a)lists.nic.cz
 https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users 

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Re: [knot-dns-users] Is it possible to inhibit a response?