Re: [Pdns-users] Slow downloads google drive

2022-07-11 Thread abang--- via Pdns-users
It *might* be worth giving this setting a try:

edns-subnet-whitelist=0.0.0.0/0, ::/0

But it depends on whether the client is talking to the Recursor over public or 
private IP addresses.

https://doc.powerdns.com/recursor/settings.html#edns-subnet-allow-list

https://en.m.wikipedia.org/wiki/EDNS_Client_Subnet

https://datatracker.ietf.org/doc/html/rfc7871#section-7.1.1

Winfried 


On 11 July 2022 22:06:13 CEST, Alex Trevisol via Pdns-users wrote:
>Hello,
>
>I have an issue with dns resourcer when I use local dns resource I have
>problems with slowness with google drive drive downloads do not exceed 600
>kbps/s, when we switch to google dns the download speed is normal,
>something between 5-6 mbps/s, I reinstalled a new vm with ubuntu 22 and the
>new version powerdns-recursor 4.7 redid the configuration but it remains
>the same.
>
>We also tested it with a friend's DNS resource that is unbound and it
>worked perfectly as well as with google dns
>
>any suggestions ?

-- 
This message was sent from my Android device with K-9 Mail.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PowerDNS Recursor RPZ issues

2022-08-01 Thread abang--- via Pdns-users
Hi Luke,

You have to host the RPZ zone on an authoritative nameserver (PowerDNS 
Authoritative for example) in order to load it using the rpzPrimary function.

The Recursor does not provide zone transfers.

Winfried


Re: [Pdns-users] Overlay or pass-through support in PDNS?

2022-08-04 Thread abang--- via Pdns-users
Hi Eli,

To keep it simple, you could implement the solution outside the DNS server by 
generating the different zones from a unified source that contains both 
pieces of information about each RR.

Winfried 


On 3 August 2022 01:43:38 CEST, eli glynn via Pdns-users wrote:
>I've recently inherited a really ugly mess at my company, involving a
>muddle of PowerDNS, Route53, NS1, and just about every mixed up interaction
>you could imagine between them all.
>
>The biggest part of the jumble is the way PowerDNS was used as a poor-mans
>split horizon - we have a large number of records which point at internal
>(e.g. 10.x) ranges, with duplicate entries in Route53 AND/OR NS1 (don't
>ask) usually pointing at routable IPs.  There's a lot of badness beyond
>just that, but the majority of my pain is from that basic situation.
>
>Because the client systems are pointed at PDNS, and it considers itself
>authoritative, we're forced to duplicate ALL external records (overridden
>or not) within PDNS, or NXDOMAINs result.  This of course leads to two (or
>sometimes three) sources of truth for all RRs, and historically the needed
>due diligence has not been performed to keep them in sync.
>
>Long story short, in order to clean up the mess, I'm hoping to implement an
>"overlay" in PowerDNS, whereby PDNS only contains the RRs which it needs to
>override.  If a record would normally be identical to the external value
>(Route53 or NS1) then rather than duplicating it, I'd like PowerDNS to fail
>through and do a recursive lookup externally, returning that value to the
>client.  So basically, if an NXDOMAIN or NODATA would be returned for a
>zone PDNS considers itself authoritative for, it instead recurses and emits
>whatever comes back from there.
>
>It seems this should be doable using a `postresolve()` hook, or even better
>`nxdomain()` combined with `nodata()` to minimize Lua roundtrips.  But I'm
>having a heckuva time implementing the recursion part.  I can't find any
>canned tooling within Lua to do something theoretically simple (e.g. what
>in python you'd do with `import socket ; return
>socket.gethostbyname("blah")`).  I've also considered writing a custom
>backend but would prefer to keep things simple if at all possible
>
>I know this is an unusual use-case (though I can see where such an
>"overlay" could be very useful in a number of scenarios).
>
>Any feedback would be appreciated - suggestions, alternate approaches, or
>even a flat "you can't do that in PowerDNS" if such is the case - it will
>save me a lot of cycles if so :)
>
>Thanks all!
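Added example, not part of the original thread and not PowerDNS code: one way to do what the reply above suggests, generating the internal and the external zone data from a single source in which each record carries its public value and an optional internal override. The `Record` schema, the function names and the example.com data are assumptions made for the illustration; the external view also rejects RFC 1918 addresses so that an internal override cannot be published by mistake.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Record:                        # hypothetical schema for the unified source
    name: str                        # owner name relative to the zone
    rtype: str
    external: Optional[str] = None   # public value; None = internal-only record
    internal: Optional[str] = None   # internal override; None = same as external
    ttl: int = 300

# Constructed sample data (documentation names and addresses).
UNIFIED = [
    Record("@", "SOA", external="ns1.example.com. hostmaster.example.com. "
                                "2022080401 3600 600 604800 300"),
    Record("@", "NS", external="ns1.example.com."),
    Record("ns1", "A", external="198.51.100.53", internal="10.0.0.53"),
    Record("www", "A", external="198.51.100.10", internal="10.0.0.10"),
    Record("mail", "A", external="198.51.100.25"),   # identical in both views
    Record("db", "A", internal="10.0.0.20"),         # exists only internally
]

def is_rfc1918(value: str) -> bool:
    """True if value is an IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False                 # not an address, e.g. an NS target
    return addr.version == 4 and any(addr in net for net in RFC1918)

def build_view(records, view: str):
    """Return (name, ttl, rtype, value) rows for the 'internal' or 'external' view."""
    if view not in ("internal", "external"):
        raise ValueError(f"unknown view: {view}")
    rows = []
    for r in records:
        value = r.external
        if view == "internal" and r.internal is not None:
            value = r.internal       # the override wins inside the network
        if value is None:
            continue                 # record does not exist in this view
        if view == "external" and is_rfc1918(value):
            raise ValueError(f"{r.name}: private address {value} in external view")
        rows.append((r.name, r.ttl, r.rtype, value))
    return rows

def render_zone(origin: str, rows) -> str:
    """Render rows as zone-file text under the given $ORIGIN."""
    lines = [f"$ORIGIN {origin}"]
    lines += [f"{n}\t{ttl}\tIN\t{t}\t{v}" for n, ttl, t, v in rows]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for view in ("internal", "external"):
        print(f"; {view} view")
        print(render_zone("example.com.", build_view(UNIFIED, view)))
```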


Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache

2022-09-09 Thread abang--- via Pdns-users
> getPool("resolverTopnet"):getCache():printStats()

In one of your previous mails the pool name was "resolver".

On 9 September 2022 17:38:10 CEST, SAMI RAHAL via Pdns-users wrote:
>Hi Remi
>
>The server is in production it receives requests as shown in this summary
>
>Uptime: 17 days, Number of queries: 2326402346 (2385.00 qps), ACL drops: 0, 
>Dynamic drops: 27076173, Rule drops: 6451838
>Average response time: 9.40 ms, CPU Usage: 26.50%, Cache hitrate: 85.37%, 
>Server selection policy: leastOutstanding
>Listening on: 0.0.0.0:53, ACL: 0.0.0.0/0
>
>
>thanks Rahal
>
>Regards, Sami Rahal, DNS and Cloud Hosting Service, Technical & IT Department,
>TOPNET Head Office, Centre Urbain Nord, Tel.: 71185000, Mobile: 99 459 812
>
>From: Pdns-users on behalf of
>pdns-users-requ...@mailman.powerdns.com
>Sent: Friday, 9 September 2022 14:00
>To: pdns-users@mailman.powerdns.com
>Subject: [EXTERNE]Pdns-users Digest, Vol 236, Issue 5
>
>Today's Topics:
>
>   1. Re: [dnsdist] Dnsdist not reading from the cache (Remi Gacogne)
>   2. Re: [EXTERNE]Re: [dnsdist] Dnsdist not reading from the cache
>  (SAMI RAHAL)
>   3. Re: [EXT] RE: [EXTERNE]Re: [dnsdist] Dnsdist not reading from
>  the cache (Remi Gacogne)
>
>
>--
>
>Message: 1
>Date: Fri, 9 Sep 2022 09:24:57 +0200
>From: Remi Gacogne 
>To: SAMI RAHAL ,
>"pdns-users@mailman.powerdns.com" 
>Subject: Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache
>Message-ID: <00726a29-c73a-59e0-c901-a9109f114...@powerdns.com>
>Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
>Hi,
>
>On 07/09/2022 14:02, SAMI RAHAL via Pdns-users wrote:
>> for those running dnsdist I'm wondering is anyone has set up cache.
>>
>> If you have, I'd appreciate pointers in your strategies (and/or some
>> examples?).
>
>A lot of installations are using caching in dnsdist, yes. I don't see
>anything immediately wrong after looking at your configuration. What
>makes you think caching is not working?
>
>--
>Remi Gacogne
>PowerDNS.COM BV - https://www.powerdns.com/
>
>
>--
>
>Message: 2
>Date: Fri, 9 Sep 2022 09:34:19 +
>From: SAMI RAHAL 
>To: Remi Gacogne ,
>"pdns-users@mailman.powerdns.com" 
>Subject: Re: [Pdns-users] [EXTERNE]Re: [dnsdist] Dnsdist not reading
>from the cache
>Message-ID: <5a536fb77d7a42039c9e5009341df...@topnetpro.tn>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hi Remi
>
>Thank you for your answer
>I test the cache as follows:
>getPool("resolverTopnet"):getCache():printStats()
>
>I get empty values:
>
>Entries: 0/200
>Hits: 0
>Misses: 0
>Deferred inserts: 0
>Deferred lookups: 0
>Lookup Collisions: 0
>Insert Collisions: 0
>TTL Too Shorts: 0
>
>before updating dnsdist from 1.5 to 1.7 i can see the values
>
>Thanks a lot
>
>--
>
>Message: 3
>Date: Fri, 9 Sep 2022 11:37:51 +0200
>From: Remi Gacogne 
>To: "pdns-users@mailman.powerdns.com"
>
>Subject

Re: [Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record

2022-09-22 Thread abang--- via Pdns-users
The "NSEC3 proving non-existence" of this zone is broken. See
 https://dnsviz.net/d/riecis.nl/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=

You can work around this issue by setting an NTA for it on your Recursors. It is 
recommended to inform the owner of the zone in order to fix the root cause.

Winfried 



On 22 September 2022 09:27:20 CEST, Leeflangetje via Pdns-users wrote:
>Hi,
>
>Since we upgraded to pdns-recursor 4.6 we sometimes experience some
>weird behaviour with queries via pdns-recursor.
>
>Sometimes, when a previously queried record expires through its TTL,
>the recursor does not provide an answer anymore, until it's restarted.
>
>Unfortunately I am not able to reproduce this. It happens occasionally.
>When it happens, we see this: 
>
>Faulty server:
>
>dig @ns1 riecis.nl A
>
>; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns1 riecis.nl A
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27148
>;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 512
>;; QUESTION SECTION:
>;riecis.nl. IN  A
>
>;; AUTHORITY SECTION:
>riecis.nl.  2828IN  SOA ns1.minvenj.nl. hostmaster.solvinity.com. 
>2022010301 1800 300 604800 3600
>
>;; Query time: 2 msec
>;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
>;; WHEN: Tue Sep 20 12:16:55 CEST 2022
>;; MSG SIZE  rcvd: 110
>
>other server:
>
>dig @ns2  riecis.nl A
>
>; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns2 riecis.nl A
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61517
>;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 512
>;; QUESTION SECTION:
>;riecis.nl. IN  A
>
>;; ANSWER SECTION:
>riecis.nl.  224 IN  A   159.46.204.40
>
>;; Query time: 1 msec
>;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
>;; WHEN: Tue Sep 20 12:17:03 CEST 2022
>;; MSG SIZE  rcvd: 54
>
>
>We have a fairly simple configuration, just on what address and port to
>listen on, to use the same address for outgoing queries, and a short
>list of addresses that are allowed to query.
>
>I have confirmed this problem up to and including version 4.6.3
>
>Anyone an idea on how to approach this matter?
>
>Regards
>
>
>


Re: [Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record

2022-09-22 Thread abang--- via Pdns-users
True, TCP is broken as well.

On 22 September 2022 10:01:58 CEST, Otto Moerbeek wrote:
>On Thu, Sep 22, 2022 at 09:41:57AM +0200, abang--- via Pdns-users wrote:
>
>> The "NSEC3 proving non-existence" of this zone is broken. See
>>  https://dnsviz.net/d/riecis.nl/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
>> 
>> You can work around this issue by setting an NTA for it on your Recursors. It 
>> is recommended to inform the owner of the zone in order to fix the root 
>> cause.
>> 
>> Winfried 
>
>Agreed, but given my findings in the other post I'm not convinced it
>will solve *all* issues with that domain.
>
>   -Otto
>


Re: [Pdns-users] Increased CPU usage after upgrade to MariaDB 10.6.11

2022-11-26 Thread abang--- via Pdns-users
Hi, 

We recently had a similar problem when we updated from 10.5.12 to 10.6.10.

The cause was that the default behavior changed from

innodb_flush_method = fsync

to

innodb_flush_method = O_DIRECT

Which means, no kernel file caching.

If you have a too small 

innodb_buffer_pool_size

in this case, there is a lot of disk I/O and thus a lot of CPU wait time.

Setting

innodb_buffer_pool_size = 8G

helped in our case.

Winfried


On 26 November 2022 14:45:26 CET, William Edwards via Pdns-users wrote:
>Hi,
>
>Are people on this mailing list seeing increased CPU usage when using MariaDB 
>10.6.11 with PowerDNS 4.5.4?
>
>Context:
>
>I use PowerDNS with the gmysql backend. Last Wednesday, I upgraded MariaDB 
>10.6.10 to 10.6.11 on 8 machines running PowerDNS. Since then, MySQL's average 
>CPU usage has increased from 2,5% to 55%. This happens on all upgraded 
>machines. However, this issue does not occur on machines running MariaDB 
>10.6.11 without PowerDNS. PowerDNS itself was not upgraded.
>
>I am aware that this issue is (most likely) not caused by PowerDNS. I am 
>therefore only wondering whether others have seen the same behaviour. If so, 
>that would save me some debugging time.
>
>Thank you,
>
>William Edwards
>


Re: [Pdns-users] Recursor Cache entries per record

2022-11-28 Thread abang--- via Pdns-users
Hi Giovanni,

As far as I know, the Recursor is doing exactly what you want. IP addresses are 
not part of the hash. Only the query name is the basis of the hash.

Identical query names are routed to the same thread and thus to the same cache.

Winfried


On 28 November 2022 18:37:19 CET, Giovanni Vecchi via Pdns-users wrote:
>Hi guys,
>
>I'm doing some tests on recursor 4.7.4 and I would like some confirmation from
>you about caching behaviour: I understood that
>enabling pdns-distributes-queries, cached entries are served only in case
>of matching query hash, so different clients (with different source ip)
>will not hit cache for the same record in their first queries, isn't it?
>
>Let's do an example, starting from time 0:
>- time 0+1 -> client1 ask for my.domain -> cache miss
>- time 0+2 -> client2 ask for my.domain -> cache miss
>- time 0+3 -> client1 ask for my.domain -> cache hit
>- time 0+4 -> client2 ask for my.domain -> cache hit
>If it's true, is it possible to configure recursor cache by record and not
>by hash?
>My ultimate goal is to take advantage from cached entries regardless client
>query hash, in this way:
>- time 0+1 -> client1 ask for my.domain -> cache miss
>- time 0+2 -> client2 ask for my.domain -> cache hit
>- time 0+3 -> client1 ask for my.domain -> cache hit
>- time 0+4 -> client2 ask for my.domain -> cache hit
>
>Thanks
>
>
>
>-- 
>
>Giovanni Vecchi
>Infrastructure Lead Engineer, Certego
>+39-059-735


Re: [Pdns-users] Warning in syslog after upgrade to PowerDNS Authoritative Server 4.7

2023-01-06 Thread abang--- via Pdns-users
Possibly related:

https://github.com/PowerDNS/pdns/issues/9112

Winfried


Re: [Pdns-users] Blocklist file format

2023-03-07 Thread abang--- via Pdns-users


On 7 March 2023 18:17:32 CET, Adrian Minta via Pdns-users wrote:
>Thank you Otto !
>
>RPZ seems to be a very nice feature for malware domains blocking and other 
>legal blocking requirements.
>
>Do you have a link with some examples on how it should be used ?

https://raw.githubusercontent.com/PowerDNS/pdns/master/pdns/basic.rpz

Winfried 