Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dnsdist: Use 65535 instead of 255 to block all types via eBPF #15199

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

dnsdist: Use 65535 instead of 255 to block all types via eBPF #15199

wants to merge 1 commit into from

Conversation

rgacogne
Copy link
Member

Short description

Our eBPF filtering code used to treat the 255 (ANY) qtype as a special value meaning to block queries for all types. Unfortunately it prevented blocking queries for the ANY type only, which is a legitimate use-case.
After this commit 255 is no longer a special value, and 65535 (a reserved value) is used instead to represent all types.

This is a breaking change that should NOT be backported.

Fixes #13172

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@rgacogne
dnsdist: Use 65535 instead of 255 to block all types via eBPF
33e1cc6 
Our eBPF filtering code used to treat the `255` (`ANY`) qtype as a
special value meaning to block queries for all types. Unfortunately
it prevented blocking queries for the `ANY` type only, which is a
legitimate use-case.
After this commit `255` is no longer a special value, and `65535`
(a reserved value) is used instead to represent all types.

This is a breaking change that should NOT be backported.
@rgacogne rgacogne added this to the dnsdist-2.0.0 milestone Feb 21, 2025
miodvallat
miodvallat approved these changes Feb 21, 2025
View reviewed changes
Copy link
Contributor

@miodvallat miodvallat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see no downside in this.

I wonder how easy it would be to accept -1 as a value - this way existing configurations could switch from 255 to -1 rather than 65535 and that will be future-proof...

@coveralls
Copy link

Pull Request Test Coverage Report for Build 13458110412

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 4 of 4 (100.0%) changed or added relevant lines in 3 files are covered.
  • 43 unchanged lines in 12 files lost coverage.
  • Overall coverage decreased (-0.001%) to 64.509%
Files with Coverage Reduction New Missed Lines %
modules/gpgsqlbackend/gpgsqlbackend.cc 1 88.62%
pdns/recursordist/recursor_cache.cc 1 84.29%
pdns/recursordist/syncres.cc 1 80.13%
pdns/opensslsigners.cc 2 61.07%
pdns/tcpiohandler.cc 2 68.18%
pdns/misc.hh 3 83.81%
pdns/recursordist/recpacketcache.hh 3 89.55%
pdns/shuffle.cc 4 53.93%
ext/json11/json11.cpp 5 62.72%
pdns/signingpipe.cc 5 84.99%
Totals Coverage Status
Change from base Build 13457319872: -0.001%
Covered Lines: 127645
Relevant Lines: 166895
💛 - Coveralls

@rgacogne
Copy link
Member Author

I wonder how easy it would be to accept -1 as a value - this way existing configurations could switch from 255 to -1 rather than 65535 and that will be future-proof...

I see the appeal in this but right now the type is carried around as a QType in several places, so an unsigned 16-bit, and I quite like it from a consistency point of view. I'm also not worried about 65535 being used for a different purpose one day (famous last words).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@miodvallat miodvallat miodvallat approved these changes

Assignees
No one assigned
Labels
dnsdist enhancement
Projects
None yet
Milestone
dnsdist-2.0.0
Development

Successfully merging this pull request may close these issues.

dnsdist: eBPF Change Qtype ANY in BPFFilter:blockQName to not be ALL requests just Qtype ANY
3 participants
@rgacogne @coveralls @miodvallat