DelphinusDNS Blog

(the latest about delphinusdnsd)


Delphinusdnsd 1.5.1 released

February 25th, 2021

I have tagged the STABLE_1_5 branch for the 1.5.1 release. It is a bug-fix-only release. Some memory leaks were removed. Development continues on -current.


Stats collection with delphinusdnsd

February 20th, 2021

I have over the last few months created a stats collection script (utilizing AWK and shell scripting). I want to share it.


# collect some statistics from a /var/log/delphinusdnsd logfile

echo "DNS stats so far collected `date`"
echo -------------------------------------------------------

# count of queries per record type (first type= field on each line)
awk ' \
{ for (i = 1; i <= NF; i++) if ($i ~ /type=/) { print $i; next; } } \
' /var/log/delphinusdnsd | sort | uniq -c | sort -rn

# per-month totals by reply code; $1 is the syslog month
awk '\
 /VERSION/ { version[$1] += 1; } \
 /NXDOMAIN/ { nxdomain[$1] += 1; } \
 /NOERROR/ { noerror[$1] += 1; } \
 /NODATA/ { nodata[$1] += 1; } \
 /REFUSED/ { refused[$1] += 1; } \
 END { \
  printf("\n\nMonth,\tVERSION,\tNXDOMAIN,\tNOERROR,\tNODATA,\tREFUSED\n"); \
  printf("-------------------------------------------------------\n"); \
  for (i in version) { total[i] = i "\t" version[i] "\t\t" nxdomain[i] \
                        "\t\t" noerror[i] "\t\t" nodata[i] "\t" refused[i]; \
                        printf("%s\n", total[i]); \
  } \
  printf("-------------------------------------------------------\n"); } \
' /var/log/delphinusdnsd

# the ten most frequent reply codes (the field after "answering")
echo TOP TEN
echo -------
awk '\
{ if ($0 ~ /answering/)  print $(NF - 1); } \
' /var/log/delphinusdnsd | sort | uniq -c | sort -rn | head

echo -------------------------------------------------------
exit 0


1.5.1 delayed

February 20th, 2021

I was going to release 1.5.1 this week but it will be delayed a week. The reason is that my development workstation (a Raspberry Pi) was offline due to a hardware failure. Now everything is fixed and I'm hoping to release 1.5.1 by next Friday. 1.5.1 is just a bit of bugfixes on the -stable branch. It also addresses some leakage in memory, though not fixing all leakage it seems. I'm calling the leak pluggage good enough for now.


Countering reflection attacks (maybe)

February 7th, 2021

I got a lot of packets in the past that I suspected of being abused for a reflection attack. The attack would use me to send REFUSED answers to an unknown source. I am testing a patch currently that will mitigate this:

Feb  7 12:16:04 spectral delphinusdnsd[54227]: request on descriptor 12 interface "" from (ttl=238, region=1, tta=0.438ms) for "." type=ANY(255) class=1, edns0, answering "REFUSED" (33/28)
Feb  7 12:16:04 spectral delphinusdnsd[54227]: short circuiting multiple refused from, drop
Feb  7 12:16:04 spectral last message repeated 8 times

It basically detects that there are multiple queries that would let one through and drops the other 9 packets. I don't know why it was always in bursts of 10 packets but only 1 is getting through now. I may commit this patch next week.
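
An added example, not part of the original post or of delphinusdnsd: a per-source tally of REFUSED answers against short-circuit drops, in the same AWK-and-shell style as the stats script, which also expands syslog's "last message repeated N times" lines. The sample log is constructed, and it assumes the source address is the field after "from" (the excerpt above has the address removed); the function names are hypothetical.

```sh
#!/bin/sh
# Added example: per-source REFUSED answers vs. short-circuit drops.
# Constructed sample log; 192.0.2.53, 203.0.113.9 and 198.51.100.7 are
# documentation addresses standing in for the elided source address.
sample_log() {
cat <<'EOF'
Feb  7 12:16:04 spectral delphinusdnsd[54227]: request on descriptor 12 interface "" from 192.0.2.53 (ttl=238, region=1, tta=0.438ms) for "." type=ANY(255) class=1, edns0, answering "REFUSED" (33/28)
Feb  7 12:16:04 spectral delphinusdnsd[54227]: short circuiting multiple refused from 192.0.2.53, drop
Feb  7 12:16:04 spectral last message repeated 8 times
Feb  7 12:16:09 spectral delphinusdnsd[54227]: request on descriptor 12 interface "" from 198.51.100.7 (ttl=57, region=1, tta=0.201ms) for "example.org." type=A(1) class=1, edns0, answering "NOERROR" (40/56)
Feb  7 12:16:40 spectral delphinusdnsd[54227]: request on descriptor 12 interface "" from 203.0.113.9 (ttl=49, region=1, tta=0.377ms) for "." type=ANY(255) class=1, edns0, answering "REFUSED" (33/28)
Feb  7 12:17:30 spectral delphinusdnsd[54227]: request on descriptor 12 interface "" from 192.0.2.53 (ttl=238, region=1, tta=0.412ms) for "." type=ANY(255) class=1, edns0, answering "REFUSED" (33/28)
Feb  7 12:17:30 spectral delphinusdnsd[54227]: short circuiting multiple refused from 192.0.2.53, drop
Feb  7 12:17:30 spectral last message repeated 3 times
EOF
}

# Reads a log on stdin; prints "source answered dropped", most drops first.
refused_summary() {
    awk '
    # Address is assumed to be the field after "from" (trailing comma cut).
    function src(   i, a) {
        for (i = 1; i < NF; i++)
            if ($i == "from") { a = $(i + 1); sub(/,$/, "", a); return a }
        return ""
    }
    /answering "REFUSED"/               { kind = "a"; last = src(); if (last != "") answered[last]++; next }
    /short circuiting multiple refused/ { kind = "d"; last = src(); if (last != "") dropped[last]++;  next }
    # syslog folds identical consecutive lines into one "repeated N times"
    # line, so credit N to whatever the previous counted line was.
    /last message repeated [0-9]+ times/ {
        if (last != "" && kind == "a") answered[last] += $(NF - 1)
        if (last != "" && kind == "d") dropped[last]  += $(NF - 1)
        next
    }
    { last = "" }
    END {
        for (s in answered) seen[s] = 1
        for (s in dropped)  seen[s] = 1
        for (s in seen) printf "%s %d %d\n", s, answered[s], dropped[s]
    }
    ' | sort -k3,3nr -k1,1
}

sample_log | refused_summary
```

Against a real log, feed /var/log/delphinusdnsd to refused_summary on stdin; a source with many drops per answered REFUSED is the burst pattern described above.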


Delphinusdnsd 1.5.1 is about 2-3 weeks away

February 4th, 2021

I have just put the final version on my test servers. I suspect there is still a tiny memory leak but it's reasonable (i.e. minimal). I ran this server for two weeks or so and didn't have a problem, that was with a -current server. Now I'll try to do the same with a -stable server and watch the memory signature intently. After that I want to make a tarball for 1.5.1 and release it. Thanks for your patience in this.


I say NO to annex 5 of the EU NIS Directive (NIS2)

January 30th, 2021

The European Commission is hard at work trying to stifle freedom on the Internet. I'd like to point you to annex 5 of the NIS2 directive found here. The annex states:

Electronic communications networks or services are subject to security and incident notification obligations laid down in Article 40 of the European Electronic Communication Code. At the same time, these providers are subject to almost identical type of obligations under the NIS Directive as far as they also provide services included in the NIS scope such as Internet Exchange Points, Domain Name Servers or cloud computing services. The repeal of these obligations from the European Electronic Communication Code and their inclusion under the revised NIS Directive would streamline the legal obligations for those entities.

This basically says that you have to follow obligations such as registering your domain name server (authoritative and recursive) with the EU's security body, and reporting abuse. You may even be denied usage of your own DNS servers, and may be forced to relinquish control of your servers. As someone who loves freedom and programs an authoritative nameserver, I am dead set against this. This can't be happening!

For record keeping here is the original NIS directive from 2016 which it has been said in the so-called NIS2 directive to be embodied into the laws of each Union member country.

I am against the EU commission of "tightening the chokehold" on netizens' freedom, in fact I'm pro-exit of this European Union and its Security (read Soviet) Union Strategy.


1.5.0 turned out to be a bad release

January 25th, 2021

I strongly urge people to upgrade to tomorrow's snapshot if they use the forwarding in 1.5.0. The followup 1.5.1 release is still a month away or so and I need to give it testing. I finally found the reason for the spurious TSIG failures in the forwarding code. While there I found a pretty bad security hole. Basically a packet could be queried and a non-authenticated packet could be sneaked into the cache before it was checked against TSIG. I'm somewhat disappointed I released so early, but it was because I tried to get funding. It was a stressful time for me in November and since then I pretty well calmed myself down. So that's an update on things. DNS is hard to get right, as we've seen with the DNSpooq exploit on dnsmasq. It's complex code. Let's look forward.


Tomorrow's snapshot will fix filters

January 18th, 2021

I noticed filters crashed the delphinusdnsd server. I thought a little about whether these are still needed, but remained with them. This commit fixes it.


A long standing bug may have been fixed last night

January 5th, 2021

With this commit a long standing bug may have been fixed. In 1.5.0 I made it mandatory to give each zone "zonename.tld" {} a name (such as zonename.tld). I took this further and gave these zonenames a unique number which gets compared when it gives answers. With this it is able to differentiate between glue data and normal data at the detriment of a few CPU cycles. Right now a test zone of mine with 1.2 million AAAA records and many many zones (1440) took 3 minutes to process on one core (it's single threaded) before the daemon started up answering queries. An individual zone took about 5 seconds to answer. This is acceptable to me. If you run delphinusdnsd in an operation/production then you may want to use several servers in a sort of highly available setup. There aren't too many zones out there for 1.2 million AAAA records so this is somewhat out of the ordinary.


There will be a 1.5.1 followup release

January 4th, 2021

Possibly in a month or two. I have identified the memory leak last year. This year I found a pretty big chunk that wasn't released. I need to test that over time and hope that that was it. It will cause a bit of inconvenience but let me assure you, it's only in expiring records thus in the forwarding cache.

