DelphinusDNS Blog
(the latest about delphinusdnsd)||
|
Previous Page
February 25th, 2021
I have tagged the STABLE_1_5 branch for the 1.5.1 release. It is a bug fixes
only release. Some memory leaks were removed. Development continues on
-current.
0 comments
February 20th, 2021
I have over the last few months created a stats collection script (utilizing
AWK and shell scripting). I want to share it.
#!/bin/sh
#
# dnsstats.sh collect some statistics from a /var/log/delphinusdnsd logfile
#
echo DNS stats so far collected `date`
echo -------------------------------------------------------
echo
awk ' \
{ for (i = 1; i <= NF; i++) if ($i ~ /type=/) { print $i; next; } } \
' /var/log/delphinusdnsd | sort | uniq -c | sort -rn
awk '\
/VERSION/ { version[$1] += 1; } \
/NXDOMAIN/ { nxdomain[$1] += 1; } \
/NOERROR/ { noerror[$1] += 1; } \
/NODATA/ { nodata[$1] += 1; } \
/REFUSED/ { refused[$1] += 1; } \
END { \
printf("\n\nMonth,\tVERSION,\tNXDOMAIN,\tNOERROR,\tNODATA,\tREFUSED\n"); \
printf("----------------------------------------------------------------------
--\n"); \
for (i in version) { total[i] = i "\t" version[i] "\t\t" nxdomain[i] \
"\t\t" noerror[i] "\t\t" nodata[i] "\t" refused[i]; \
printf("%s\n", total[i]); \
} \
printf("----------------------------------------------------------------------
--\n"); } \
' /var/log/delphinusdnsd
echo
echo
echo TOP TEN
echo -------
awk '\
{ if ($0 ~ /answering/) print $(NF - 1); } \
' /var/log/delphinusdnsd | sort | uniq -c | sort -rn | head
echo -------------------------------------------------------
exit 0
Enjoy.
0 comments
February 20th, 2021
I was going to release 1.5.1 this week but it will be delayed a week. The
reason is that my developing workstation (a raspberry pi) was offline due to
a hardware failure. Now everything is fixed and I'm hoping to release 1.5.1
by next friday. 1.5.1 is just a bit of bugfixes on the -stable branch. It
also addresses some leakage in memory, though not fixing all leakage it seems.
I'm calling the leak pluggage good enough for now.
0 comments
February 7th, 2021
I got a lot of packets in the past that I suspected of being abused for a
reflection attack. The attack would use me to send REFUSED answers to a
unknown source. I am testing a patch currently that will mitigate this:
Feb 7 12:16:04 spectral delphinusdnsd[54227]: request on descriptor 12 interfac
e "49.12.10.87" from 98.219.134.50 (ttl=238, region=1, tta=0.438ms) for "." type
=ANY(255) class=1, edns0, answering "REFUSED" (33/28)
Feb 7 12:16:04 spectral delphinusdnsd[54227]: short circuiting multiple refused
from 98.219.134.50, drop
Feb 7 12:16:04 spectral last message repeated 8 times
It basically detects that there is multiple queries that would let one through
and drops the other 9 packets. I don't know why it was always in bursts of
10 packets but only 1 is getting through now. I may commit this patch next
week.
0 comments
February 4th, 2021
I have just put the final version on my test servers. I suspect there is still
a tiny memory leak but it's reasonable (ie. minimal). I ran this server for
two weeks or so and didn't have a problem, that was with a -current server.
Now I'll try to do the same with a -stable server and watch the memory
signature intently. After that I want to make a tarball for 1.5.1 and release
it. Thanks for your patience in this.
0 comments
January 30th, 2021
The european commission is hard at work trying to stifle freedom on the
Internet. I'd like to point you to annex 5 of the NIS2 directive
found here. The annex states:
Electronic communications networks or services are subject to security and incident notification obligations laid down in Article 40 of the European Electronic Communication Code. At the same time, these providers are subject to almost identical type of obligations under the NIS Directive as far as they also provide services included in the NIS scope such as Internet Exchange Points, Domain Name Servers or cloud computing services.
The repeal of these obligations from the European Electronic Communication Code and their inclusion under the revised NIS Directive would streamline the legal obligations for those entities.
This basically says that you have follow obligations such as registering your
domain name server (authoritative and recursive) with the EU's security body,
and reporting abuse.
You may even be denied usage of your own DNS servers, and may be forced to
relinquish control of your servers. As someone who loves freedom, programs
an authoritative nameserver I am dead set against this. This can't be happening!
For record keeping here is the original NIS directive from 2016 which it has been said in the so-called NIS2
directive to be embodied into the laws of each Union member country.
I am against the EU commission of "tightening the chokehold" on netizens
freedom, in fact I'm pro-exit of this European Union and it's Security (read
Soviet) Union Strategy.
1 comment
January 25th, 2021
I strongly urge people to upgrade to tomorrows snapshot if they use the
forwarding in 1.5.0. The followup 1.5.1 release is still a month away
or so and I need to give it testing. I finally found the reason for the
spurious TSIG failures in the forwarding code. While there I found a
pretty bad security hole. Basically a packet could be queried and a
non-authenticated packet could be sneaked into the cache before it was
checked against TSIG. I'm somewhat disappointed I released so early, but
it was because I tried to get funding. It was a stressful time for me in
november and since then I pretty well calmed myself down. So that's
an update on things. DNS is hard to get right, as we've seen with the
dnspooq exploit on dnsmasq. It's complex code. Let's look forward.
0 comments
January 18th, 2021
I noticed filters crashed the delphinudsnsd server. I thought a little about
whether these are still needed, but remained with them. This
commit fixes it.
0 comments
January 5th, 2021
With this
commit
a long standing bug may have been fixed. In 1.5.0 I made it mandatory to give
each zone "zonename.tld" {} a name (such as zonename.tld). I took this further
and gave these zonenames a unique number which gets compared when it gives
answers. With this it is able to differentiate between glue data and normal
data at detriment of a few cpu cycles. Right now a test zone of mine with
1.2 million AAAA records and many many zones (1440) took 3 minutes to process
on one core (it's single threaded) before the daemon started up answering
queries. An individual zone took about 5 seconds to answer. This is
acceptable to me. If you run delphinusdnsd in an operation/production then
you may want to use several servers in a sort of high available setup. There
isn't too many zones out there for 1.2 million AAAA records so this is somewhat
out of the ordinary.
0 comments
January 4th, 2021
Possibly in a month or two. I have identified the memory leak last year. This
year I found a pretty big chunk that wasn't released. I need to test that over
time and hope that that was it. It will cause a bit of inconvenience but let
me assure you, it's only in expiring records thus in the forwarding cache.
0 comments
Next Page
|
Search
RSS Feed
 Click here for RSS
On this day in
Other links
Have feedback?
By clicking on the header of an article you will be
served a cookie. If you do not agree to this do not
click on the header. Thanks!
Using a text-based webbrowser?
... such as lynx? Welcome back it's working again for the time being.
Older Blog Entries
May, 2023
April, 2023
March, 2023
January, 2023
December, 2022
November, 2022
October, 2022
September, 2022
August, 2022
July, 2022
June, 2022
May, 2022
April, 2022
March, 2022
February, 2022
January, 2022
December, 2021
November, 2021
March, 2021
February, 2021
January, 2021
December, 2020
November, 2020
October, 2020
September, 2020
August, 2020
July, 2020
June, 2020
May, 2020
April, 2020
March, 2020
February, 2020
January, 2020
December, 2019
November, 2019
October, 2019
September, 2019
Powered by BCHS
|