document pdns.DROP for recursor, add policy-drops metric for it

1 parent b6c4a26 commit e9c2ad3a4a0c864d35a5f593800dfc04046075c0 @ahupowerdns ahupowerdns committed May 30, 2014
Showing with 16 additions and 9 deletions.
  1. +9 −4 pdns/docs/pdns.xml
  2. +2 −2 pdns/pdns_recursor.cc
  3. +1 −0 pdns/rec_channel_rec.cc
  4. +4 −3 pdns/syncres.hh
@@ -15344,6 +15344,7 @@ packetcache-bytes Size of the packet cache in bytes (since 3.3.1)
packetcache-entries Size of packet cache (since 3.2)
packetcache-hits Packet cache hits (since 3.2)
packetcache-misses Packet cache misses (since 3.2)
+policy-drops Packets dropped because of (Lua) policy decision
qa-latency shows the current latency average, in microseconds
questions counts all End-user initiated queries with the RD bit set
ipv6-questions counts all End-user initiated queries with the RD bit set, received over IPv6 UDP
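Review bot: the new `policy-drops` entry is the only one in this block without a version marker, while the surrounding entries carry "(since 3.2)" and the Lua section later in this same commit says pdns.DROP exists "since 3.6"; suggest `policy-drops Packets dropped because of (Lua) policy decision (since 3.6)` so readers know which recursor version first exposes the counter.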
@@ -15358,7 +15359,7 @@ tcp-questions counts all incoming TCP queries (since starting)
throttled-out counts the number of throttled outgoing UDP queries since starting
throttle-entries shows the number of entries in the throttle map
unauthorized-tcp number of TCP questions denied because of allow-from restrictions
-unauthorized-udp number of UDP questions denied because of allow-from restrictions
+unauthorized-udp number of UDP questions denied because of allow-from restrictions
unexpected-packets number of answers from remote servers that were unexpected (might point to spoofing)
uptime number of seconds process has been running (since 3.1.5)
user-msec number of CPU milliseconds spent in 'user' mode
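Review bot: the `unauthorized-udp` line is removed and re-added with no visible text difference, so this hunk appears to be a trailing-whitespace edit only; it adds noise to a documentation change and would be better dropped or moved to a separate whitespace cleanup commit.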
@@ -15367,7 +15368,10 @@ user-msec number of CPU milliseconds spent in 'user' mode
graphs of all these numbers. Use <command>rec_control get-all</command> to get all statistics in one go.
</para>
<para>
- It should be noted that answers0-1 + answers1-10 + answers10-100 + answers100-1000 + packetcache-hits + over-capacity-drops = questions.
+ It should be noted that answers0-1 + answers1-10 + answers10-100 + answers100-1000 + packetcache-hits + over-capacity-drops + policy-drops = questions.
+ </para>
+ <para>
+ Also note that unauthorized-tcp and unauthorized-udp packets do not end up in the 'questions' count.
</para>
<para>
Every half our or so, the recursor outputs a line with statistics. More infrastructure is planned so as to allow
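Review bot: the identity now includes policy-drops in `questions` while the next paragraph says unauthorized-tcp and unauthorized-udp are not, which is the right information but reads as two disconnected notes; suggest one statement of what is and is not counted, e.g. "... + over-capacity-drops + policy-drops = questions. Queries refused by allow-from (unauthorized-tcp, unauthorized-udp) are not included in questions." The unchanged context line "Every half our or so" should read "Every half hour or so" and is worth fixing while this paragraph is being touched.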
@@ -15493,7 +15497,8 @@ end
'25 smtp.example.net.'.
</para>
<para>
- Useful return 'rcodes' include 0 for "no error" and <function>pdns.NXDOMAIN</function> for "NXDOMAIN".
+ Useful return 'rcodes' include 0 for "no error", <function>pdns.NXDOMAIN</function> for "NXDOMAIN", <function>pdns.DROP</function> to drop the question
+ from further processing (since 3.6, and such a drop is accounted in the 'policy-drops' metric).
</para>
<para>
Fields that can be set in the return table include:
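Review bot: `pdns.DROP` is listed as a return 'rcode' next to 0 and pdns.NXDOMAIN, but it is a behaviour (the query is discarded and no answer is sent, as the later paragraph in this file states) rather than a response code, and the parenthetical "(since 3.6, and such a drop is accounted in the 'policy-drops' metric)" reads awkwardly. Suggest a separate sentence: "Returning pdns.DROP causes the query to be dropped without any response; such drops are counted in the policy-drops metric (since 3.6)."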
@@ -16050,7 +16055,7 @@ To enable a Lua script for a particular slave zone, determine the domain_id for
containing one or more replacement records to be stored in the back-end database. If, on the other hand, your
function decides not to modify a record, it must return pdns.PASS and an empty table indicating that PowerDNS should
handle the incoming record as normal. If your function decides to drop a query and not respond whatsoever, it must return
- pdns.DROP and an empty table indicating that the recursor does not want to process the packet in Lua nor in the core recursor logic.
+ pdns.DROP and an empty table indicating that the recursor does not want to process the packet in Lua nor in the core recursor logic.
</para>
<para>
Consider the following simple example:
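Review bot: the `pdns.DROP and an empty table ...` line is removed and re-added with no visible change, which is another whitespace-only edit in a hunk that otherwise touches nothing; same suggestion as above, keep formatting cleanups out of the functional commit so the real documentation change is easy to spot.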
@@ -548,10 +548,9 @@ void startDoResolve(void *p)
if(!dc->d_mdp.d_header.rd)
sr.setCacheOnly();
-
// if there is a RecursorLua active, and it 'took' the query in preResolve, we don't launch beginResolve
if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) {
- res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+ res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
if(t_pdl->get()) {
if(res == RCode::NoError) {
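Review bot: apart from deleting one blank line, this hunk removes and re-adds the `res = sr.beginResolve(...)` line with no visible difference, so it is a whitespace change; the actual behavioural change of this commit is the single `g_stats.policyDrops++` in the next hunk, and mixing it with formatting edits makes that harder to review.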
@@ -570,6 +569,7 @@ void startDoResolve(void *p)
}
if(res == RecursorBehaviour::DROP) {
+ g_stats.policyDrops++;
delete dc;
dc=0;
return;
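Review bot: `g_stats.policyDrops++` is correctly placed before `delete dc`, but this is the only site in the diff where `RecursorBehaviour::DROP` is counted; if DROP can be produced on another path (another Lua hook or transport) those sites need the same increment, otherwise the identity `... + policy-drops = questions` that pdns.xml now documents will not hold. Worth a grep for `RecursorBehaviour::DROP` before merging.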
@@ -502,6 +502,7 @@ RecursorControlParser::RecursorControlParser()
addGetStat("resource-limits", &g_stats.resourceLimits);
addGetStat("over-capacity-drops", &g_stats.overCapacityDrops);
+ addGetStat("policy-drops", &g_stats.policyDrops);
addGetStat("no-packet-error", &g_stats.noPacketError);
addGetStat("dlg-only-drops", &SyncRes::s_nodelegated);
addGetStat("max-mthread-stack", &g_stats.maxMThreadStackUsage);
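Review bot: the stat name `policy-drops` here matches the string documented in pdns.xml and the `policyDrops` field added to RecursorStats, so `rec_control get policy-drops` and `get-all` will expose it under the documented name; placing it next to `over-capacity-drops` also keeps the two drop counters adjacent in `get-all` output, which is helpful.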
@@ -547,11 +547,12 @@ struct RecursorStats
uint64_t noErrors;
uint64_t answers0_1, answers1_10, answers10_100, answers100_1000, answersSlow;
double avgLatencyUsec;
- uint64_t qcounter;
+ uint64_t qcounter; // not increased for unauth packets
uint64_t ipv6qcounter;
uint64_t tcpqcounter;
- uint64_t unauthorizedUDP;
- uint64_t unauthorizedTCP;
+ uint64_t unauthorizedUDP; // when this is increased, qcounter isn't
+ uint64_t unauthorizedTCP; // when this is increased, qcounter isn't
+ uint64_t policyDrops;
uint64_t tcpClientOverflow;
uint64_t clientParseError;
uint64_t serverParseError;
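Review bot: `policyDrops` has no initializer, like its neighbours, which is only safe if every RecursorStats instance is zero-initialized (a namespace-scope `g_stats` is; a `new RecursorStats` without `()` or a per-thread copy would not be), so worth confirming how `g_stats` is defined. The new comments on `qcounter`, `unauthorizedUDP` and `unauthorizedTCP` are useful; a matching comment on `policyDrops` (e.g. `// queries dropped on Lua policy decision; counted in qcounter`) would record that, unlike the unauthorized counters, these drops are included in qcounter, as the pdns.xml change states.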