-
Notifications
You must be signed in to change notification settings - Fork 904
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dnsdist: Allow randomly selecting a backend UDP socket and query ID #11163
Conversation
@check-spelling-bot ReportUnrecognized words, please review:
Previously acknowledged words that are now absentdnsheaderTo accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands... in a clone of the git@github.com:rgacogne/pdns.git repository
If the flagged items do not appear to be textIf items relate to a ...
|
I'm now thinking it would make to use a unbounded map instead of a pre-allocated vector when that option is in use. The map needs to be locked, of course, and will thus be less efficient than the current vector, but it's likely a better trade-off when memory availability is tight and the number of QPS is low, which is often the case in these setups. |
17485de
to
7686bce
Compare
Done! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some general comments/questions. I also tested the code to see if there was any obvious bias in chosen sockets or random IDs and found none.
/* if the state is already in use we will retry, | ||
up to 5 five times. The last selected one is used | ||
even if it was already in use */ | ||
size_t remainingAttempts = 5; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the state table is quite full and/or if you have bad luck this will start reusing IDs. What are the consequences of that? Should that be documented?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That already happens in master since we have a fixed number of possible states for in-flight queries, and is tracked in our stats as reused
. Basically it means that your query will appear to have had a time out much faster than expected. I do not think it is a real issue for the use case this feature tries to address.
…d setRandomizedOutgoingSockets
@rgacogne I am curious what value of |
You are right, I would not advise creating 2^16 sockets (although in theory it should work pretty well) :) I think the exact number depends on the environment you are running in: on a regular server I would advise at least 1000 sockets, which should already make any spoofing attempt significantly harder, and probably 10k if you are really worried about that threat. Although if the network is really hostile I would personally turn to outgoing DoT or DoH, but of course that might not be always possible. On a low-end device 100 sockets should be fine, depending on the memory constraints. |
@rgacogne Maybe a dumb observation, but this seems like a partial implementation of Recommendations for Transport-Protocol Port Randomization RFC 6056? Was there any particular objection to having implemented the RFC for UDP? I noticed in this PRs docs the stance seems to be dnsdist doesn't care and operators should just switch to TCP backend only instead. |
The long story is that dnsdist has been designed as a reverse-proxy, so the path between dnsdist and the backend was supposed to be trusted. We are seeing more and more people using it as a regular proxy these days, and this PR was a step in making that safer, even though we clearly would advise using outgoing DoT or DoH is the network is really an untrusted one. |
[Removed to reclarify as I had a misunderstanding that the PR took an actual port range] |
Short description
This PRs add two options that can be used to reduce the risk of UDP exchanges when the path between dnsdist and its backend is not trusted:
setRandomizedIdsOverUDP()
allows picking up a random IDsetRandomizedOutgoingSockets()
allows selecting a random outgoing socket if several are available, effectively improving the entropy of the source port.Checklist
I have: