These are chat archives for CZ-NIC/knot-resolver

3rd Dec 2018
Elctro
@Elctro
Dec 03 2018 20:32
Hello, how can I instruct a resolver to switch communication with a client to TCP within module? Is there an explicit call or is there a way using query plan?
Question #2 - is there a way to instruct a resolver to stop processing the current request in the begin callback (e.g. KR_STATE_DROP or KR_STATE_GIVEUP) and not respond to the client at all?
Vladimír Čunát
@vcunat
Dec 03 2018 22:02
  1. policy.FLAGS({'TCP'}) action should do that. For policy docs see https://knot-resolver.readthedocs.io/en/stable/modules.html#query-policies
  2. Probably not ATM. I'd suggest some minimal answer, e.g. policy.REFUSE or policy.DROP (which surprisingly does SERVFAIL). It's quite against standards not to respond at all, though I guess there might be some specific cases where it's suitable (like for traffic that's certainly some kind of intentional attack).
@Elctro ^^
Elctro
@Elctro
Dec 03 2018 22:15
  1. My apologies, I was not specific enough. I want to achieve that using a custom knot module written in C.
  2. The goal is to mitigate the attack when an attacker ignores a previously requested switch to TCP. Can I raise a feature request?
Vladimír Čunát
@vcunat
Dec 03 2018 22:55
  1. knot-resolver, right? :-) Well it's basically the same as in lua, as they're thin wrappers - in begin phase you check whether it's the request you want, and you set request->current_query->qflags.TCP = true;.
  2. What we did discuss recently: to always empty all sections when setting the TC flag, because we've seen no resolver utilizing this data from truncated packets. ATM I don't think I can make promises about implementing either of these. (What you propose also needs an additional "cache" to estimate which requests should be dropped.)
Elctro
@Elctro
Dec 03 2018 23:38
  1. It was request->current_query->flags.TCP = true;, thanks. Shall I remove all packet sections when setting this, or is just setting the flag sufficient (for the next request)?
  2. The idea is that the module contains the cache which decides what shall be dropped. I only need the resolver to abruptly terminate the response to the request on a particular state from a module.