Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow checkFunction perform the entire check #15062

Open
Gunni opened this issue Jan 20, 2025 · 2 comments
Open

Allow checkFunction perform the entire check #15062

Gunni opened this issue Jan 20, 2025 · 2 comments
Labels
dnsdist feature request
Milestone
dnsdist-2.1.0

Comments

@Gunni
Copy link

Gunni commented Jan 20, 2025
edited
Loading

  • Program: dnsdist
  • Issue type: Feature request

Short description

I want to override how checkFunction works, for example, i want to fail a healthcheck if a specific domain does not return a REFUSED response.

Usecase

I have an adblocking backend, but if I exceed a quota, it starts working transparently, without blocking ads, i then want to mark that pool as "offline" and move on to the next pool.

function checkAdblocking(qname, qtype, qclass, dh)
        -- magic?
        return true
end

newServer({
        name="adblocker1",
        address="2001:db8::1",
        tls="openssl",
        subjectName="a.example.com",
        validateCertificates=true,
        pool="adblocker1",
        checkFunction=checkAdblocking
})

newServer({
        name="adblocker2",
        address="2001:db8::2",
        tls="openssl",
        subjectName="b.example.com",
        validateCertificates=true,
        pool="adblocker2",
        checkFunction=checkAdblocking
})

newServer({
        name="generic1",
        address="2001:db8::3",
        tls="openssl",
        subjectName="c.example.com",
        validateCertificates=true,
        pool="generic1"
})

-- I want these pools to be marked "down" if the query for
-- bad_domain.example.com starts responding anything other than REFUSED.
addAction(PoolAvailableRule("adblocker1"), PoolAction("adblocker1"))
addAction(PoolAvailableRule("adblocker2"), PoolAction("adblocker2"))

-- Fallback pool if all of the above are "down"
addAction(PoolAvailableRule("generic1"), PoolAction("generic1"))

-- All pools down?
addAction(AllRule(), RCodeAction(DNSRCode.REFUSED))

Description

Related discussion: #15055

Seems fairly straightforwards?

Modify checkFunction to allow boolean responses, and if boolean then use that as a result instead of a qname?
@rgacogne
Copy link
Member

Hi! Thank you for filing this feature request!
We cannot modify the semantics of checkFunction without breaking existing configurations, which I would like to avoid, but we can take a new, optional function that takes information about the response and returns a boolean to indicate whether the response should be considered valid or not.

@rgacogne rgacogne added this to the dnsdist-2.1.0 milestone Jan 20, 2025
@rgacogne
Copy link
Member

Setting the milestone to 2.1 since 2.0 is already well on its way and I don't think we will have the time to tackle this, but if someone is willing to contribute the code 2.0 might be doable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dnsdist feature request
Projects
None yet
Milestone
dnsdist-2.1.0
Development

No branches or pull requests
2 participants
@Gunni @rgacogne