eBPF Dynblocks based on Qname

[joelasagne]

Hey, I'm using dnsdist 2.0.1, and I've been trying to enable some dynblocks based on Qnames thanks to setSuffixMatchRule, for the blocks to then be performed using BPFFilters I defined.

Here are my configs :

local function suffixVisitor(parent, current, currentPlusChildren)

    if current.queries > 100 then
      return true
    end

    return false
  end


local dbr = dynBlockRulesGroup()

dbr:setSuffixMatchRule(2, "Domain exceeds 200 QP", 30, DNSAction.Drop,suffixVisitor)

function maintenance()
    dbr:apply()
end


bpf = newBPFFilter({
    ipv4MaxItems=1024,
    ipv4PinnedPath="/var/run/dnsdist/v4filter",
    ipv6MaxItems=1024,
    ipv6PinnedPath="/var/run/dnsdist/v6filter",
    qnamesMaxItems=1024,
    qnamesPinnedPath="/var/run/dnsdist/qnamefilter",
    external=true
})
setDefaultBPFFilter(bpf)

Now the issue I get is that the dynblocks are added in userspace, and not by eBPF.

> showDynBlocks()
What                      Seconds   Blocks Warning    Action               eBPF       Reason
test.com.                24     4080 false      Drop                            Domain exceeds 100QPS

> bpf:getStats()

> 

&

# bpftool map dump pinned /var/run/dnsdist/qnamefilter
Found 0 elements

I'm not so sure on what the setFilterMatchRule is supposed to do, is it normal that the Qname is blocked using userspace and not the qnamefilter eBPF map ?

Some info : when I use a setQueryRate, I get no issue and the client is blocked using eBPF ; I also get the same issue even if I use the default eBPF settings of dnsdist.

Is there another way to achieve some eBPF dynamic blocks based on the requested Qnames ?

Thanks !

[rgacogne]

This is intended: we unfortunately have not been able to do suffix-based blocking on names via eBPF, because of limitations imposed by the eBPF verifier (number of instructions, complexity of the program). We can block an exact name, but not a name and everything under it, which is what we would need to keep feature parity with the non-eBPF blocks.

[joelasagne]

Allright thank you for your answer ! I'll stay with userspace filtering then :)