Discussion:
[Unbound-users] Modifying answer with the Python API
Christophe Labonne
2014-10-24 03:46:36 UTC
Hello,

I work for a Japanese internet provider and I would like to get some help
with the Python module I am currently working on.

Because of the way internet works in Japan, I need to filter the DNS
requests so that it doesn't show AAAA except for a few websites (as such, I
can't just use the parameter in the config file).

So I decided to build a Python module that would make it possible. Problem
is, it seems like I can modify the return_msg only when in event ==
MODULE_EVENT_NEW.

I do not wish to create data from the ground up, I would just like to
modify the existing answer.
The only way to do that would be to create a DNSMessage during event ==
MODULE_EVENT_MODDONE.

But if I do that, set_return_msg fails and returns 0.

Is there a way to create a DNSMessage during MODULE_EVENT_MODDONE?
Or is there a way to get original data during MODULE_EVENT_NEW so that I
can parse it?

I've been working on it for a day now and I just don't seem to find a good
way to do this.
(And yes, I know it's a weird thing to do but can't argue with the national
way of doing things)

I hope you guys can give me an answer and I wish you a good day.

Christophe
A. Schulze
2014-10-24 07:49:10 UTC
Christophe Labonne:

no answer to your real question, sorry.
Post by Christophe Labonne
Because of the way internet works in Japan, I need to filter the DNS
requests so that it doesn't show AAAA except for a few websites
To me it reads as "we in Japan have a broken internet, we cannot handle IPv6".
Could you explain more about the /problem/ rather than describing your idea
of a solution?

Thanks
Christophe Labonne
2014-10-24 08:20:14 UTC
I was able to find an answer to my problem, so I guess my new question
would be: "Do you have any helpers in the Python API to decode Wireformat?"
Currently doing them and I'm nowhere near finished if I have to do them all
by hand.

Now, to answer your other question about the internet being broken in Japan.
Short answer: Yes.

Long answer: NTT has implemented a country-wide broken service that relies
on a completely "in-house rule" use of IPv6.
They give default IPv6 routes to subscribers of specific on-demand video
services, that only work in IPv6 and within their closed network.

When a user is subscribed to such a service, the end result is that upon
resolving a website, like, say, google.com,
their OS first tries accessing the v6 version (as it should), but since
this is not an actual internet service (even though they use public v6
addresses ...),
the connection attempt ends up timing out.

When the user is lucky, the program will then fall back to IPv4... only
after the IPv6 attempt has timed out.
Every ISP and admin in Japan is angry at NTT for deciding this one-sidedly,
but this has been shoved down their throats and it's impossible to go
against the flow.

This has forced everyone to use extremely bad practices for DNS management
until this service gets phased out:
- If a user makes an explicit AAAA record query:
-> Does the target domain have both A and AAAA?
-> If they do, return an empty answer (drop the AAAA record)
-> If they only have AAAA, then return AAAA
- If a user makes any other query (including ANY query):
-> Drop the AAAA record

This is what is commonly called a Quad-A filter (AAAA filter), and there
exist patches for BIND.
However, in our work scenario, we cannot afford to use BIND as we are
exposed to reflection attacks (customers having poorly configured routers
that act as open DNS resolvers) and it performs too poorly under stress
scenarios.
Unbound happens to be able to handle the traffic in a smart way and
provide adequate performance, but we would need to implement an
AAAA filter to even use it without breaking NTT services...

I am alas perfectly aware that this goes against the goals of IPv6
implementation, that it breaks DNSSEC and does a lot of Bad Things(tm)... :(
However, we have to make do while they prepare the new services that will
allow easier and cleaner native IPv6 connections...

Again, thanks for your time.
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
--
LABONNE Christophe
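The filter policy laid out in the post above, and the wire-format decoding the thread keeps running into, as an added example that is not code from this thread or from Unbound. It parses a DNS response itself (compression pointers included) so it runs offline, then strips AAAA records according to the policy: for an AAAA query, drop the AAAA set when the name also has an A record and keep it for AAAA-only names; for any other query type (A, ANY, ...), drop AAAA unconditionally. The has_a() callback, the constructed sample response, and the names www.example.com / v6only.example.com are assumptions made for the example; a resolver module would answer has_a() from its cache or a second lookup, and would normally hand the parsing to a library (python-ldns, dnspython) rather than this hand-rolled parser. The caveat the post itself notes still applies: the rewritten answer no longer matches its RRSIGs, so DNSSEC-validating clients will reject it.

```python
# AAAA filter over a DNS response in wire format (added example; not code from the thread
# or from Unbound). Policy from the thread: AAAA query -> drop AAAA when the name also has
# an A, keep it for AAAA-only names; any other query type (A, ANY, ...) -> drop AAAA.
import struct

TYPE_A, TYPE_AAAA = 1, 28
# rdata layouts that embed names (n = name, H = 16-bit field), hence possible compression
# pointers: NS, CNAME, PTR, MX, SOA (SOA's 20-byte numeric tail is copied after its names).
NAME_RDATA = {2: "n", 5: "n", 12: "n", 15: "Hn", 6: "nn"}

def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:                                # must point backwards: no loops
                raise ValueError("bad compression pointer")
            end = off + 2 if end is None else end         # resume after the first pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", off if end is None else end

def encode_name(name):
    """Uncompressed wire form of a dotted name; the root is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decompress_rdata(msg, rtype, off, rdlen):
    """Copy rdata, expanding embedded names: pointers would dangle once the message is rewritten."""
    out, pos = b"", off
    for item in NAME_RDATA.get(rtype, ""):
        if item == "H":
            out, pos = out + msg[pos:pos + 2], pos + 2
        else:
            name, pos = read_name(msg, pos)
            out += encode_name(name)
    return out + msg[pos:off + rdlen]

def parse_message(msg):
    """Return (header, [(qname, qtype, qclass)], [answer, authority, additional])."""
    hdr = struct.unpack_from("!6H", msg, 0)               # id, flags, qd, an, ns, ar
    off, questions, sections = 12, [], []
    for _ in range(hdr[2]):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack_from("!HH", msg, off))
        off += 4
    for count in hdr[3:6]:
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rrs.append((name, rtype, rclass, ttl, decompress_rdata(msg, rtype, off, rdlen)))
            off += rdlen
        sections.append(rrs)
    return hdr, questions, sections

def build_message(hdr, questions, sections):
    """Re-serialise without compression; section counts are taken from the lists."""
    out = struct.pack("!6H", hdr[0], hdr[1], len(questions), *(len(s) for s in sections))
    for name, qtype, qclass in questions:
        out += encode_name(name) + struct.pack("!HH", qtype, qclass)
    for name, rtype, rclass, ttl, rdata in (rr for s in sections for rr in s):
        out += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return out

def filter_aaaa(msg, has_a):
    """Apply the policy. has_a(name) -> bool is an assumed callback; in a resolver
    module it would be a cache check or a second lookup for the name's A record."""
    hdr, questions, sections = parse_message(msg)
    qtype = questions[0][1] if questions else None
    def keep(rr):  # non-AAAA RRs pass; AAAA passes only for an AAAA query on an AAAA-only name
        return rr[1] != TYPE_AAAA or (qtype == TYPE_AAAA and not has_a(rr[0]))
    return build_message(hdr, questions, [[rr for rr in s if keep(rr)] for s in sections])

A_RDATA = bytes([192, 0, 2, 1])                                  # constructed sample: 192.0.2.1
AAAA_RDATA = bytes.fromhex("20010db8000000000000000000000001")   # constructed sample: 2001:db8::1
HAS_A = {"www.example.com.": True, "v6only.example.com.": False}  # assumed "has an A record" table

def build_response(qname, qtype, answers):
    """Constructed NOERROR response; every RR owner is a pointer (0xC00C) to the qname."""
    out = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    out += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        out += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return out

def demo():
    """(owner, type) pairs left in the answer section after filtering three sample responses."""
    look = lambda n: HAS_A.get(n, False)
    cases = [("dual_stack_aaaa", "www.example.com.", TYPE_AAAA, [(TYPE_AAAA, AAAA_RDATA)]),
             ("v6only_aaaa", "v6only.example.com.", TYPE_AAAA, [(TYPE_AAAA, AAAA_RDATA)]),
             ("any_query", "www.example.com.", 255, [(TYPE_A, A_RDATA), (TYPE_AAAA, AAAA_RDATA)])]
    return {tag: [rr[:2] for rr in parse_message(filter_aaaa(build_response(q, t, a), look))[2][0]]
            for tag, q, t, a in cases}
```

demo() returns an empty answer section for the dual-stack AAAA query (a NODATA-style reply), the untouched AAAA for the AAAA-only name, and only the A record for the ANY query. Because removing records shifts every later offset, the rebuilt message is written without compression; that is also why names inside NS/CNAME/PTR/MX/SOA rdata are expanded before the copy. In an Unbound Python module, the thread's own finding is that the upstream answer is only available once the iterator has finished (MODULE_EVENT_MODDONE), which is the point where a function like filter_aaaa would run.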
bill manning
2014-10-24 15:00:06 UTC
Post by Christophe Labonne
Long answer: NTT has implemented a country-wide broken service that relies on a completely "in-house rule" use of IPv6.
They give default IPv6 routes to subscribers of specific on-demand video services, that only work in IPv6 and within their closed network.
When a user subscribed to such a service, the end result is that upon resolving a website, like, say google.com,
their OS first tries accessing the v6 version (as it should), but since this is not an actual internet service (even though they use public v6 addresses ...),
the connection attempt ends up timeouting.
There is nothing wrong with NTT's model. The "Internet" is a group of several networks that interconnect AND apply policy on their borders. NTT has applied a policy which prevents you from reaching your desired goal. It's not that the "Internet" is broken, it's that your provider has chosen to restrict access. Either take the problem up with
your provider or change providers.

/bill
Daisuke HIGASHI
2014-10-24 19:11:46 UTC
Hi, Christophe -

In unbound.conf:

private-address: ::/0
private-domain: iptvf.jp
private-domain: flets-east.jp

returns no AAAA unless query name is iptvf.jp or flets-east.jp.

Note that it also removes AAAA from IPv6(AAAA)-only domain names.
This differs slightly from BIND9's AAAA-filter behavior.

Regards,
--
Daisuke HIGASHI
Christophe Labonne
2014-10-27 01:00:22 UTC
Bill Manning << You don't understand. It's not a problem for me as a
client, it's a problem for me as a worker at an internet provider. I have
to implement something totally broken because of what NTT did.

Daisuke Higashi << There is one little problem though: We would have to
write all IPv6 domains by hand in the configuration file.

In the end, I found that the only way to do this is to use the Python API.
But because Unbound doesn't offer any method to actually get the result of
the original query, I have to wait for the MODULE_EVENT_MODDONE to get the
result of the query and to be able to modify it. But then, because RRData
is all in wireformat, I have to convert all of them by hand which will take
a lot of effort to implement...
--
LABONNE Christophe
Ondřej Surý
2014-11-02 16:52:10 UTC
Christophe,

perhaps you can use python-ldns bindings to manipulate wireformat?

Cheers, Ondrej
--
Ondřej Surý <***@sury.org> Knot DNS (https://www.knot-dns.cz/) – a
high-performance DNS server
