
[FR] Ability to use Redis unix sockets #835

Closed
alpominth opened this issue Jan 23, 2023 · 4 comments

Comments

@alpominth

Redis has two options for setting communication over unix sockets:

unixsocket /var/lib/redis/redis-server.sock
unixsocketperm 700

Such a feature would be useful as unix sockets have a better throughput than AF_INET/AF_INET6 sockets.

@wcawijngaards
Member

The commits add the option redis-server-path: "/var/lib/redis/redis-server.sock" and if you set this it should work. Could you test this? It calls the unix socket redis context setup routine when the option is set, with the timeout taken from the redis-timeout option.
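As an added illustration of what the option does (example code, not Unbound's or Redis's own): a client connects to the path given by redis-server-path over AF_UNIX with redis-timeout as the socket timeout and issues a RESP PING, and a small check confirms the socket file carries no more than the unixsocketperm 700 bits from the opening comment. The Redis server here is a constructed one-shot stand-in so the example runs offline.

```python
import os
import socket
import stat
import tempfile
import threading

# Option values from this thread; the Redis server below is a constructed stand-in.
REDIS_TIMEOUT_MS = 5000   # redis-timeout: 5000
UNIXSOCKETPERM = 0o700    # unixsocketperm 700

def socket_perm_ok(path, want=UNIXSOCKETPERM):
    """True if `path` is a unix socket whose mode grants nothing beyond `want`."""
    st = os.stat(path)
    return stat.S_ISSOCK(st.st_mode) and stat.S_IMODE(st.st_mode) & ~want == 0

def redis_ping(path, timeout_ms=REDIS_TIMEOUT_MS):
    """Connect over AF_UNIX with the configured timeout and issue a RESP PING."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout_ms / 1000.0)       # covers connect, send and recv
    try:
        s.connect(path)
        s.sendall(b"*1\r\n$4\r\nPING\r\n")  # RESP: array of one bulk string
        return s.recv(64) == b"+PONG\r\n"
    finally:
        s.close()

def fake_redis(path, mode=UNIXSOCKETPERM):
    """Constructed one-shot stand-in for redis-server: binds `path`, answers one PING."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)                    # what unixsocketperm does on the real server
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64) == b"*1\r\n$4\r\nPING\r\n":
                conn.sendall(b"+PONG\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()

def demo(mode=UNIXSOCKETPERM):
    """Stand up the stand-in on a throwaway path; return (permissions_ok, ping_ok)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "redis-server.sock")
    fake_redis(path, mode)
    try:
        return socket_perm_ok(path), redis_ping(path)
    finally:
        os.unlink(path)
        os.rmdir(d)
```

demo() returns (True, True) for a 700 socket; demo(0o777) returns (False, True), i.e. the server is reachable but the socket is world-accessible, which is the condition the permission check is there to flag.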

@alpominth
Author

Configuration:

server:
  interface: 127.0.0.1
  interface: ::1
  port: 1053
  cache-max-ttl: 5184000
  cache-min-ttl: 5184000
  cache-max-negative-ttl: 604800
  val-bogus-ttl: 0
  delay-close: 10000
  chroot: ""
  username: permcache
  directory: ""
  pidfile: ""
  do-not-query-localhost: no
  module-config: "validator cachedb iterator"

cachedb:
  backend: redis
  redis-server-path: "/dev/shm/sock1"
  redis-timeout: 5000

forward-zone:
  name: "."
  forward-addr: ::1@10053

/\ [::1]:10053 is the port of my local DNSCrypt.

# time dig @127.0.0.1 -p 1053 startpage.com
; <<>> DiG 9.18.10-2-Debian <<>> @127.0.0.1 -p 1053 startpage.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62091
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;startpage.com.			IN	A
;; ANSWER SECTION:
startpage.com.		5184000	IN	A	37.0.87.15
;; Query time: 307 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Mon Jan 23 05:00:01 EST 2023
;; MSG SIZE  rcvd: 58
real	0m0.328s
user	0m0.004s
sys	0m0.007s

# /dev/shm/unbound-master/unbound -dd -c /dev/shm/u1.conf 
[1674468066] unbound[1502628:0] notice: init module 0: validator
[1674468066] unbound[1502628:0] notice: init module 1: cachedb
[1674468066] unbound[1502628:0] warning: cachedb: serve-expired-reply-ttl is set but not working for data originating from the external cache; 0 TLL is used for those.
[1674468066] unbound[1502628:0] notice: init module 2: iterator
[1674468066] unbound[1502628:0] info: start of service (unbound 1.17.2).
^C[1674468075] unbound[1502628:0] info: service stopped (unbound 1.17.2).
[1674468075] unbound[1502628:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1674468075] unbound[1502628:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0

# /dev/shm/unbound-master/unbound -dd -c /dev/shm/u1.conf 
[1674468095] unbound[1504185:0] notice: init module 0: validator
[1674468095] unbound[1504185:0] notice: init module 1: cachedb
[1674468095] unbound[1504185:0] warning: cachedb: serve-expired-reply-ttl is set but not working for data originating from the external cache; 0 TLL is used for those.
[1674468095] unbound[1504185:0] notice: init module 2: iterator
[1674468095] unbound[1504185:0] info: start of service (unbound 1.17.2).

# time dig @127.0.0.1 -p 1053 startpage.com
; <<>> DiG 9.18.10-2-Debian <<>> @127.0.0.1 -p 1053 startpage.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15159
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;startpage.com.			IN	A
;; ANSWER SECTION:
startpage.com.		5183862	IN	A	37.0.87.15
;; Query time: 2 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Mon Jan 23 05:02:19 EST 2023
;; MSG SIZE  rcvd: 58
real	0m0.021s
user	0m0.008s
sys	0m0.003s

===========================================

It's fully working; as you can see, the cache persists across invocations of Unbound.

@alpominth
Author

If it isn't asking too much, could you implement the ability to specify the Redis password? ===> #833

@gthess
Member

gthess commented Jan 23, 2023

Hi @alpominth, #833 is now addressed on the master branch. Could you try and report if it works for you on the issue?

jedisct1 added a commit to jedisct1/unbound that referenced this issue Feb 15, 2023
* nlnet/master:
  Regenerate configure for the fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
  - Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
  Fix NLnetLabs#833: [FR] Ability to set the Redis password.
  - Fix NLnetLabs#835: [FR] Ability to use Redis unix sockets.
  - Add NLnetLabs#835: [FR] Ability to use Redis unix sockets.
  Changelog note for NLnetLabs#819, generate configparser.c and comment syntax change.
  - Merge NLnetLabs#819: Added new static zone type block_a to suppress all A queries for specific zones.
  - Fix test for new default.
  - Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments.
  - Add harden-unknown-additional option. Default on and it removes unknown records from the authority section and additional section. Thanks to Xiang Li, from NISL Lab, Tsinghua University.
  - Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. The new choice, down from 4096 means it is harder to get large responses from Unbound. Thanks to Xiang Li, from NISL Lab, Tsinghua University.
  - Fix not following cleared RD flags potentially enables amplification DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab, Tsinghua University. The fix stops query loops, by refusing to send RD=0 queries to a forwarder, they still get answered from cache.
  Added new static zone type block_a to suppress all A queries for specific zones