ratelimit-below-domain logs the wrong FROM address #1106

Closed
anxstj opened this issue Jul 16, 2024 · 1 comment

anxstj commented Jul 16, 2024

Describe the bug

If ratelimit-below-domain: in-addr.arpa 2 is configured then unbound will log the following:

notice: ratelimit exceeded 8.in-addr.arpa. 2 query 4.4.8.8.in-addr.arpa. IN PTR from 192.82.134.30

It seems that the from address is referring to the server that sent the last reply and not to the client that was doing the request.

To reproduce
Steps to reproduce the behavior:

  1. Set the ratelimit
     server:
       ratelimit-below-domain: in-addr.arpa 2
  2. systemctl restart unbound
  3. Query unbound:
     for x in 8.8.8.8 8.8.4.4 1.1.1.1; do dig @127.0.0.1 -x $x; done
  4. Read the unbound log
     info: 127.0.0.1 8.8.8.8.in-addr.arpa. PTR IN
     info: generate keytag query _ta-4f66. NULL IN
     info: 127.0.0.1 4.4.8.8.in-addr.arpa. PTR IN
     notice: ratelimit exceeded 8.in-addr.arpa. 2 query 4.4.8.8.in-addr.arpa. IN PTR from 192.82.134.30
     info: 127.0.0.1 1.1.1.1.in-addr.arpa. PTR IN

Expected behavior
I would expect that the IP address of the client that is doing the request is logged. In this case:

notice: ratelimit exceeded 8.in-addr.arpa. 2 query 4.4.8.8.in-addr.arpa. IN PTR from 127.0.0.1

System:

  • Unbound version: unbound 1.20.0
  • OS: Debian sid
  • unbound -V output:
Version 1.20.0

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --enable-cachedb --with-libhiredis --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.2.2 4 Jun 2024
Linked modules: dns64 python cachedb subnetcache respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
gthess closed this as completed in 3512eae Jul 23, 2024
gthess self-assigned this Jul 23, 2024

gthess (Member) commented Jul 23, 2024

Thanks!
It seems the wrong value was printed indeed. Now it will print the first client's address if any.
I say first because maybe more than one are waiting for an answer.
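
For logs written by a build without the fix in 3512eae, the requesting client can be recovered from the query log lines rather than from the `from` field of the notice. The following is an added example, not part of the issue or of Unbound's code; it assumes query logging is enabled so the `info: <client> <qname> <type> <class>` lines shown in the report are present, and `correlate` is a hypothetical helper name.

```python
import re

# Constructed sample: the log excerpt quoted in the report above.
SAMPLE_LOG = """\
info: 127.0.0.1 8.8.8.8.in-addr.arpa. PTR IN
info: generate keytag query _ta-4f66. NULL IN
info: 127.0.0.1 4.4.8.8.in-addr.arpa. PTR IN
notice: ratelimit exceeded 8.in-addr.arpa. 2 query 4.4.8.8.in-addr.arpa. IN PTR from 192.82.134.30
info: 127.0.0.1 1.1.1.1.in-addr.arpa. PTR IN
"""

# Client query line: "info: <client-ip> <qname> <type> <class>"
QUERY_RE = re.compile(
    r"info: (?P<client>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$")
# Notice: "ratelimit exceeded <zone> <limit> query <qname> <class> <type> from <addr>"
LIMIT_RE = re.compile(
    r"notice: ratelimit exceeded (?P<zone>\S+) (?P<limit>\d+) "
    r"query (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) from (?P<logged>\S+)$")

def correlate(lines):
    """Pair each ratelimit notice with the clients that asked for that name."""
    askers = {}    # (qname, qtype, qclass) -> client IPs, in order first seen
    findings = []
    for line in lines:
        line = line.strip()
        m = QUERY_RE.search(line)
        if m:
            key = (m["qname"].lower(), m["qtype"], m["qclass"])
            clients = askers.setdefault(key, [])
            if m["client"] not in clients:
                clients.append(m["client"])
            continue
        m = LIMIT_RE.search(line)
        if m:
            key = (m["qname"].lower(), m["qtype"], m["qclass"])
            clients = list(askers.get(key, []))
            findings.append({
                "zone": m["zone"], "qname": m["qname"],
                "logged_from": m["logged"], "clients": clients,
                # True when the logged address never asked for this name
                "mismatch": bool(clients) and m["logged"] not in clients,
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG.splitlines()):
        print(finding)
```

A `mismatch` of `True` means the address in the notice is not one of the clients that queried the name, so attribution for that rate-limit event should come from `clients` instead.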
