Modifying answer with the Python API

Hello,

I work for a Japanese internet provider and I would like to get some help with the Python module I am currently working on.

Because of the way internet works in Japan, I need to filter the DNS requests so that it doesn’t show AAAA except for a few websites (as such, I can’t just use the parameter in the config file).

So I decided to build a Python module that would make it possible. Problem is, it seems like I can modify the return_msg only when in event == MODULE_EVENT_NEW.

I do not wish to create data from the ground up, I would just like to modify the existing answer.
The only way to do that would be to create a DNSMessage during event == MODULE_EVENT_MODDONE.

But if I do that, set_return_msg fails and returns 0.

Is there a way to create a DNSMessage during MODULE_EVENT_MODDONE?
Or is there a way to get original data during MODULE_EVENT_NEW so that I can parse it?

I’ve been working on it for a day now and I just don’t seem to find a good way to do this.
(And yes, I know it’s a weird thing to do but can’t argue with the national way of doing things)

I hope you guys can give me an answer and I wish you a good day.

Christophe

Christophe Labonne:

no answer to your real question, sorry.

but:

Because of the way internet works in Japan, I need to filter the DNS
requests so that it doesn't show AAAA except for a few websites

To me it reads as "we in Japan have a broken internet, we cannot handle IPv6".
Could you explain more about the /problem/ rather than describing your idea of a solution?

Thanks

I was able to find an answer to my problem, so I guess my new question would be: “Do you have any helpers in the Python API to decode Wireformat?”
Currently doing them and I’m nowhere near finished if I have to do them all by hand.

Now, to answer your other question about the internet being broken in Japan.
Short answer: Yes.

Long answer: NTT has implemented a country-wide broken service that relies on a completely “in-house rule” use of IPv6.
They give default IPv6 routes to subscribers of specific on-demand video services, that only work in IPv6 and within their closed network.

When a user is subscribed to such a service, the end result is that upon resolving a website, like, say, google.com,
their OS first tries accessing the v6 version (as it should), but since this is not an actual internet service (even though they use public v6 addresses …),
the connection attempt ends up timing out.

When the user is lucky, the program will then fall back to IPv4… only after the IPv6 attempt has timed out.
Every ISP and admin in Japan is angry at NTT for deciding this one-sidedly, but this has been shoved down their throats and it’s impossible to go against the flow.

This has forced everyone to use extremely bad practices for DNS management until this service gets phased out:

  • If a user makes an explicit AAAA record query:
    → Does the target domain have both A and AAAA?
    → If they do, return an empty answer (drop the AAAA record)
    → If they only have AAAA, then return AAAA
  • If a user makes any other query (including ANY query):
    → Drop the AAAA record

This is what is commonly called a Quad-A filter (AAAA filter), and there exist patches for BIND.
However, in our work scenario, we cannot afford to use BIND as we are exposed to reflection attacks (customers having poorly configured routers that act as DNS open resolvers) and it performs too poorly under stress scenarios.
Unbound happens to be able to handle the traffic in a smart way and provide adequate performance, but we would need to implement an AAAA filter to even use it without breaking NTT services…

I am alas perfectly aware that this goes against the goals of IPv6 implementation, that it breaks DNSSEC and does a lot of Bad Things™… :frowning:
However, we have to make do while they prepare the new services that will allow easier and cleaner native IPv6 connections…

Again, thanks for your time.

There is nothing wrong with NTT's model. The “Internet” is a group of several networks that interconnect AND apply policy on their borders. NTT has applied a policy which prevents you from your desired goal. It's not that the “Internet” is broken, it's that your provider has chosen to restrict access. Either take the problem up with
your provider or change providers.

/bill

Hi, Christophe -

In unbound.conf:

  private-address: ::/0
  private-domain: iptvf.jp
  private-domain: flets-east.jp

returns no AAAA unless query name is iptvf.jp or flets-east.jp.

Note that it also removes AAAA from IPv6(AAAA)-only domain names.
This is slightly different from BIND9's AAAA-filter's behavior.

Regards,

Bill Manning << You don’t understand. It’s not a problem for me as a client, it’s a problem for me as a worker at an internet provider. I have to implement something totally broken because of what NTT did.

Daisuke Higashi << There is one little problem though: We would have to write all IPv6 domains by hand in the configuration file.

In the end, I found that the only way to do this is to use the Python API. But because Unbound doesn’t offer any method to actually get the result of the original query, I have to wait for the MODULE_EVENT_MODDONE to get the result of the query and to be able to modify it. But then, because RRData is all in wireformat, I have to convert all of them by hand which will take a lot of effort to implement…
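As an added example (not code from this thread or from Unbound), this is the Quad-A filter described earlier in the thread applied directly to a wire-format DNS response in plain Python, i.e. the by-hand decoding this post complains about. It assumes the caller answers the "does the name also have an A record?" question with a separate A lookup and passes it in as `has_a`; `quad_a_filter`, `_skip_name` and the `SAMPLE` message are constructed here.

```python
import struct

TYPE_AAAA = 28  # RR type code for AAAA (RFC 3596)

def _skip_name(msg, off, max_ptr):
    """Return the offset just past the name at `off`; reject compression
    pointers at/after `max_ptr`, since deleting an RR shifts later bytes."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte pointer, always the last label
            if struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF >= max_ptr:
                raise ValueError("compression pointer into a region that moves")
            return off + 2
        off += 1 + ln

def quad_a_filter(msg, has_a=None):
    """Non-AAAA queries (ANY included): every AAAA RR is removed. AAAA
    queries: removed only when `has_a` is True (found by a separate A lookup;
    the AAAA response alone cannot tell). Only owner-name pointers are checked."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):  # question: name, qtype, qclass
        off = _skip_name(msg, off, 12) + 4
    qtype = struct.unpack("!H", msg[off - 4:off - 2])[0]
    if qtype == TYPE_AAAA and not has_a:
        return msg  # AAAA-only name: hand the answer back untouched
    fixed = off  # header + question are copied verbatim and never move
    out, counts = bytearray(msg[:fixed]), []
    for count in (ancount, nscount, arcount):  # answer, authority, additional
        kept = 0
        for _ in range(count):
            start = _skip_name(msg, off, fixed)  # offset of the TYPE field
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[start:start + 10])
            end = start + 10 + rdlen
            if rtype != TYPE_AAAA:
                out += msg[off:end]
                kept += 1
            off = end
        counts.append(kept)
    struct.pack_into("!3H", out, 6, *counts)  # fix ANCOUNT/NSCOUNT/ARCOUNT
    return bytes(out)

def _encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"

# Constructed sample (not captured traffic): ANY response for example.com with
# one A and one AAAA RR; both owner names are pointers to the question name.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
          + _encode_name("example.com") + struct.pack("!HH", 255, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
          + b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 300, 16) + bytes(16))
```

Names inside rdata (CNAME, NS, MX targets) are not parsed, so a kept RR whose rdata points into a dropped AAAA RR would not be caught; in practice AAAA rdata carries no names and resolvers point at the first occurrence of a name, usually the question, but a production filter should parse rdata too or re-encode the message without compression.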

Christophe,

perhaps you can use python-ldns bindings to manipulate wireformat?

Cheers,

Ondrej