<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>What I do not understand is, why is not matching always port 53
either on source ports or destination ports as enough to set dscp
marks. Unless you need to differentiate dscp based on domain
names, used views or something similar, iptables rules should be
able to set dscp very similar way. Without special code needed
inside named. Source or destination port 853 would be very
similar.<br>
</p>
<p>For example dnsmasq can set fwmark based on used domain names. It
can set different marks to different domain name tree parts, which
cannot be replaced by simple rules in firewall. I am not aware of
similar functionality in named, related to dscp.<br>
</p>
<p>Perhaps the only thing, where addresses are not explicitly known,
is setting catalog zones dscp numbers. There you do not have in
advance addresses used.</p>
<p>When reading bind 9.11 ARM [1], I haven't found much, which
should not be trivial to replace in firewall outside of named. I
understand that is extra work for any users of DSCP. But I fail to
see serious reason, why bind9 should implement it internally.
Other resolvers lack it as well.</p>
<p>It seems just simple source or destination address paired with
source or destination ports would be enough to set correct dscp
values for leaving packets.</p>
<p>Is that correct observation?<br>
</p>
<p>1.
<a class="moz-txt-link-freetext" href="https://downloads.isc.org/isc/bind9/9.11.37/doc/arm/Bv9ARM.ch06.html">https://downloads.isc.org/isc/bind9/9.11.37/doc/arm/Bv9ARM.ch06.html</a><br>
</p>
<div class="moz-cite-prefix">On 2/29/24 09:59, Wolfgang Riedel
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:E0F82D6B-5FFA-4A23-AA8B-570D4318E90B@f1-consult.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
Hi Folks,
<div><br>
</div>
<div>OK let me help you a bit as it’s really essential for DNS
traffic which need to be go through in all situations!!!</div>
<div><br>
</div>
<div>Within the OS networking stack as also within the network
there is always a prioritisation of packets within the queues to
serialise the packets of an application to go on the wire. This
prioritisation is being done based on DSCP within a L3 domain
and on COS when in a L2 domain.</div>
<div><br>
</div>
<div>It’s not easy for the network to guess the requirements of an
application, therefore best case the application is setting the
DSCP itself and the network is just trusting the DSCP or if
smart enough the checking and in case of violation doing
reclassification.</div>
<div><br>
</div>
<div>In my case it’s<span
style="color: rgb(64, 64, 64); white-space: pre; background-color: rgb(255, 255, 255);"> dscp </span><span
style="white-space: pre; background-color: rgb(255, 255, 255); color: rgb(63, 151, 223);">24</span> in
named.conf options but the value may be different based on
deployment scenarios and therefore needs to be a configureable
option.</div>
<div><br>
</div>
<div>If you don't set it, it will default to 0 and all other
traffic will get higher priority. Saying if you do an ftp
download with large frames, your DNS request which will be
running in parallel will not be making it through and either get
delayed or typically drooped.</div>
<div><br>
</div>
<div>Maybe have a look at the following classification scheme:</div>
<div><br>
</div>
<div>
<div style="display: block;">
<div
style="-webkit-user-select: all; -webkit-user-drag: element; display: inline-block;"
class="apple-rich-link" draggable="true" role="link"
data-url="https://www.f1-consult.com/qos/rfc4594/"><a
style="border-radius:10px;font-family:-apple-system, Helvetica, Arial, sans-serif;display:block;-webkit-user-select:none;width:300px;user-select:none;-webkit-user-modify:read-only;user-modify:read-only;overflow:hidden;text-decoration:none;"
class="lp-rich-link" rel="nofollow"
href="https://www.f1-consult.com/qos/rfc4594/" dir="ltr"
role="button" draggable="false" width="300"
moz-do-not-send="true">
<table
style="table-layout:fixed;border-collapse:collapse;width:300px;background-color:#E5E6E9;font-family:-apple-system, Helvetica, Arial, sans-serif;"
class="lp-rich-link-emailBaseTable" width="300"
cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td vertical-align="center" align="center"><img
style="width:300px;filter:brightness(0.97);height:159px;"
draggable="false"
class="lp-rich-link-mediaImage"
alt="640px-IETF_Logo.svg.png"
src="cid:part1.qhzKhIRa.AkNGsaSD@redhat.com"
width="300" height="159"></td>
</tr>
<tr>
<td vertical-align="center">
<table
style="font-family:-apple-system, Helvetica, Arial, sans-serif;table-layout:fixed;background-color:rgba(229, 230, 233, 1);"
class="lp-rich-link-captionBar" width="300"
cellspacing="0" cellpadding="0"
bgcolor="#E5E6E9">
<tbody>
<tr>
<td style="padding:8px 0px 8px 0px;"
class="lp-rich-link-captionBar-textStackItem">
<div
style="max-width:100%;margin:0px 16px 0px 16px;overflow:hidden;"
class="lp-rich-link-captionBar-textStack">
<div
style="word-wrap:break-word;font-weight:500;font-size:12px;overflow:hidden;text-overflow:ellipsis;text-align:left;"
class="lp-rich-link-captionBar-textStack-topCaption-leading"><a
rel="nofollow"
href="https://www.f1-consult.com/qos/rfc4594/"
style="text-decoration: none"
draggable="false"
moz-do-not-send="true"><font
style="color: rgba(0, 0, 0, 0.847059);" color="#272727">RFC 4594-Based
12-Class QoS Model</font></a></div>
<div
style="word-wrap:break-word;font-weight:400;font-size:11px;overflow:hidden;text-overflow:ellipsis;text-align:left;"
class="lp-rich-link-captionBar-textStack-bottomCaption-leading"><a
rel="nofollow"
href="https://www.f1-consult.com/qos/rfc4594/"
style="text-decoration: none"
draggable="false"
moz-do-not-send="true"><font
style="color: rgba(0, 0, 0, 0.498039);" color="#808080">f1-consult.com</font></a></div>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</a></div>
</div>
</div>
<div><br id="lineBreakAtBeginningOfMessage">
<div>
<meta charset="UTF-8">
<span
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); float: none; display: inline !important;">—</span><br
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
<span
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); float: none; display: inline !important;">Hope
that helps,</span><br
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
<span
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); float: none; display: inline !important;">Wolfgang</span><br
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
<span
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); float: none; display: inline !important;">_____________________________________</span><span
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); float: none; display: inline !important;">_____________________________________</span><span
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); float: none; display: inline !important;">____________________</span><br
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
<span
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); float: none; display: inline !important;">Wolfgang
Riedel | Distinguished</span><span
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); float: none; display: inline !important;"> </span><span
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); float: none; display: inline !important;">Engineer
| CCIE #13804 | VCP #42559</span><br
style="font-family: Consolas; font-size: 11px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
<br>
</div>
<div><br>
<blockquote type="cite">
<div>On 28. Feb 2024, at 22:01, Petr Menšík
<a class="moz-txt-link-rfc2396E" href="mailto:pemensik@redhat.com"><pemensik@redhat.com></a> wrote:</div>
<br class="Apple-interchange-newline">
<div>
<div>We may want to help fixing DSCP features, but I
personally do not know any usage, where this feature
would be used and what for exactly. Recent bind9 uses
libuv to back its network core, instead of custom
networking core maintained by ISC. But I haven't found
any trace of DSCP support at libuv docs [1]. I haven't
found a way to set at least type of service on UDP [2].<br>
<br>
I think that would be the first place to support DSCP
values for connections or sockets. Then, once libuv can
use it, its support could be added back into named.<br>
<br>
It would help though if you were more verbose about why
iptables cannot replace it and what is use-case, when it
is useful. Without simple alternatives present. If you
would describe it, it might motivate more people to work
on DSCP support. I haven't seen important reason, why it
needs to be done by the daemon itself. Perhaps we can
find alternative way to set DSCP tags for you, if you
are more verbose about how you use it?<br>
<br>
Regards,<br>
Petr<br>
<br>
1.
<a class="moz-txt-link-freetext" href="https://docs.libuv.org/en/v1.x/search.html?q=dscp&check_keywords=yes&area=default">https://docs.libuv.org/en/v1.x/search.html?q=dscp&check_keywords=yes&area=default</a><br>
2. <a class="moz-txt-link-freetext" href="https://docs.libuv.org/en/v1.x/udp.html">https://docs.libuv.org/en/v1.x/udp.html</a><br>
<br>
On 28. 02. 24 13:50, Balazs Hinel (Nokia) via bind-users
wrote:<br>
<blockquote type="cite">Hi,<br>
I am working on a product in Nokia, and we currently
use BIND provided by Rocky Linux 8 with security
patches. Recently the requirement came that we should
upgrade to at least 9.16. During the testing of this
version we realized that a feature we used, DSCP, has
stopped working. Reading about the topic, we found the
article about it non-operational in 9.16, and removal
in 9.18.<br>
We also saw the email on this mailing list, stating
that "so far, nobody has noticed" it is missing. Well,
we noticed it just now, and I would like to state that
our product and most probably other telecom equipments
using BIND would miss it greatly. As I read in that
mail, there was an alternative plan which would
re-implement this functionality. If it is feasible,
please consider doing it. The alternative options,
e.g. setting it via iptables cannot work in our
use-case.<br>
Best regards,<br>
Balazs Hinel<br>
</blockquote>
<br>
-- <br>
Petr Menšík<br>
Software Engineer, RHEL<br>
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a><br>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB<br>
<br>
-- <br>
Visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid
support subscriptions. Contact us at
<a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer, RHEL
Red Hat, <a class="moz-txt-link-freetext" href="https://www.redhat.com/">https://www.redhat.com/</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
</body>
</html>