Monday Dec 16, 2013

DSCP QoS tagging of DNS traffic in Solaris

A huge telco customer recently shared their desire to support DSCP marking of their core network infrastructure, specifically they asked if there's a way to do this in Solaris? Sure there is! Since DSCP marking is enforced by the router,  they wanted to know how to make their Solaris 10 systems conform to this. (Why Solaris 10 and not Solaris 11? Because their current roll-out reflects systems deployed before Solaris 11 came out) - AND they wanted to do this by the end of the year.  Given the opportunity and the fast-approaching deadline, I looked into this further by jointly teaming up with Krishna Yenduri of our Solaris network developer team, a team that focuses on network protocols and related cloud/virtualization technologies. Wanted to share what needs to be configured - and how easy it actually is.

So the customer inputs were:

  • Application: ISC BIND 
  • Requirement: Every DNS packet has to be tagged with value of 32, every DNS query needs to be tagged. 
  • Platform: x86 systems, Sun x4270 M2 servers running Solaris 10 

DSCP marking is supported in Solaris's implementation of support of IPQoS.  It is one of the most used features of IPQoS -- we have a number of scenarios of uses of Sun Ray servers where this has been deployed.   The way to configure IPQoS in Solaris 10 is thru the ipqosconf(1M)  interface.  Solaris 10 comes with a couple of sample config files located in /etc/inet/ipqosconf*, which show how to use the DSCP marking rules.  

If the need is to limit the marking to just the outgoing DNS queries, use the 'dport' parameter (that indicates the destination port), and set it to 53, as shown in the complete example that follows. Alternatively, if the need is to limit the marking to the outgoing DNS response, use the 'sport' parameter in the filter definition.

Contents of /etc/inet/ipqosinit.conf

fmt_version 1.0

# Mark the DSCP with code point AF32, 011100 = 28
action {
       module dscpmk
       name markAF32

       params {
               global_stats true
               next_action continue
               dscp_map {
               dscp_detailed_stats false

action {
       module ipgpc
       name ipgpc.classify

       params {
               global_stats true

       class {
               name myclass
               next_action markAF32
               enable_stats true

       class {
               name default
               next_action continue
               enable_stats false

       filter {
               name myfilter
               class myclass
               # DNS response
               sport 53
               direction { LOCAL_OUT }

The file gets saved as:   /etc/inet/ipqosinit.conf

Then the following operation instantiates the contents of the config file: 

# /usr/sbin/ipqosconf -s -a /etc/inet/ipqosinit.conf

and there is NO need to reboot.

How would you verify this?

If you're looking at the IPv4 network traffic, you would use:

#snoop -V -d <ipif-name> dst 53

This would show the IP header with the TOS value of '0x70', since the TOS value of 0x70 is the DSCP value of decimal 28).

Here's an example: 

host1 -> IP  D=XXX.XX.XXX.XX S=YY.YYY.YY.YYY LEN=74, ID=19461, TOS=0x70, TTL=255

Kindly note that 'TOS' is the same as the DSCP field - it happens to be an older RFC format and snoop(1M) does not know how to interpret it as DSCP, however ethereal/wireshark/tshark can perform such an interpretation properly (in case you'd be looking to verify the DSCP field value).

If you're handling IPv6 network traffic, beware that DSCP appears as a different field name: 'Traffic class' and if you're using wireshark, you should expect to see something like this:

Internet Protocol Version 6, Src: fe80::21b:21ff:fe88:fcd4 (fe80::21b:21ff:fe88:fcd4), Dst: fe80::21b:21ff:fe87:8d78 (fe80::21b:21ff:fe87:8d78)
    0110 .... = Version: 6
        [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 0111 0000 .... .... .... .... .... = Traffic class: 0x00000070
        .... 0111 00.. .... .... .... .... .... = Differentiated Services Field: Assured Forwarding 32 (0x0000001c)
        .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
        .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 33
    Next header: TCP (6)
    Hop limit: 60
    Source: fe80::21b:21ff:fe88:fcd4 (fe80::21b:21ff:fe88:fcd4)
    [Source SA MAC: IntelCor_88:fc:d4 (00:1b:21:88:fc:d4)]
    Destination: fe80::21b:21ff:fe87:8d78 (fe80::21b:21ff:fe87:8d78)
    [Destination SA MAC: IntelCor_87:8d:78 (00:1b:21:87:8d:78)]

For more information, please consult the System Administration Guide for IP Services - for Solaris 10 that book is located here:

For more general Oracle Solaris 11 How-To examples and content, please check this site out:

Monday Dec 02, 2013

NYC Tech Party 2013

Hey all, 

We are happy to help sponsor this year's NYC Tech holiday party, in co-operation with some of New York's technical users communities.

- The Annual NYC Tech Meta-Party - 

When: 7:00 PM until exit(-1), Monday, December 9, 2013

Where: the entire Suspenders Bar and Restaurant

111 Broadway, in downtown Manhattan

Various NYC technical user groups are joining forces to hold another holiday party to remember!

Check out the RSVP info at the tech event meetup page 

Various groups include:

- DebianNYC (New York Debian Local Group)
- DrupalNYC (Drupal New York City)
- Erlang NYC (Erlang New York City)
- Lopsa-NYC (League of Professional System Administrators New York City Chapter)
- LispNYC (New York City Lisp User Group)
- NYC*BUG (New York City *BSD User Group)
- NYC-Clojure (NYC Clojure Users Group)
- nycdevops (New York City Devops Meetup Group)
- NYC-OCaml (The NYC OCaml Meetup)
- NY-Haskell (New York Haskell Users Group)
- NY-Scala (New York Scala)
- PuppetNYC (New York Puppet User Group)
- SFLC (Software Freedom Law Center)
- TA3M (Techo Activist Third Mondays)
- UNIGROUP (New York City's Unix User's Group)

Everyone of all types of expertise and interests are welcome.  The party starts at 7 PM and will continue until at least 10 PM.  It is the ideal networking opportunity of the season, and a chance to connect with old friends and make new ones.

Here's to celebrating accomplishments of 2013 and welcoming new successes in 2014!

See you there!


Isaac Rozenfeld has been a Principal Product Manager for Oracle Solaris; responsibilities have included bettering the portfolio of networking and installation technologies - all with a focus on easing application deployments

You can follow Isaac on Twitter @izfromsun


« December 2013 »
Tech Reference

No bookmarks in folder