<html><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><style><!--
--></style></head><body lang="EN-US" link="#0563C1" vlink="#954F72"><div class="WordSection1"><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">Hi,</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">I work at a French multinational company, in charge of the Greater China region, based in Shanghai, China.</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white"> </span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">We are using Google Apps (Gmail, Contacts, Calendar, Drive, Sites, etc.) for office applications. Meanwhile, we need to access many other international web resources (of course…).</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">As we all know, the China GFW (Great Firewall) is in place, which blocks access to many web resources (Google, Facebook, Twitter, SalesForce, GitHub, and many…). 
So we implemented tunnels to Hong Kong/Taiwan to cross it.</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white"> </span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">The network layer topology is simple:</span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="font-size:13.5pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">        </span></span></span><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">We set up 1 VPN tunnel to Hong Kong (with 1 other tunnel to Taiwan as redundancy).</span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="font-size:13.5pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">        </span></span></span><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">We created routing rules based on China’s country IP range. 
If the destination is China, traffic goes out through the local link directly; if the destination is non-China, traffic goes out through the VPN tunnel.</span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="font-size:13.5pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">        </span></span></span><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">The 2 tunnels will be switched in case 1 is down.</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white"> </span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">On the DNS side, since China DNS providers are doing DNS poisoning, we chose a French DNS provider as resolver.</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">The solution works OK, except that the French DNS always replies with records according to the breakout IP. This causes slowness when we access Chinese websites, e.g. 
we open <a href="http://www.taobao.com">www.taobao.com</a> but in fact access a Taobao CDN node in Iceland.</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white"> </span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">My idea is to change to Google DNS (or maybe OpenDNS) and utilize EDNS-Client-Subnet.</span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><span style="font-size:13.5pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">        </span></span></span><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">When a local client does a DNS query, the on-premises recursive name server (currently using Windows Server 2008 R2’s DNS role) should pass the query to 8.8.8.8 with a location indication of Shanghai (in reality, the traffic will go through the Hong Kong tunnel and expose a Hong Kong IP to 8.8.8.8).</span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><span style="font-size:13.5pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">        </span></span></span><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">8.8.8.8 should reply with a record for the node most optimized for Shanghai.</span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><span style="font-size:13.5pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">        </span></span></span><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">The client then accesses the node over the local Internet link, with the best speed.</span></p><p class="MsoNormal"><span 
style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white"> </span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">After my research, I don’t think Windows Server supports EDNS-Client-Subnet yet. Another stable DNS recursor should be adopted to replace it for local DNS service.</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white"> </span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">I spent some time on PowerDNS Recursor and see that since 4.0 it officially supports EDNS-Client-Subnet, but when I read the documentation, I can hardly find how to make it work as I expected.</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">So I am asking: is there any recommended solution to achieve this goal? Any special considerations?</span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white"> </span></p><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#222222;background:white">Thanks in advance,</span></p></div></body></html>
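<p>The "location indication" described in the message above is the EDNS Client Subnet option of RFC 7871. The following is an added example, not part of the original post and not PowerDNS code: it builds the wire-format query a recursor would forward and decodes the option again. The prefix 203.0.113.0/24 is a constructed placeholder (documentation range) standing in for the office's public Shanghai prefix.</p>

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)


def encode_ecs(subnet: str) -> bytes:
    """Encode one ECS option: code, length, family, source/scope prefix, address."""
    net = ipaddress.ip_network(subnet, strict=False)  # strict=False zeroes host bits
    family = 1 if net.version == 4 else 2
    # Only the bytes covered by the prefix go on the wire, which limits
    # how much of the client address the upstream resolver learns.
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr  # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(name: str, subnet: str, qid: int = 0x1234) -> bytes:
    """Build an A query (RD set) with a single OPT record carrying the ECS option."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = encode_ecs(subnet)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def decode_ecs(option: bytes) -> dict:
    """Decode one ECS option, e.g. when checking a capture of the forwarded query."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    if family not in (1, 2):
        raise ValueError("unknown address family")
    addr = option[8:]
    if len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    packed = addr.ljust(4 if family == 1 else 16, b"\x00")
    return {"subnet": f"{ipaddress.ip_address(packed)}/{source}", "scope": scope}


if __name__ == "__main__":
    query = build_query("www.taobao.com", "203.0.113.77/24")  # constructed sample input
    print(query.hex())
    print(decode_ecs(query[-11:]))
```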
