<div dir="ltr">I'm working through upgrading from 4.4 to the latest version. Tackling issues one at a time. I'm trying to get usable log info on who I'm getting queries from. I've never used ECS/EDNS before; I think it's what I need to use to get what I want. I use dnsdist in front of both my recursor and auth server, all on the name server, same for my secondary. Please look at my config and tell me what you think. I understand that the logs are showing what's actually happening, as the query is from 127.0.0.1. I'd just like to be able to get the originator IP too if possible.<div><br></div>
<div>Another thing, I'm not sure zone updates are being accepted by the secondary. Is there anything different you have to do that changed since 4.4? It's like it sees the update from the loopback rather than from the primary. Not sure if it's related to any of the ECS/EDNS options.</div><div><br></div>
<div>Thanks.</div><div><br></div>
<div>Running:</div>
<div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">openbsd-7.2<br>dnsdist-1.7.2<br>powerdns-4.6.3<br>powerdns-recursor-4.7.3</blockquote></div>
<div>Log showing dnsdist IP rather than originating client:</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">pdns_recursor[67506]: 3 [1230/1] question for 'chat-e2ee-mini.c10r.facebook.com|A' from 127.0.0.1:34556</blockquote><div><br></div>
<div>pdns.conf:</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">setuid=_powerdns<br>launch=gsqlite3<br>gsqlite3-database=/var/db/pdns/pdns.sqlite3<br>gsqlite3-dnssec<br>allow-axfr-ips=192.168.100.14<br>also-notify=192.168.100.14<br>daemon=yes<br>edns-subnet-processing=yes<br>guardian=yes<br>local-address=127.0.0.1:5300<br>loglevel=5<br>primary=yes<br>secondary=no</blockquote><div><br></div>
<div>recursor.conf:</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">setuid=_pdns_recursor<br>setgid=_pdns_recursor<br>chroot=/var/pdns_recursor<br>allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10<br>daemon=yes<br>disable-syslog=no<br>dnssec-log-bogus=yes<br>forward-zones=mydomain.com=127.0.0.1:5300<br>forward-zones+=sub.mydomain.com=127.0.0.1:5300<br>forward-zones+=sub.otherdomain.org=127.0.0.1:5300<br>local-address=127.0.0.1:5301<br>log-common-errors=yes<br>log-rpz-changes=yes<br>logging-facility=0<br>loglevel=4<br>quiet=no</blockquote><div><br></div>
<div>dnsdist.conf:</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">setLocal('192.168.100.13:53')<br>addLocal('127.0.0.1:53')<br>setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access<br>setECSOverride(true)<br>setECSSourcePrefixV4(32)<br>setECSSourcePrefixV6(128)<br>newServer({address='127.0.0.1:5300', pool='auth', useClientSubnet=true})<br>newServer({address='127.0.0.1:5301', pool='recursor', useClientSubnet=true})<br>recursive_ips = newNMG()<br>recursive_ips:addMask('10.0.0.0/8') -- These network masks are the ones from allow-recursion in the Authoritative Server<br>recursive_ips:addMask('192.168.0.0/16')<br>recursive_ips:addMask('172.16.0.0/12')<br>recursive_ips:addMask('127.0.0.0/24')<br>addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))<br>addAction(AllRule(), PoolAction('auth'))</blockquote></div>