<div dir="ltr">
<div>
<div dir="ltr">
<div>Thanks Otto,</div>
<div><br>
</div>
<div>I agree with the docs, but then the actual operation/result is
not consistent unless I'm misunderstanding the operation or
purpose of proxy-protocol-from.<br>
</div>
<div><br>
</div>
<div><i>Product:</i></div>
<div><br>
</div>
<div>pdns-recursor<br>
</div>
<div><br>
</div>
<div><i>Version:</i></div>
<div><br>
</div>
<div>4.8.1<br>
</div>
<div><br>
</div>
<div><i>Full recursor.conf config:</i></div>
<div><br>
</div>
<pre>allow-from=&lt;src-subnet&gt;
api-key=xxxx
#config-dir=/usr/etc
daemon=no
#disable-syslog=no
edns-subnet-allow-list=0.0.0.0/0.
etc-hosts-file=/etc/hosts
# export-etc-hosts=off
#local-address=
local-port=53
loglevel=6
log-common-errors=yes
# max-cache-entries=1000000
# max-concurrent-requests-per-tcp-connection=10
max-tcp-clients=128
# max-tcp-per-client=0
# max-tcp-queries-per-connection=0
# network-timeout=1500
new-domain-log=yes
quiet=no
threads=2
use-incoming-edns-subnet=yes
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
webserver-loglevel=none
webserver-password=xxxx
webserver-port=8082
write-pid=yes
hint-file=/etc/named.root.txt
log-common-errors=no
lua-config-file=/etc/proxy-map.lua
max-busy-dot-probes=50
proxy-protocol-from=&lt;mapped public IP per below&gt;</pre>
<div><br>
</div>
<div><i>LUA script for proxy maps:</i></div>
<div><br>
</div>
<pre>addProxyMapping("private subnet 1", "mapped public IP")</pre><div><br>
</div>
<div>There are 2 requirements:</div>
<div><br>
</div>
<div>1. accurately enable ACLs via allow-from</div>
<div>2. use proxy-mapped public address from addProxyMapping for ecs/edns queries</div>
<div><br>
</div>
<div>Currently, the proxy mapped address is being used to match
against allow-from rather than the source/original address.<br>
</div>
<div><br>
</div>
<div>I'm hoping proxy-protocol-from does not affect ecs/edns
function but the docs don't discuss anything around this - I
would assume not.<br>
<br>
Update and per your replies:<br>
<br>
"I think proxyMapping and the use of ECS is explained in <a href="https://docs.powerdns.com/recursor/lua-config/proxymapping.html" target="_blank">https://docs.powerdns.com/recursor/lua-config/proxymapping.html</a>."<br>
<br>
I understand proxymapping - this is not my issue, I'm just mentioning it to provide context.<br>
(My logging is still not working in my Docker container. I'll request separate assistance with this.)<br>
<br>
Regards and thank you</div>
<div><br>
</div>
<div>Robby<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, 20 Jan 2023 at 17:58,
Otto Moerbeek <<a href="mailto:otto@drijf.net" target="_blank">otto@drijf.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Please
show your full configuration, including versions etc. Also, it<br>
is not clear which product you are using.<br>
<br>
The recursor docs say:<br>
<br>
"Note that once a Proxy Protocol header has been received, the
source<br>
address from the proxy header instead of the address of the
proxy will<br>
be checked against the allow-from ACL."<br>
<br>
<a href="https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from" rel="noreferrer" target="_blank">https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from</a><br>
<br>
-Otto<br>
<br>
<br>
On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via
Pdns-users wrote:<br>
<br>
> Hi all,<br>
> <br>
> I'm not sure if this is a change in behaviour or I simply
haven't noticed<br>
> this before but after upgrading my docker image today, I've
seen queries<br>
> being dropped due to the mapped address in my proxy
mappings being used for<br>
> allow-from rather than the src/original address. I use a
private-public<br>
> address mapping in the proxy maps because I use the mapped
public IP as<br>
> part of ecs/edns.<br>
> <br>
> I've now set:<br>
> <br>
> proxy-protocol-from=&lt;mapped ip&gt; (or should this be
the src IP?)<br>
> <br>
> but this doesn't appear to have changed anything and
queries are still<br>
> being dropped.<br>
> <br>
> Can anyone advise where I'm going wrong? I don't mind
putting the mapped<br>
> (public) IP in allow-from but would prefer not to do it if
not required.<br>
> <br>
> Regards<br>
> <br>
> -- <br>
> Robby Pedrica<br>
> <br>
> c: +27 82 416 8696<br>
<br>
> _______________________________________________<br>
> Pdns-users mailing list<br>
> <a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.com</a><br>
> <a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
<br>
</blockquote>
</div>
<br clear="all">
<br>
-- <br>
<div dir="ltr">Robby Pedrica<br>
XStore<br>
c: +27 82 416 8696<br>
f: +27 86 538 5810<br>
m: <a href="mailto:rpedrica@xstore.co.za" target="_blank">rpedrica@xstore.co.za</a><br>
w: <a href="http://wwww.xstore.co.za/" target="_blank">http://wwww.xstore.co.za/</a></div>
</div>
</div>
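<p>The thread above turns on two questions: which address a PROXY-protocol-aware resolver checks against <code>allow-from</code>, and which address it feeds into EDNS Client Subnet after <code>addProxyMapping</code>. The following is an added example, not code from PowerDNS or from anyone in the thread. It parses a PROXY protocol v2 header, then applies the two possible ACL policies side by side: <code>acl_uses="original"</code> matches the header's source address as the recursor docs quoted by Otto state, and <code>acl_uses="mapped"</code> matches the proxy-mapped address, which is the behaviour Robby reports. All subnets, addresses, the proxy address and the query bytes are constructed; the rules that a PROXY header from a host outside <code>proxy_protocol_from</code> is dropped, and that a bare query from inside that range is dropped, are assumptions of this model.</p>

```python
"""Model of a PROXY-protocol-v2-aware resolver front end: which address is matched
against allow-from and which address feeds EDNS Client Subnet after a proxy mapping.
Added example, not PowerDNS code. Addresses, subnets and the query bytes are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte PROXY v2 signature


@dataclass
class ProxyHeader:
    src: IPAddr
    dst: IPAddr
    src_port: int
    dst_port: int


def build_proxy_v2(src: str, dst: str, src_port: int, dst_port: int, dgram: bool = True) -> bytes:
    """Build a PROXY v2 header carrying the PROXY command for AF_INET/AF_INET6 (no TLVs)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("mixed address families")
    fam_proto = (0x10 if s.version == 4 else 0x20) | (0x02 if dgram else 0x01)
    body = s.packed + d.packed + struct.pack("!HH", src_port, dst_port)
    return PP2_SIG + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


def parse_proxy_v2(data: bytes) -> Tuple[Optional[ProxyHeader], bytes]:
    """Return (header, remaining bytes). header is None when no PROXY header is present
    (plain query) or the LOCAL command was used (proxy's own traffic, no client address)."""
    if len(data) < 16 or data[:12] != PP2_SIG:
        return None, data
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY header")
    body, rest = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0x00:
        return None, rest
    fam = fam_proto >> 4
    if fam == 0x1:
        alen, cls = 4, ipaddress.IPv4Address
    elif fam == 0x2:
        alen, cls = 16, ipaddress.IPv6Address
    else:
        raise ValueError("unsupported address family")
    if length < 2 * alen + 4:
        raise ValueError("short header body")
    src, dst = cls(body[:alen]), cls(body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return ProxyHeader(src, dst, src_port, dst_port), rest


def in_any(addr: IPAddr, nets) -> bool:
    return any(addr in net for net in nets)


def handle_packet(sender: str, packet: bytes, *, allow_from, proxy_protocol_from,
                  proxy_map, acl_uses: str = "original") -> dict:
    """Decide the ACL outcome and the ECS source address for one incoming packet.

    sender               address the packet actually arrived from (proxy or client)
    allow_from           networks, like the recursor's allow-from
    proxy_protocol_from  networks that must prepend a PROXY v2 header
    proxy_map            (network, mapped address) pairs, like addProxyMapping()
    acl_uses             "original": match the header's source address against allow-from,
                         as the quoted docs state; "mapped": match the proxy-mapped address,
                         the behaviour reported in the thread
    """
    if acl_uses not in ("original", "mapped"):
        raise ValueError("acl_uses must be 'original' or 'mapped'")
    sender_ip = ipaddress.ip_address(sender)
    header, query = parse_proxy_v2(packet)
    trusted_proxy = in_any(sender_ip, proxy_protocol_from)
    if header is not None and not trusted_proxy:
        # Assumption of this model: a header from a host not allowed to speak PROXY
        # is untrusted (it could spoof any client address), so the packet is dropped.
        return {"action": "drop", "reason": "PROXY header from untrusted sender"}
    if header is None and trusted_proxy:
        # Assumption of this model: hosts in proxy_protocol_from must send a header.
        return {"action": "drop", "reason": "missing PROXY header from proxy range"}
    client = header.src if header is not None else sender_ip
    mapped = next((m for net, m in proxy_map if client in net), client)
    subject = client if acl_uses == "original" else mapped
    if not in_any(subject, allow_from):
        return {"action": "drop", "reason": "not in allow-from", "acl_subject": str(subject)}
    return {"action": "accept", "acl_subject": str(subject),
            "ecs_source": str(mapped), "query": query}


# Constructed inputs standing in for the thread's "private subnet 1" / "mapped public IP".
ALLOW_FROM = [ipaddress.ip_network("10.20.0.0/16")]
PROXY_FROM = [ipaddress.ip_network("192.0.2.10/32")]                  # the proxy itself
PROXY_MAP = [(ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_address("198.51.100.7"))]
# Constructed DNS query: id 0x1234, RD set, one question "example.com. A".
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07example\x03com\x00\x00\x01\x00\x01")
PACKET = build_proxy_v2("10.20.5.9", "192.0.2.53", 40000, 53) + QUERY


def demo(acl_uses: str = "original", sender: str = "192.0.2.10", packet: bytes = PACKET) -> dict:
    return handle_packet(sender, packet, allow_from=ALLOW_FROM, proxy_protocol_from=PROXY_FROM,
                         proxy_map=PROXY_MAP, acl_uses=acl_uses)


if __name__ == "__main__":
    for mode in ("original", "mapped"):
        print(mode, demo(mode))
```

<p>With <code>allow-from</code> containing only the private subnet, the "original" policy accepts the query and hands the mapped public address to ECS, while the "mapped" policy drops it, which is the symptom described in the thread; adding the mapped address to <code>allow-from</code> is the workaround mentioned there. The model only honours a PROXY header from senders listed in <code>proxy_protocol_from</code>: a header is an unauthenticated claim about the client address, so any host allowed to supply one can choose what the ACL sees.</p>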