[dnsdist] Keep Client IP across dnsdist and PDNSRecursor

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Fri Sep 9 08:51:43 UTC 2016 

Hi all, Hi Daniel ...

Recursor  3.7.3
Dnsdist  1.0.0


I'm trying but I can't get the source IP between dnsdist and recursor.
I've added on my dnsdist.conf:
    newServer({ ... useClientSubnet=true .. })
    setECSOverride(true)
    setECSSourcePrefixV4(32)
    setECSSourcePrefixV6(128)

but I still getting the IP of dnsdist on my recursor side. (same server on different ports)
I were checking recursor options trying to find something ... but no luck.

I'm start thinking I'm doing bad tests ... what I'm doing?
Using dnsblast tool to send lots of random queries to my dnsdist, dnsdist forward those queries to the recursor  and the recursor replies back to dnsdist the SERVFAIL with the dnsdist IP.

There is a better way know if dnsdist and recursor are using the " EDNS0 client subnet extension"???

Trillion of thanks! 

Ale


-----Original Message-----
From: Daniel Stirnimann [mailto:daniel.stirnimann at switch.ch] 
Sent: miƩrcoles, 4 de mayo de 2016 13:40
To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>; dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Keep Client IP across dnsdist and PDNSRecursor

Hello Alejandro,

You can pass the full client IP address using EDNS0 client subnet extension (https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-08).

newServer({ ... useClientSubnet=true .. })
setECSOverride(true)
setECSSourcePrefixV4(32)
setECSSourcePrefixV6(128)

I'm not sure if pdns-recursor 4.0 supports EDNS0 client subnet in any form yet. I have not found any hint in https://doc.powerdns.com/md/recursor/settings/

Daniel


On 04.05.16 12:43, Alejandro Adroher Mellado wrote:
> Hi all,
> 
> I'm doing various researches in the last few days trying to find a way 
> which let me pass the client query across dnsdist and pdns-recursor 
> without losing the client source ip.  I have dnsdist and recursor 
> working on same server. (newest versions of dnsdist v
> 1.0.0 and recursor 4.0)
> 
> The most clean example is when someone queries for a domain, dnsdist 
> send the query to the recursor, the recursor gets a SERVFAIL and get 
> back to the dnsdist something like.
> 
> Sending SERVFAIL to 127.0.0.1 during resolve of '58cl.com.' because:
> Too much time waiting for 58cl.com.|A, timeouts: 5, throttles: 0,
> queries: 7, 7898msec
> 
> It has sense because dnsdist is not sending customer source ip to the 
> recursor... but, there must be a way. I've tried adding to dnsdist 
> "useClientSubnet=true" but is not enough.
> 
> Anyone have a better idea?
> 
> Thanks a lot.
> 
> Alejandro.  _______________________________________________ dnsdist 
> mailing list dnsdist at mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
> 

--
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 15, direct +41 44 268 16 24 daniel.stirnimann at switch.ch, http://www.switch.ch

More information about the dnsdist mailing list