[Pdns-users] Doubt about "edns-subnet-whitelist" directive
WANG Cui 王璀
wangc at essilorchina.com
Thu Aug 4 15:45:09 UTC 2016
I installed pdns-recursor 4.0.0~alpha2-2 on Ubuntu server 16.04.1, and
want to try the EDNS Client Subnet function. I added below directive:
where 220.127.116.11/8 is my client subnet. But pdns-recursor always send
query to 18.104.22.168 *WITHOUT* subnet option.
I researched in the source code and find out in file: pdns_recursor.cc,
function: getEDNSSubnetMask(), there is an if test:
* if(g_ednsdomains.check(dn) || g_ednssubnets.match(rem)) where the
“rem” is actually is the forwarder IP that I set by:
Of course the if test won’t pass, therefore pdns-recursor never append
subnet option in query.
I change my directive as:
* edns-subnet-whitelist=22.214.171.124/16, 126.96.36.199/8 Then pdns-recursor will
match the 188.8.131.52/16 netmask as in whitelist, and append subnet option to
query as expected, then 184.108.40.206 respect the subnet option and respond
proper result per the subnet.
But the " edns-subnet-whitelist " directive looks weird to me.
I further modified source code as below:
* if(g_ednsdomains.check(dn) || g_ednssubnets.match(local)) Where
“local” is the source IP of requestor.
After “make install”, it works as I want with original directive:
So I am asking, is it a bug? Or intentional design to have to add the
“forward-zones-recurse” subnet in the “edns-subnet-whitelist”?
For me, I believe the original “edns-subnet-whitelist” directive make
Thanks for clarification.
This e-mail and its attachments are confidential and intended for use by
the above named recipient(s) only. If you are not the intended recipient,
please note that any use, modification, dissemination, edition or
reproduction (either in whole or partially) of this e-mail and/or its
attachments, or of the information contained herein, is strictly
prohibited. If you have received this e-mail by mistake, please notify the
sender immediately, and immediately delete this e-mail with its attachments
and any copy of it from your computer system. We do not ensure the security
of electronically transmitted information. Therefore, we take no
responsibility in the event this email and/or its attachments may have been
for example modified, altered and/or in the case of transmission of a
virus. Your communication with us through such means shall signify your
acceptance of such risks. We kindly advise you to check whether this email
or its attachments are free of viruses
More information about the Pdns-users