[Pdns-users] Doubt about "edns-subnet-whitelist" directive
WANG Cui 王璀
wangc at essilorchina.com
Thu Aug 4 15:45:09 UTC 2016
Hi,
I installed pdns-recursor 4.0.0~alpha2-2 on Ubuntu server 16.04.1, and
want to try the EDNS Client Subnet function. I added the directive below:
* edns-subnet-whitelist=112.65.191.0/8
where 112.65.191.0/8 is my client subnet. But pdns-recursor always sends
the query to 8.8.8.8 *WITHOUT* the subnet option.
I researched in the source code and found that in file pdns_recursor.cc,
function getEDNSSubnetMask(), there is an if test:
* if(g_ednsdomains.check(dn) || g_ednssubnets.match(rem))
where “rem” is actually the forwarder IP that I set by:
* forward-zones-recurse=.=8.8.8.8
Of course the if test won’t pass, therefore pdns-recursor never appends
the subnet option to the query.
I changed my directive to:
* edns-subnet-whitelist=8.8.0.0/16, 112.65.191.0/8
Then pdns-recursor matches the 8.8.0.0/16 netmask as being in the whitelist
and appends the subnet option to the query as expected; 8.8.8.8 then
respects the subnet option and responds with the proper result for the
subnet.
But the "edns-subnet-whitelist" directive looks weird to me.
I further modified the source code as below:
* if(g_ednsdomains.check(dn) || g_ednssubnets.match(local))
where “local” is the source IP of the requestor.
After “make install”, it works as I want with original directive:
* edns-subnet-whitelist=112.65.191.0/8
So I am asking, is it a bug? Or is it an intentional design to have to add
the “forward-zones-recurse” subnet to the “edns-subnet-whitelist”?
For me, I believe the original “edns-subnet-whitelist” directive makes
more sense.
Thanks for clarification.
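
The two readings of the whitelist discussed in the message above, as a small Python model (an added example, not part of the original post and not PowerDNS code). The function names, the client address and the two extra server addresses are constructed assumptions, and the domain half of the quoted test (g_ednsdomains) is left out.

```python
import ipaddress

def parse_whitelist(value):
    """Parse a comma-separated netmask list as written in the post.
    strict=False masks off host bits, so 112.65.191.0/8 means 112.0.0.0/8."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]

def sends_ecs(whitelist, client, server, match_on="rem"):
    """Model of the netmask half of the if test quoted in the post.
    match_on="rem":   compare the server being queried (check as quoted).
    match_on="local": compare the requestor's source IP (poster's change)."""
    subject = ipaddress.ip_address(server if match_on == "rem" else client)
    return any(subject in net for net in parse_whitelist(whitelist))

def ecs_recipients(whitelist, client, servers, match_on="rem"):
    """Servers that would be sent the client's subnet under each reading."""
    return [s for s in servers if sends_ecs(whitelist, client, s, match_on)]

# Constructed sample values: a client inside the poster's subnet, the
# forwarder from the post, and two made-up upstream server addresses.
CLIENT = "112.65.191.10"
SERVERS = ["8.8.8.8", "112.200.1.53", "198.51.100.53"]

if __name__ == "__main__":
    for wl in ("112.65.191.0/8", "8.8.0.0/16, 112.65.191.0/8"):
        for mode in ("rem", "local"):
            hits = ecs_recipients(wl, CLIENT, SERVERS, mode)
            print(f"{wl!r:32} {mode:5} -> {hits}")
```

Matching on the server address limits which upstream servers are sent the client subnet, while matching on the requestor address sends it to every server queried on behalf of a listed client.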