[Pdns-users] Ask for solution recommendation to setup DNS Recursor with EDNS-Client-Subnet support

WANG Cui 王璀 wangc at essilorchina.com
Fri Jul 29 05:48:32 UTC 2016


Hi,

I am working in a French multinational company, in charge of the Greater China
region, sitting in Shanghai, China.



We are using Google Apps (Gmail, Contacts, Calendar, Drive, Sites, etc.)
for office applications. Meanwhile we need to access many other international
web resources (of course…).

As we all know, the China GFW (Great Firewall) is in place, which blocks
access to many web resources (Google, Facebook, Twitter, SalesForce,
GitHub, and many more…). So we implemented tunnels to Hong Kong/Taiwan to cross
it.



The network layer topology is simple:

- We set up 1 VPN tunnel to Hong Kong (with 1 other tunnel to Taiwan
as redundancy).

- We created routing rules based on China's country IP range. If the
destination is China, traffic goes out through the local link directly; if the
destination is non-China, traffic goes out through the VPN tunnel.

- The 2 tunnels will be switched in case one is down.



On the DNS part, since China DNS providers are doing DNS poisoning, we chose a
French DNS provider as resolver.

The solution works ok, except the French DNS always replies with records according to
the breakout IP. This causes slowness when we access Chinese websites, e.g.
opening www.taobao.com, but in fact accessing Taobao's CDN node in Iceland.



My idea is to change to Google DNS (or maybe OpenDNS) and utilize
EDNS-Client-Subnet.

- When a local client does a DNS query, the on-premise Recursive Name
Server (currently using Windows Server 2008 R2's DNS role) should pass the
query to 8.8.8.8 with a location indication of Shanghai (in reality, the
traffic will go through the Hong Kong tunnel and expose a Hong Kong IP to
8.8.8.8.)

- 8.8.8.8 should reply with a record for a node most optimized for
Shanghai.

- The client then accesses the node via the local Internet link, with the best
speed.



After my research, I don't think Windows Server supports EDNS-Client-Subnet
yet. Another stable DNS Recursor should be adopted to replace it for the local
DNS service.



I spent some time on PowerDNS Recursor and see that since 4.0 it officially
supports EDNS-Client-Subnet, but when I read the documents, I can hardly find how
to make it work as I expected.

So I am asking: is there any recommended solution to achieve such a goal? Any
special considerations?



Thanks in advance,
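As an added illustration of the mechanism this question is about (not part of the original mail, and not PowerDNS code), the following Python builds a DNS query carrying an EDNS Client Subnet option for a chosen prefix and decodes the option a resolver echoes back. The prefix 203.0.113.0/24 is a documentation range standing in for the office subnet, and the reply data is constructed; a SCOPE PREFIX-LENGTH of 0 in the echoed option is how you can tell that an upstream resolver ignored the subnet, which is the behaviour to check when testing 8.8.8.8 through the tunnel.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)

def build_ecs_option(subnet: str) -> bytes:
    """Encode one ECS option: code, length, FAMILY, SOURCE PREFIX, SCOPE PREFIX, address.
    Only the leading ceil(prefix/8) address bytes are sent, with host bits zeroed,
    as RFC 7871 requires. SCOPE PREFIX is always 0 in a query."""
    net = ipaddress.ip_network(subnet, strict=False)  # strict=False zeroes host bits
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def build_query(qname: str, subnet: str, qid: int = 0x1234) -> bytes:
    """A/IN query for qname with RD set and one OPT RR (UDP size 4096) carrying ECS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = [l.encode() for l in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = build_ecs_option(subnet)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def iter_options(opt_rdata: bytes):
    """Yield (code, data) pairs from the RDATA of an OPT RR."""
    pos = 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        yield code, opt_rdata[pos + 4:pos + 4 + length]
        pos += 4 + length

def parse_ecs(option_data: bytes) -> dict:
    """Decode ECS option data; pads the truncated address back to full length."""
    family, source, scope = struct.unpack("!HBB", option_data[:4])
    addr = option_data[4:].ljust(4 if family == 1 else 16, b"\x00")
    return {"family": family, "source_prefix": source, "scope_prefix": scope,
            "address": str(ipaddress.ip_address(addr))}

def answer_was_tailored(opt_rdata: bytes) -> bool:
    """True if the echoed ECS has SCOPE PREFIX > 0, i.e. the answer depends on the
    client subnet; 0 means the resolver ignored the subnet (a cache-wide answer)."""
    return any(parse_ecs(d)["scope_prefix"] > 0
               for code, d in iter_options(opt_rdata) if code == ECS_OPTION_CODE)

# Constructed sample: OPT RDATA a resolver might return, scope 24 = tailored to the /24
SAMPLE_REPLY_OPT_RDATA = bytes.fromhex("0008000700011818cb0071")
```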
