[Pdns-users] pdns recursor edns-client-subnet caching problems

Shawn Zhou shawnzhou00 at yahoo.com
Wed Aug 2 05:52:26 UTC 2017


Hi,
I am trying out pdns recursor 4.0.6 on Ubuntu Xenial, and cache lookups for the same record with and without a client subnet give me the same result, which is not expected. I expect [3] to return a different value, as the cache should have a different value based on the client subnet. I wonder if that's a bug with the edns-client-subnet implementation in pdns or if I am missing something in the configuration file.
Also, I noticed dig doesn't show "CLIENT-SUBNET: 52.57.28.138/32/16" when I dig against pdns, but I get that when I dig against the authoritative server directly. See [4].
root@DFW01-CPS01:~# /etc/init.d/pdns-recursor restart
 * Restarting PowerDNS recursor pdns-recursor
Aug 02 05:23:14 PowerDNS Recursor 4.0.6 (C) 2001-2016 PowerDNS.COM BV
Aug 02 05:23:14 Using 64-bits mode. Built using gcc 5.4.0 20160609 on Jul  4 2017 15:43:52 by root@5ee67e1ed1a4.
Aug 02 05:23:14 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Aug 02 05:23:14 Reading random entropy from '/dev/urandom'
Aug 02 05:23:14 If using IPv6, please raise sysctl net.ipv6.route.max_size, currently set to 4096 which is < 16384
Aug 02 05:23:14 NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable
Aug 02 05:23:14 Only allowing queries from: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
Aug 02 05:23:14 Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
Aug 02 05:23:14 PowerDNS Recursor itself will distribute queries over threads
Aug 02 05:23:14 Inserting rfc 1918 private space zones
Aug 02 05:23:14 Listening for UDP queries on 127.0.0.1:53
Aug 02 05:23:14 Enabled TCP data-ready filter for (slight) DoS protection
Aug 02 05:23:14 Listening for TCP queries on 127.0.0.1:53
Aug 02 05:23:14 Calling daemonize, going to background
   ...done.
root@DFW01-CPS01:~# dig @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26479
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3600    IN    CNAME    ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600    IN    A    35.156.66.126

;; Query time: 142 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 02 05:24:06 GMT 2017
;; MSG SIZE  rcvd: 97

root@DFW01-CPS01:~# dig @127.0.0.1 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 437
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3600    IN    CNAME    ins-091.inscname.net.
ins-091.inscname.net.    3600    IN    CNAME    a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net.    3600    IN    A    192.33.31.183

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 02 05:24:18 GMT 2017
;; MSG SIZE  rcvd: 123


[3]
root@DFW01-CPS01:~# dig @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19051
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3594    IN    CNAME    ins-091.inscname.net.
ins-091.inscname.net.    3594    IN    CNAME    a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net.    3594    IN    A    192.33.31.183

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 02 05:24:24 GMT 2017
;; MSG SIZE  rcvd: 123

[4]
szhou@DFW01-CPS01:~$ dig @ns1.insnw.net +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @ns1.insnw.net +subnet=52.57.28.138 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35637
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: bd357c1c04caaf44f7b0369b59816753474676b8d8dc2509 (good)
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3600    IN    CNAME    ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600    IN    A    35.156.66.126

;; AUTHORITY SECTION:
insnw.net.        86400    IN    NS    ns2.insnw.net.
insnw.net.        86400    IN    NS    ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.        86400    IN    A    192.33.29.21
ns2.insnw.net.        86400    IN    A    192.33.29.22

;; Query time: 0 msec
;; SERVER: 192.33.29.21#53(192.33.29.21)
;; WHEN: Wed Aug 02 05:46:59 GMT 2017
;; MSG SIZE  rcvd: 205

root@DFW01-CPS01:/etc/powerdns# grep -v \# /etc/powerdns/recursor.conf  | sed -e '/^$/d'
config-dir=/etc/powerdns
ecs-ipv4-bits=16
edns-subnet-whitelist=insnw.net
local-address=127.0.0.1
loglevel=9
setgid=pdns
setuid=pdns
use-incoming-edns-subnet=yes
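
Added example (not part of the original post): a Python check that parses three dig outputs taken in the order used above and flags the two symptoms reported, a missing CLIENT-SUBNET echo and a subnet query answered with the record set cached for the plain query. The function names and finding labels are assumptions made for this example; the sample text is trimmed from the dig output in the post.

```python
import re

def parse_dig(text):
    """Return (ecs, answers): the echoed CLIENT-SUBNET value or None, and
    the answer RRs as (name, type, rdata) tuples. TTLs are dropped because
    they count down while a record sits in the cache."""
    ecs, answers, in_answer = None, [], False
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r";\s*CLIENT-SUBNET:\s*(\S+)", line)
        if m:
            ecs = m.group(1)
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (not line or line.startswith(";")):
            in_answer = False          # blank line or next section header
        elif in_answer:
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((name, rtype, rdata))
    return ecs, answers

def diagnose(ecs_first, plain, ecs_again):
    """Compare three dig outputs taken in the order used in the post:
    with +subnet, without it, then with +subnet again."""
    findings = []
    (ecs1, a1), (_, a2), (ecs3, a3) = map(parse_dig, (ecs_first, plain, ecs_again))
    if ecs1 is None or ecs3 is None:
        findings.append("ecs-not-echoed")
    if a1 != a2 and a3 == a2:
        findings.append("subnet-query-served-plain-answer")
    return findings

# Sample input trimmed from the dig output in the post.
ECS_FIRST = """
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
morpheus-ien.insnw.net.    3600    IN    CNAME    ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600    IN    A    35.156.66.126
"""
PLAIN = """
;; ANSWER SECTION:
morpheus-ien.insnw.net.    3600    IN    CNAME    ins-091.inscname.net.
ins-091.inscname.net.    3600    IN    CNAME    a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net.    3600    IN    A    192.33.31.183
"""
ECS_AGAIN = PLAIN.replace("3600", "3594")  # same RRs, TTLs aged 6 s as in [3]

if __name__ == "__main__":
    print(diagnose(ECS_FIRST, PLAIN, ECS_AGAIN))
```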

