[Pdns-users] pdns recursor edns-client-subnet caching problems

Shawn Zhou shawnzhou00 at yahoo.com
Wed Aug 2 06:42:39 UTC 2017


Hi Bert,

Thanks for your quick response. 4.1 didn't work, and I had already set use-incoming-edns-subnet, but I was getting timeouts. From what I could see in my tcpdump, the authoritative server didn't return the correct answer.

root at DFW01-CPS01:~# service pdns-recursor restart
 * Restarting PowerDNS recursor pdns-recursor
Aug 02 06:33:34 PowerDNS Recursor 4.1.0-alpha1 (C) 2001-2017 PowerDNS.COM BV
Aug 02 06:33:34 Using 64-bits mode. Built using gcc 5.4.0 20160609 on Jul 18 2017 13:15:53 by root at 24d7ea40a89f.
Aug 02 06:33:34 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Aug 02 06:33:34 Reading random entropy from '/dev/urandom'
Aug 02 06:33:34 If using IPv6, please raise sysctl net.ipv6.route.max_size, currently set to 4096 which is < 16384
Aug 02 06:33:34 NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable
Aug 02 06:33:34 Only allowing queries from: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
Aug 02 06:33:34 Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
Aug 02 06:33:34 PowerDNS Recursor itself will distribute queries over threads
Aug 02 06:33:34 Inserting rfc 1918 private space zones
Aug 02 06:33:34 Listening for UDP queries on 127.0.0.1:53
Aug 02 06:33:34 Enabled TCP data-ready filter for (slight) DoS protection
Aug 02 06:33:34 Listening for TCP queries on 127.0.0.1:53
Aug 02 06:33:34 Calling daemonize, going to background
   ...done.
root at DFW01-CPS01:~#
root at DFW01-CPS01:~# dig @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
root at DFW01-CPS01:~# dig @127.0.0.1 insnw.net

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38401
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;insnw.net.            IN    A

;; AUTHORITY SECTION:
insnw.net.        60    IN    SOA    ns1.insnw.net. sysadmin.instart.co. 286989 3600 600 604800 60

;; Query time: 48 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 02 06:35:04 GMT 2017
;; MSG SIZE  rcvd: 97

root at DFW01-CPS01:/etc/powerdns# grep -v \# /etc/powerdns/recursor.conf  | sed -e '/^$/d'
config-dir=/etc/powerdns
edns-subnet-whitelist=insnw.net
local-address=127.0.0.1
quiet=yes
setgid=pdns
setuid=pdns
use-incoming-edns-subnet=yes

On Tuesday, August 1, 2017, 11:21:24 PM PDT, bert hubert <bert.hubert at powerdns.com> wrote:

On Wed, Aug 02, 2017 at 05:52:26AM +0000, Shawn Zhou wrote:
> Hi,
> I am trying out pdns recursor 4.0.6 on Ubuntu Xenial, and cache lookups for the same record with and without client subnet give me the same result, which is not expected. I expect [3] to return a different value, as the cache should hold different values based on client subnet. I wonder if that's a bug with the edns-client-subnet implementation in pdns or if I missed something in the configuration file.
> Also, I noticed dig doesn't show "CLIENT-SUBNET: 52.57.28.138/32/16" when I dig against pdns, but I do get that when I dig against the authoritative directly. See [4].

Hi Shawn,

We did a lot of work on EDNS Client Subnet in 4.1, for which a trial release
can be found in https://blog.powerdns.com/2017/07/18/powerdns-recursor-4-1-0-alpha1-released/

Before we analyse your issue too deeply, can you check what 4.1 does in your
case?

Have you set use-incoming-edns-subnet?

Good luck!

    Bert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edns.pcap
Type: application/octet-stream
Size: 6481 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20170802/812b2444/attachment-0001.obj>
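Added example (not from the thread, and not PowerDNS Recursor code): a small Python model of what the +subnet output in this thread is describing. It encodes and decodes the RFC 7871 CLIENT-SUBNET option, so that "52.57.28.138/32/16" reads as source prefix 32 sent by the client and scope prefix 16 returned by the authority, and it keeps a cache keyed by the returned scope, which is why the same name can legitimately have different cached answers for different client subnets. The query name is taken from the thread; the addresses, scopes and answer values are constructed, and how PowerDNS actually structures its own cache is not shown here.

```python
"""EDNS Client Subnet (RFC 7871) wire format plus a scope-aware cache model.

Added example for this thread; it is not PowerDNS Recursor code and does not
reproduce its cache. All addresses and answers below are constructed."""
import ipaddress
import struct

ECS_OPTION_CODE = 8              # EDNS0 option code for CLIENT-SUBNET
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # ADDRESS FAMILY values from RFC 7871


def encode_ecs(address, source_prefix, scope_prefix=0):
    """Return the option (code, length, data) carried inside an OPT RR.
    Only the significant octets of the address are sent and bits past
    source_prefix are zeroed, as RFC 7871 section 6 requires. A client
    sends scope_prefix 0; an authoritative server fills it in on the reply."""
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("source prefix out of range")
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr_bytes = net.network_address.packed[: (source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def decode_ecs(option):
    """Parse an ECS option into (address, source_prefix, scope_prefix).
    Rejects what a resolver must refuse before using the option as a cache
    key: wrong code or length, unknown family, an address length that does
    not match the prefix, and non-zero bits beyond the prefix."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr_bytes = option[8:]
    if family == FAMILY_IPV4:
        total, cls = 4, ipaddress.IPv4Address
    elif family == FAMILY_IPV6:
        total, cls = 16, ipaddress.IPv6Address
    else:
        raise ValueError(f"unknown address family {family}")
    if source > total * 8 or len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix")
    addr = cls(addr_bytes + b"\x00" * (total - len(addr_bytes)))
    if ipaddress.ip_network(f"{addr}/{source}", strict=False).network_address != addr:
        raise ValueError("bits set beyond the source prefix")
    return str(addr), source, scope


class EcsCache:
    """Model of an ECS-aware cache: answers are keyed by the *scope* the
    authoritative server returned, not by the source prefix the client sent,
    and a lookup takes the longest matching scope. Scope /0 means the answer
    holds for every client."""

    def __init__(self):
        self._entries = {}  # (qname, qtype) -> {scope network: answer}

    def store(self, qname, qtype, client_address, scope_prefix, answer):
        net = ipaddress.ip_network(f"{client_address}/{scope_prefix}", strict=False)
        self._entries.setdefault((qname.lower(), qtype), {})[net] = answer

    def lookup(self, qname, qtype, client_address):
        ip = ipaddress.ip_address(client_address)
        best_net, best_answer = None, None
        for net, answer in self._entries.get((qname.lower(), qtype), {}).items():
            if net.version == ip.version and ip in net:
                if best_net is None or net.prefixlen > best_net.prefixlen:
                    best_net, best_answer = net, answer
        return best_answer


def demo():
    """Walk through the behaviour the thread expects, with constructed data.
    'CLIENT-SUBNET: 52.57.28.138/32/16' in dig output means the client sent
    source /32 and the authority replied with scope /16."""
    query_opt = encode_ecs("52.57.28.138", 32)
    response_opt = encode_ecs("52.57.28.138", 32, scope_prefix=16)
    addr, _source, scope = decode_ecs(response_opt)

    cache = EcsCache()
    qname, qtype = "morpheus-ien.insnw.net", "A"
    cache.store(qname, qtype, "0.0.0.0", 0, "192.0.2.1")   # generic answer, scope /0 (constructed)
    cache.store(qname, qtype, addr, scope, "192.0.2.10")  # answer valid for 52.57.0.0/16 (constructed)
    return {
        "query_option_hex": query_opt.hex(),
        "response_scope": scope,
        "in_scope": cache.lookup(qname, qtype, "52.57.200.1"),
        "out_of_scope": cache.lookup(qname, qtype, "203.0.113.5"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A client inside 52.57.0.0/16 gets the answer stored under the /16 scope, while any other client falls back to the /0 entry; a recursor that ignores the returned scope and keys only on the name collapses both into one entry, which is the symptom the first message in this thread describes.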