[Pdns-users] Performance implication of using loopback address in client subnet

Rami Al-Dalky rami.dalky at gmail.com
Wed Feb 13 21:50:36 UTC 2019 

Hi,

I observed some situations where PDNS recursor  sends a DNS query with
loopback IP address (as in [5]) in the client subnet. Sending such info.
can cause a confusion at the Auth. servers leading into suboptimal mapping
for the end-user. For instance, I resolved www.youtube.com directly against
Google's Auth. DNS server using 127.0.0.1/32[1] as a client subnet and
without ECS [2] where Google's Auth. would use the requester IP address
(which is my machine's IP in this case) to find the best near-by server.

As you can see from [1] and [2],  the set of A records returned in both
cases are different  (I did resolve www.youtube.com using my machine's IP
address in the client subnet and  I received the same answers as in [2]).
Moreover, I measured how far are those answers from my machine using ping.
As shown in [3], the server was close to my machine because the Auth.
server used my  IP address to find a near-by server. However, when a
loopback address was used, it caused a confusion at the Auth. DNS and I was
assigned to a server which is far from my machine [4] (26ms vs 130ms).

To comply with the RFC for such cases, instead of sending 127.0.0.1/32, the
recursor can either (i) send a DNS query without ECS option at all or (ii)
include its own IP address in the query.

I just wanted to point out the possible performance implication when using
loopback address in client subnet when resolving queries against Auth. DNS
servers.

Sincerely,
Rami

[1]

dig @216.239.38.10 www.youtube.com+client=127.0.0.1/32

; <<>> DiG 9.9.3 <<>> @216.239.38.10www.youtube.com +client=127.0.0.1/32
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35237
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 127.0.0.1/32/32
;; QUESTION SECTION:
;www.youtube.com. IN A

;; ANSWER SECTION:
www.youtube.com. 86400 IN CNAME youtube-ui.l.google.com.
youtube-ui.l.google.com. 300 IN A 172.217.168.46
youtube-ui.l.google.com. 300 IN A 216.58.215.238
youtube-ui.l.google.com. 300 IN A 172.217.168.14

[2]

dig @216.239.38.10 www.youtube.com

; <<>> DiG 9.9.3 <<>> @216.239.38.10www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50656
;; flags: qr aa rd; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.youtube.com. IN A

;; ANSWER SECTION:
www.youtube.com. 86400 IN CNAME youtube-ui.l.google.com.
youtube-ui.l.google.com. 300 IN A 172.217.5.14
youtube-ui.l.google.com. 300 IN A 216.58.216.110
youtube-ui.l.google.com. 300 IN A 216.58.192.206
youtube-ui.l.google.com. 300 IN A 216.58.192.238
youtube-ui.l.google.com. 300 IN A 172.217.4.78
youtube-ui.l.google.com. 300 IN A 172.217.4.206
youtube-ui.l.google.com. 300 IN A 172.217.4.238
youtube-ui.l.google.com. 300 IN A 172.217.0.14
youtube-ui.l.google.com. 300 IN A 172.217.9.78
youtube-ui.l.google.com. 300 IN A 216.58.192.174
youtube-ui.l.google.com. 300 IN A 172.217.9.46
youtube-ui.l.google.com. 300 IN A 172.217.6.110
youtube-ui.l.google.com. 300 IN A 172.217.4.46
youtube-ui.l.google.com. 300 IN A 172.217.1.46
youtube-ui.l.google.com. 300 IN A 172.217.8.174
youtube-ui.l.google.com. 300 IN A 172.217.8.206

[3]

ping 172.217.5.14
PING 172.217.5.14 (172.217.5.14) 56(84) bytes of data.
64 bytes from 172.217.5.14: icmp_seq=2 ttl=128 time=25.7 ms
64 bytes from 172.217.5.14: icmp_seq=3 ttl=128 time=27.7 ms
64 bytes from 172.217.5.14: icmp_seq=4 ttl=128 time=27.3 ms
64 bytes from 172.217.5.14: icmp_seq=5 ttl=128 time=26.4 ms

[4]

ping 172.217.168.78
PING 172.217.168.78 (172.217.168.78) 56(84) bytes of data.
64 bytes from 172.217.168.78: icmp_seq=1 ttl=128 time=131 ms
64 bytes from 172.217.168.78: icmp_seq=2 ttl=128 time=135 ms
64 bytes from 172.217.168.78: icmp_seq=3 ttl=128 time=133 ms
64 bytes from 172.217.168.78: icmp_seq=4 ttl=128 time=134 ms

[5]
https://doc.powerdns.com/recursor/settings.html#ecs-scope-zero-address
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20190213/e860b2d5/attachment.html>

More information about the Pdns-users mailing list