[Pdns-users] EDNS between DNSDist and PowerDNS Auth

Kilian Ries mail at kilian-ries.de
Mon Dec 14 15:23:00 UTC 2020


i'm running a dnsdist loadbalancer with multiple powerdns auth upstream backends. I use the gmysql backend with "allow-axfr" per domain base via domainmetadata table in mysql. This does work when clients ask directly to pdns but not with dnsdist in front of pdns because the real client IP is not transmitted correct / real IP is lost.

I know that dnsdist does support proxy_protocol but pdns auth is not quite ready for it: https://github.com/PowerDNS/pdns/issues/8403

Now i'm trying to provide the correct client IP via EDNS header form dnsdist -> pdns backends. DNSDist config is already updated and via tcpdump i can see the correct header is set:



newServer({address="", order=1, name="dns1", checkName="example.com", useClientSubnet=true })


dig cmd (set client subnet header)


dig example.com @dns1 AXFR +subnet=




mysql> select * from domainmetadata where domain_id='3';


| id       | domain_id | kind            | content        |


| 100 |   3 | ALLOW-AXFR-FROM |  |


EDNS subnet processing is activated in pdns auth:





But it seems that pdns is not processing the EDNS header correct because i always get "Transfer failed." as response. If i ask directly to pdns auth (not via dnsdist) the transfer works as expected.

Is there anything i made wrong in my config? Or does the gmysql backend not support EDNS subnet processing? If not, would it be possible to do a lua script check in dnsdist for lookup the allow-axfr IPs from the mysql database?

Looks like it will take another few month till proxy_protocol support is ready ...




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20201214/83fe5980/attachment.htm>

More information about the Pdns-users mailing list