[Pdns-users] ECS not using proxied client IP?

Nejedlo, Mark Mark.Nejedlo at tdstelecom.com
Fri Apr 16 22:37:46 UTC 2021

On of the suggestions I was given last week for improving PowerDNS performance was to use the proxy protocol available in pdns_recursor 4.4 when passing traffic between dnsdist and pdns_recursor.  I've finally gotten a chance to test this setup, but I'm having a problem with getting the recursor to use the proxied client IP for ECS.  Recursor.conf at the end.

If I configure pdns_recursor to listen on the public IP/port 53, I see pdns_recursor adding ECS with the client subnet/24 set correctly.

If I configure pdns_recursor to listen on the loopback/port 5353, with dnsdist in front (sending proxied requests, proxying verified by Wireshark), pdns_recursor adds ECS using the scope zero IP instead of the client subnet.

Using the same dnsdist/pdns_recursor setup as the previous, but with "ecs-add-for=, ::/0" added to the configuration,  I see ECS with ::/56 as the client subnet.  Since dnsdist is using "newServer({address='[::1]:5353', useProxyProtocol=true, sockets=12})", this suggests that pdns_recursor is ignoring the client IP that was proxied, and using the client IP from the UDP connection instead.

I did try 4.5beta2 as well, but the behavior didn't change.

Have I missed some setting for telling pdns_recursor to use the proxied client IP in ECS?  Is this a bug?


query-local-address=, 2600:3402:400:2:250:56ff:feb8:7de5

allow-from=, ::/0
proxy-protocol-from=, ::1/128

local-address=, 2600:3402:400:2:250:56ff:feb8:7de5

XML combines the efficiency of text files with the readability of binary files

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20210416/d9d440b0/attachment.htm>

More information about the Pdns-users mailing list