[Pdns-users] ECS not using proxied client IP?

Nejedlo, Mark Mark.Nejedlo at tdstelecom.com
Fri Apr 16 22:37:46 UTC 2021


One of the suggestions I was given last week for improving PowerDNS performance was to use the proxy protocol available in pdns_recursor 4.4 when passing traffic between dnsdist and pdns_recursor.  I've finally gotten a chance to test this setup, but I'm having a problem with getting the recursor to use the proxied client IP for ECS.  Recursor.conf at the end.

If I configure pdns_recursor to listen on the public IP/port 53, I see pdns_recursor adding ECS with the client subnet/24 set correctly.

If I configure pdns_recursor to listen on the loopback/port 5353, with dnsdist in front (sending proxied requests, proxying verified by Wireshark), pdns_recursor adds ECS using the scope zero IP instead of the client subnet.

Using the same dnsdist/pdns_recursor setup as the previous, but with "ecs-add-for=0.0.0.0/0, ::/0" added to the configuration,  I see ECS with ::/56 as the client subnet.  Since dnsdist is using "newServer({address='[::1]:5353', useProxyProtocol=true, sockets=12})", this suggests that pdns_recursor is ignoring the client IP that was proxied, and using the client IP from the UDP connection instead.

I did try 4.5beta2 as well, but the behavior didn't change.

Have I missed some setting for telling pdns_recursor to use the proxied client IP in ECS?  Is this a bug?

Thanks,
Mark


/etc/pdns-recursor/recursor.conf
----------
setgid=pdns-recursor
setuid=pdns-recursor
version-string=anonymous
threads=10
pdns-distributes-queries=yes
distributor-threads=1
distribution-load-factor=1.25
query-local-address=184.60.111.107, 2600:3402:400:2:250:56ff:feb8:7de5

allow-from=0.0.0.0/0, ::/0
proxy-protocol-from=127.0.0.1/8, ::1/128
edns-subnet-whitelist=tds.net

#local-port=5353
local-port=53
#local-address=127.0.0.1,::1
local-address=184.60.111.107, 2600:3402:400:2:250:56ff:feb8:7de5
lua-dns-script=/etc/pdns-recursor/recursor-script.lua

--
XML combines the efficiency of text files with the readability of binary files
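As an added illustration (not code from the post, dnsdist or PowerDNS), here is a Python sketch of what the recursor is expected to do with the PROXY protocol v2 header that dnsdist prepends when useProxyProtocol=true: read the proxied source address and derive the ECS source prefix from it, using the recursor's default /24 (IPv4) and /56 (IPv6) prefix lengths. The client address 203.0.113.45 and the ports are constructed sample values; ecs_for_datagram returns the prefix the proxied address yields next to the one the raw UDP peer yields, which is how a peer of ::1 ends up as the ::/56 seen in the post.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
# PowerDNS recursor defaults for the ECS source prefix length (ecs-ipv4-bits / ecs-ipv6-bits)
ECS_IPV4_BITS = 24
ECS_IPV6_BITS = 56

def build_proxy_v2_header(src, dst, src_port, dst_port):
    """Build a PROXY protocol v2 header for one UDP datagram (what dnsdist sends to the backend)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip.version != dst_ip.version:
        raise ValueError("source and destination must share an address family")
    fam_transport = 0x12 if src_ip.version == 4 else 0x22  # AF_INET/AF_INET6 (high nibble) + DGRAM (low)
    addrs = src_ip.packed + dst_ip.packed + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + bytes([0x21, fam_transport]) + struct.pack("!H", len(addrs)) + addrs

def parse_proxy_v2_header(datagram):
    """Return (proxied source address, DNS payload); source is None when no usable header is present."""
    if not datagram.startswith(PP2_SIGNATURE) or len(datagram) < 16:
        return None, datagram
    ver_cmd, fam, length = struct.unpack("!BBH", datagram[12:16])
    if ver_cmd >> 4 != 2 or len(datagram) < 16 + length:
        raise ValueError("malformed PROXY v2 header")
    body, payload = datagram[16:16 + length], datagram[16 + length:]
    if ver_cmd & 0x0F == 0:  # LOCAL command: the proxy adds no client address, keep the socket peer
        return None, payload
    family = fam >> 4
    if family == 0x1:
        src = ipaddress.IPv4Address(body[0:4])   # src addr(4) dst addr(4) src port(2) dst port(2)
    elif family == 0x2:
        src = ipaddress.IPv6Address(body[0:16])  # src addr(16) dst addr(16) src port(2) dst port(2)
    else:
        return None, payload
    return src, payload

def ecs_subnet(client_ip):
    """Truncate a client address to the ECS source prefix the recursor would send upstream."""
    ip = ipaddress.ip_address(client_ip)
    bits = ECS_IPV4_BITS if ip.version == 4 else ECS_IPV6_BITS
    return ipaddress.ip_network((ip, bits), strict=False)

def ecs_for_datagram(datagram, socket_peer):
    """(ECS prefix if the proxied address is honoured, ECS prefix if only the UDP peer is used)."""
    proxied, _ = parse_proxy_v2_header(datagram)
    return ecs_subnet(proxied if proxied is not None else socket_peer), ecs_subnet(socket_peer)
```

The second element of the tuple is the behaviour the post observes; the first is what the proxy-protocol-from setting is meant to enable.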
