[Pdns-users] Geo DNS - Apex Alias (not resolving)

Anthony Turner tony.turner at nodemax.com
Wed Jun 16 17:45:20 UTC 2021


Hi Brian,

Thanks for your reply. I'm still a bit stumped; those long nights and a bit of a
lack of understanding on my part as to the "why" mean I can't get it to work.

The geo.hotchilli.co.uk resolves as geoip from France, US, UK, Germany,
Canada etc. very slickly, but I am stumped on the ALIAS for the apex domain
hotchilli.co.uk.

I have split the recursor onto another host and set on the auth server to:

resolver=46.17.216.219:5300
expand-alias=yes
edns-subnet-processing=yes

The recursor has this, which I'm pretty sure is far too much, and of course some
of it I don't understand:

allow-from=46.17.216.218, 46.17.217.219, 46.17.216.0/21, 127.0.0.1, 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
config-dir=/etc/powerdns
ecs-add-for=0.0.0.0/0, ::/0, !46.17.216.218/32, !46.17.217.219/32, !46.17.216.219/32, !127.0.0.0/8, !10.0.0.0/8, !100.64.0.0/10, !169.254.0.0/16, !192.168.0.0/16, !172.16.0.0/12, !::1/128, !fc00::/7, !fe80::/10
ecs-cache-limit-ttl=0
ecs-ipv4-bits=24
ecs-ipv4-cache-bits=24
ecs-ipv6-bits=56
ecs-ipv6-cache-bits=56
edns-subnet-whitelist= 0.0.0.0/0, ::
gettag-needs-edns-options=yes
use-incoming-edns-subnet=yes
hint-file=/usr/share/dns/root.hints
include-dir=/etc/powerdns/recursor.d
local-address=46.17.216.219
local-port=5300
lua-config-file=/etc/powerdns/recursor.lua
quiet=yes
setgid=pdns
setuid=pdns
loglevel=9
logging-facility=0
trace=on

No idea why, when the auth server sends a request to the recursor, I see
(Adding EDNS Client Subnet Mask 127.0.0.1/32 to query). I was hoping for the
IP of all the clients, which the auth server must be getting.

Jun 16 18:04:33 dnsr0-hot pdns_recursor[77524]: [136] geo.hotchilli.co.uk: Trying IP 46.17.216.218:53, asking 'geo.hotchilli.co.uk|A'
Jun 16 18:04:33 dnsr0-hot pdns_recursor[77524]: [136] geo.hotchilli.co.uk: Adding EDNS Client Subnet Mask 127.0.0.1/32 to query
Jun 16 18:04:33 dnsr0-hot pdns_recursor[77524]: [136] geo.hotchilli.co.uk: Received EDNS Client Subnet Mask 127.0.0.0/21 on response

It also appears to be cached, which is OK if it caches based on subnet:

Jun 16 18:25:34 dnsr0-hot pdns_recursor[78388]: [3] geo.hotchilli.co.uk: Found cache hit for A: 46.17.220.152[ttl=56]

With the subnet of 127.0.0.1/32, all countries return 46.17.220.152, of
course.

So what does work perfectly is:

dnsdist -----> auth resolving geoip for geo.hotchilli.co.uk, so the subnet
passes from dnsdist to auth.

Now either the client subnet doesn't pass from auth directly to the
recursor, or my recursor has the wrong config. I am going to assume for a
minute it's my recursor config, as there is so little config on the auth
server (3 lines).

Please can I ask on this list what the minimum config on the recursor is for
the ALIAS to resolve based on the client subnet which is passed from the
auth server?

Many Thanks

Tony Turner

On Mon, Jun 14, 2021 at 9:21 AM Brian Candler <b.candler at pobox.com> wrote:

> $ dig +short @dns0.hotchilli.uk. geo.hotchilli.co.uk. a
> 46.17.220.152
> $ dig +short @dns0.hotchilli.uk. hotchilli.co.uk. a
> 10.0.2.18
>
> I see that's the response you configured for "unknown.geo.hotchilli.co.uk"
>
> I'd be inclined to use tcpdump to look at queries from dist to auth,
> auth to recursor, and recursor to auth - and check the flow of packets
> when you send an external query for "hotchilli.co.uk". My guess is that
> the source subnet of the original query isn't propagating all the way
> through, and maybe you can identify at which step it's lost.
>
> I do wonder if there's a better way; perhaps dnsdist itself could map
> hotchilli.co.uk to geo.hotchilli.co.uk? But I don't use dnsdist myself.
>
>
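An added diagnostic example, not code from this thread or from PowerDNS: the script below builds a DNS query carrying an EDNS Client Subnet option (RFC 7871), sends it to a resolver and decodes the ECS option the resolver returns. Run from the auth host against the recursor at 46.17.216.219:5300 with a subnet that is not the auth server's own address, it shows directly whether a forwarded subnet is honoured (an echoed option with scope > 0 and a tailored answer) or ignored (scope 0, or no ECS option at all), without relying on the loglevel 9 trace. The test subnet 203.0.113.0/24 and the file name ecs_probe.py are made-up placeholders; only the Python standard library is used.

```python
import ipaddress
import os
import socket
import struct
import sys

ECS_OPTION_CODE = 8   # EDNS option code for Client Subnet (RFC 7871)
OPT_TYPE = 41         # OPT pseudo-RR type


def encode_name(name):
    """Wire-encode a domain name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ecs_option(subnet, scope_bits=0):
    """Encode one ECS option: family, source prefix, scope prefix, truncated address."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr_len = (net.prefixlen + 7) // 8          # only the significant octets are sent
    addr = net.network_address.packed[:addr_len]
    body = struct.pack("!HBB", family, net.prefixlen, scope_bits) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_opt_rr(options, udp_size=1232):
    """OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(options)) + options


def build_query(qname, subnet, qid=0x1234, qtype=1):
    """A (or other qtype) query with RD set and an ECS option in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + build_opt_rr(build_ecs_option(subnet))


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_ecs(msg):
    """Return the ECS option found in the OPT RR of a DNS message, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):             # walk the EDNS options inside the OPT RR
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + length]
            pos += 4 + length
            if code == ECS_OPTION_CODE:
                family, source_bits, scope_bits = struct.unpack("!HBB", body[:4])
                addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                return {"family": family, "source_bits": source_bits,
                        "scope_bits": scope_bits, "address": str(ipaddress.ip_address(addr))}
    return None


def probe(server, port, qname, subnet, timeout=3.0):
    """Send the ECS query over UDP and return the ECS option the resolver echoes back."""
    qid = int.from_bytes(os.urandom(2), "big")
    query = build_query(qname, subnet, qid=qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("response ID does not match query ID")
    return parse_ecs(reply)


if __name__ == "__main__":
    # Placeholder usage: python3 ecs_probe.py 46.17.216.219 5300 geo.hotchilli.co.uk 203.0.113.0/24
    server, port, qname, subnet = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    ecs = probe(server, port, qname, subnet)
    if ecs is None:
        print("no ECS option in response: the resolver did not honour the client subnet")
    else:
        print("echoed %s/%d scope %d" % (ecs["address"], ecs["source_bits"], ecs["scope_bits"]))
        print("answer is " + ("subnet-tailored" if ecs["scope_bits"] > 0 else "the same for every subnet"))
```

Comparing the answer returned for two different test subnets (one expected to map to a GeoIP region, one not) tells you whether the recursor and, behind it, the auth server are actually branching on the subnet; if the recursor returns the same address and scope 0 whatever subnet is sent, the subnet is being replaced or dropped on that hop rather than at dnsdist.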