[Pdns-users] pdns-recursor ecs support config designs
Robby Pedrica
rpedrica at gmail.com
Tue Nov 8 06:35:33 UTC 2022
Hi all,
I've searched pdns docs as well as threads here but can find nothing
about how to deploy ecs or more specifically, under which circumstances
ecs can be used.
From what I understand of ecs, the recursor will forward the client's
IP with the request to the auth (or intermediate) servers so that the
auth server can respond with a result that is local (if possible) to the
client. I'm going to assume then that a public address is needed from
the client as you can't determine location info from an rfc1918 address.
Consider the following setup:
branch1 (client with private address) -> firewall/NAT+VPN (branch) ->
internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
branch2 (client with private address) -> firewall/NAT+VPN (branch) |
etc.
In this scenario, clients at branches have their queries forwarded over
site-to-site VPN tunnels to the recursor at a head office. The client IP
the recursor sees is the client's private IP address.
Is there any possibility of getting a design like this to work with ecs?
If not, any alternatives?
Notes:
The specific pdns-recursor settings I'm looking at are:
edns-subnet-allow-list
ecs-add-for
use-incoming-edns-subnet
Regards, Robby
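
Added example, not part of the original post and not PowerDNS code: the EDNS Client Subnet option as RFC 7871 encodes it, built from the source address a resolver sees, to show which subnet an authoritative server would receive for the branch clients in the setup above. The function names, the /24 and /56 source prefix lengths and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 option code for Client Subnet (RFC 7871)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(client_ip):
    """True if the address is private IPv4 space and carries no location."""
    addr = ipaddress.ip_address(client_ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)

def build_ecs_option(client_ip, v4_prefix=24, v6_prefix=56):
    """Encode OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE/SCOPE PREFIX-LENGTH, ADDRESS."""
    addr = ipaddress.ip_address(client_ip)
    family, prefix = (1, v4_prefix) if addr.version == 4 else (2, v6_prefix)
    # Host bits beyond the source prefix are zeroed, then the address is
    # truncated to the fewest bytes that hold the prefix.
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    address = net.network_address.packed[:(prefix + 7) // 8]
    body = struct.pack("!HBB", family, prefix, 0) + address  # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def parse_ecs_option(option):
    """Decode an ECS option into ("subnet/prefix", scope_prefix_length)."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    if family not in (1, 2):
        raise ValueError("unknown address family")
    packed = option[8:].ljust(4 if family == 1 else 16, b"\x00")
    return f"{ipaddress.ip_address(packed)}/{source}", scope

if __name__ == "__main__":
    # Constructed sample sources: two branch clients seen over the VPN and
    # one documentation-range address standing in for a public client.
    for ip in ("10.20.30.40", "192.168.5.9", "203.0.113.77"):
        subnet, _ = parse_ecs_option(build_ecs_option(ip))
        note = "private, no location information" if is_rfc1918(ip) else "routable"
        print(f"{ip:>14} -> ECS {subnet:<18} ({note})")
```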