[Pdns-users] pdns-recursor ecs support config designs

Robby Pedrica rpedrica at gmail.com
Tue Nov 8 06:35:33 UTC 2022

Hi all,

I've searched pdns docs as well as threads here but can find nothing 
about how to deploy ecs or more specifically, under which circumstance 
ecs can be used.

 From what I understand of ecs, the recursor will forward the client's 
IP with the request to the auth (or intermediate) servers so that the 
auth server can respond with a result that is local (if possible) to the 
client. I'm going to assume then that a public address is needed from 
the client as you can't determine location info from an rfc1918 address.

Consider the following setup:

branch1 (client with private address) -> firewall/NAT+VPN (branch) -> 
internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
branch2 (client with private address) -> firewall/NAT+VPN (branch) |

In this scenario, clients at branches have their queries forwarded over 
site-to-site VPN tunnels to the recursor at a head office. The client IP 
the recursor sees is the client's private IP address.

Is there any possibility of getting a design like this to work with ecs? 
If not, any alternatives?


The specific pdns-recursor settings I'm looking at are:


Regards, Robby
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20221108/ad12582b/attachment.htm>

More information about the Pdns-users mailing list