Otto Moerbeek otto at drijf.net
Tue Nov 8 07:24:10 UTC 2022

On Tue, Nov 08, 2022 at 08:35:33AM +0200, Robby Pedrica via Pdns-users wrote:

> Hi all,
> I've searched pdns docs as well as threads here but can find nothing about
> how to deploy ecs or more specifically, under which circumstance ecs can be
> used.
> From what I understand of ecs, the recursor will forward the client's IP
> with the request to the auth (or intermediate) servers so that the auth
> server can respond with a result that is local (if possible) to the client.
> I'm going to assume then that a public address is needed from the client as
> you can't determine location info from an rfc1918 address.
> Consider the following setup:
> branch1 (client with private address) -> firewall/NAT+VPN (branch) ->
> internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
> branch2 (client with private address) -> firewall/NAT+VPN (branch) |
> etc.
> In this scenario, clients at branches have their queries forwarded over
> site-to-site VPN tunnels to the recursor at a head office. The client IP the
> recursor sees is the client's private IP address.
> Is there any possibility of getting a design like this to work with ecs? If
> not, any alternatives?
> Notes:
> The specific pdns-recursor settings I'm looking at are:
> edns-subnet-allow-list
> ecs-add-for
> use-incoming-edns-subnet
> Regards, Robby

It is not 100% clear what you are trying to achieve. But here's some
general info.

Auths use incoming ECS data to hand out IPs matched to the query
source by some rules. The assumption is that the actual (often https)
traffic comes from the same source.

As for the recursor: by default private addresses will not be used
for outgoing ECS (as governed by ecs-add-for).

If the clients use private addresses from multiple locations via VPNs
and all client traffic goes through the VPN as well, it makes sense
for a recursor to use for an outgoing ECS the public gateway address
used by the VPN clients, as the queries *and* traffic are then coming
from the same source.  You can use ecs-scope-zero-address to achieve that.

If the actual client traffic goes on the net using a different public
gateway than used by the recursor, e.g., the public address used by
the remote office location, you want an outgoing ECS to use that. You
might take a look into proxy mapping:


On a general note: only if you observe actual inefficient CDN use I
would bother with ECS, as it complicates your configuration, makes the
recursor's cache less efficient, and is not guaranteed to provide
actual gain.
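To make the ECS behaviour discussed above concrete, here is an added model (not PowerDNS code) of how the recursor picks the outgoing ECS prefix: a requestor matching ecs-add-for has its own address sent, truncated to the ecs-ipv4-bits/ecs-ipv6-bits defaults of 24/56; anything else falls back to ecs-scope-zero-address. Proxy mapping is modelled in simplified form as a client-subnet-to-public-address table, all addresses are constructed from documentation ranges, and the model requires ecs-scope-zero-address explicitly (the real recursor derives a default when it is unset).

```python
"""Model of the PowerDNS Recursor's outgoing ECS choice (added illustration,
not recursor code). Semantics follow the documented settings as understood
here: ecs-add-for, ecs-scope-zero-address, ecs-ipv4-bits, ecs-ipv6-bits."""
import ipaddress
from typing import Dict, Optional, Sequence

# Documented default of ecs-add-for: all addresses except RFC 1918 and other
# non-routable space. "!" negates an entry; the longest matching entry wins.
DEFAULT_ECS_ADD_FOR = (
    "0.0.0.0/0", "::/0", "!127.0.0.0/8", "!10.0.0.0/8", "!100.64.0.0/10",
    "!169.254.0.0/16", "!192.168.0.0/16", "!172.16.0.0/12",
    "!::1/128", "!fc00::/7", "!fe80::/10",
)


def ecs_add_for_matches(client: str, entries: Sequence[str] = DEFAULT_ECS_ADD_FOR) -> bool:
    """Longest-prefix match over a netmask list with '!' negation (assumed semantics)."""
    addr = ipaddress.ip_address(client)
    best = None  # (network, negated) of the most specific matching entry
    for raw in entries:
        negated = raw.startswith("!")
        net = ipaddress.ip_network(raw.lstrip("!"))
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, negated)
    return best is not None and not best[1]


def outgoing_ecs(client: str, scope_zero_address: str,
                 proxy_mapping: Optional[Dict[str, str]] = None,
                 ecs_add_for: Sequence[str] = DEFAULT_ECS_ADD_FOR,
                 ipv4_bits: int = 24, ipv6_bits: int = 56) -> str:
    """Return the ECS prefix (as a string) the recursor would send upstream."""
    addr = ipaddress.ip_address(client)
    # Simplified proxy mapping: treat a branch's clients as coming from the
    # branch's own public gateway before the ecs-add-for decision is made.
    for subnet, public in (proxy_mapping or {}).items():
        net = ipaddress.ip_network(subnet)
        if addr.version == net.version and addr in net:
            addr = ipaddress.ip_address(public)
            break
    if not ecs_add_for_matches(str(addr), ecs_add_for):
        # Private or excluded requestor: the scope-zero address is sent instead,
        # e.g. the head-office gateway the VPN clients also use for traffic.
        addr = ipaddress.ip_address(scope_zero_address)
    bits = ipv4_bits if addr.version == 4 else ipv6_bits
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


if __name__ == "__main__":
    # Constructed scenario from the thread: head office gateway 203.0.113.7,
    # branch2 with its own gateway 198.51.100.9, clients on RFC 1918 space.
    print(outgoing_ecs("10.1.1.50", "203.0.113.7"))
    print(outgoing_ecs("10.2.0.20", "203.0.113.7", {"10.2.0.0/16": "198.51.100.9"}))
```

Run against the constructed scenario, the branch1 client yields the head-office /24 while the proxy-mapped branch2 client yields its own gateway's /24, which is the distinction the reply draws between ecs-scope-zero-address and proxy mapping.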