[Pdns-users] pdns-recursor ecs support config designs

Robby Pedrica rpedrica at gmail.com
Tue Nov 8 09:20:23 UTC 2022


Thanks Otto,

" It is not 100% clear what you are trying to achieve"

We simply want to use ecs to direct endpoints to their nearest pop for CDN
services, specifically Microsoft-related services like Teams, Sharepoint,
etc.

The CDN services work correctly when a branch uses the ISP-assigned DNS for
that specific branch/link. But as mentioned, it's difficult to manage these
DNS entries when you have many branches across the world (180 sites with 2
different ISP links at each site). It would be much easier if we had a
central recursor that could use ecs to determine geo-located services for
each branch.

" As for the recursor: by default private addresses will not be used for
outgoing ECS (as governed by ecs-add-for). "

Understood.

" If the clients use private addresses from multiple locations via VPNs and
all client traffic goes through the VPN as well, it makes sense for a
recursor to use for an outgoing ECS the public gateway address used by the
VPN clients, as the queries *and* traffic are then coming from the same source.
You can use ecs-scope-zero-address to achieve that. "

This is not our scenario but I'll check on the indicated option in any case.

" You might take a look into proxy mapping: "

I'll look into this option.

We will probably look to use an SNAT firewall entry (with a
private-to-public mapping) for our VPN policies to fool the recursor into
thinking the client is coming from a public IP address. This will entail
some work as we'll have to create specific mappings for each branch. But
it's the only option I can see for the moment.

Thank you very much for your replies.

Regards, Robby
On Tue, 8 Nov 2022 at 09:24, Otto Moerbeek <otto at drijf.net> wrote:

> On Tue, Nov 08, 2022 at 08:35:33AM +0200, Robby Pedrica via Pdns-users
> wrote:
>
> > Hi all,
> >
> > I've searched pdns docs as well as threads here but can find nothing
> about
> > how to deploy ecs or more specifically, under which circumstance ecs can
> be
> > used.
> >
> > From what I understand of ecs, the recursor will forward the client's IP
> > with the request to the auth (or intermediate) servers so that the auth
> > server can respond with a result that is local (if possible) to the
> client.
> > I'm going to assume then that a public address is needed from the client
> as
> > you can't determine location info from an rfc1918 address.
> >
> > Consider the following setup:
> >
> > branch1 (client with private address) -> firewall/NAT+VPN (branch) ->
> > internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
> > branch2 (client with private address) -> firewall/NAT+VPN (branch) |
> > etc.
> >
> > In this scenario, clients at branches have their queries forwarded over
> > site-to-site VPN tunnels to the recursor at a head office. The client IP
> the
> > recursor sees is the client's private IP address.
> >
> > Is there any possibility of getting a design like this to work with ecs?
> If
> > not, any alternatives?
> >
> > Notes:
> >
> > The specific pdns-recursor settings I'm looking at are:
> >
> > edns-subnet-allow-list
> > ecs-add-for
> > use-incoming-edns-subnet
> >
> > Regards, Robby
>
> It is not 100% clear what you are trying to achieve. But here's some
> general info.
>
> Auths use incoming ECS data to hand out IPs matched to the query
> source by some rules. The assumption is that the actual (often https)
> traffic comes from the same source.
>
> As for the recursor: by default private addresses will not be used
> for outgoing ECS (as governed by ecs-add-for).
>
> If the clients use private addresses from multiple locations via VPNs
> and all client traffic goes through the VPN as well, it makes sense
> for a recursor to use for an outgoing ECS the public gateway address
> used by the VPN clients, as the queries *and* traffic are then coming
> from the same source.  You can use ecs-scope-zero-address to achieve that.
>
> If the actual client traffic goes on the net using a different public
> gateway than used by the recursor, e.g., the public address used by
> the remote office location, you want an outgoing ECS to use that. You
> might take a look into proxy mapping:
>
> https://docs.powerdns.com/recursor/lua-config/proxymapping.html
>
> On a general note: only if you observe actual inefficient CDN use I
> would bother with ECS, as it complicates your configuration, makes the
> recursor's cache less efficient, and is not guaranteed to provide
> actual gain.
>
>         -Otto
>
>

-- 
Robby Pedrica
XStore
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedrica at xstore.co.za
w: http://wwww.xstore.co.za/
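The three options discussed in this thread (ecs-add-for, ecs-scope-zero-address and proxy mapping) interact in a way that is easier to see in a small model than in prose. The following Python script is an added example, not code from PowerDNS or from either poster: it models which source prefix a recursor would put in the outgoing ECS option for each of the thread's cases, using the documented default ecs-add-for list (public addresses only, private ranges negated with "!"). Assumptions of the model: a negated entry beats a positive one by longest prefix; the ecs-scope-zero-address is truncated to ecs-ipv4-bits/ecs-ipv6-bits like any other source; the branch table and all addresses are constructed, and the addProxyMapping() lines it renders follow the proxy-mapping documentation Otto linked, so check them against the recursor version you run.

```python
"""Model of a recursor's outgoing-ECS choice for the branch-VPN design in the thread.

Constructed example: a head-office recursor sees branch clients with RFC 1918
addresses; per-branch proxy mappings substitute each branch's public gateway.
"""
import ipaddress

# pdns-recursor's documented default for ecs-add-for: everything public, with
# loopback, private, CGNAT and link-local ranges negated by a leading '!'.
DEFAULT_ECS_ADD_FOR = [
    "0.0.0.0/0", "::/0",
    "!127.0.0.0/8", "!10.0.0.0/8", "!100.64.0.0/10", "!169.254.0.0/16",
    "!192.168.0.0/16", "!172.16.0.0/12", "!::1/128", "!fc00::/7", "!fe80::/10",
]


def _parse_group(entries):
    """Turn ['0.0.0.0/0', '!10.0.0.0/8'] into [(network, allowed)] pairs."""
    return [(ipaddress.ip_network(e.lstrip("!"), strict=False), not e.startswith("!"))
            for e in entries]


def netmask_group_match(ip, entries):
    """Longest-prefix match; the sign of the winning entry decides.
    (Assumption of this model, patterned on the recursor's NetmaskGroup.)"""
    best = None
    for net, allowed in _parse_group(entries):
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, allowed)
    return best is not None and best[1]


def apply_proxy_mapping(ip, proxy_map):
    """proxy_map: {'10.1.0.0/16': '198.51.100.10', ...}; longest prefix wins.
    Returns the substituted address, or the original if nothing matches."""
    best = None
    for subnet, mapped in (proxy_map or {}).items():
        net = ipaddress.ip_network(subnet, strict=False)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ipaddress.ip_address(mapped))
    return best[1] if best else ip


def outgoing_ecs(client_ip, ecs_add_for=DEFAULT_ECS_ADD_FOR, scope_zero_address=None,
                 proxy_map=None, ipv4_bits=24, ipv6_bits=56):
    """Return (source_prefix, source_prefix_length) the recursor would send to an
    auth listed in edns-subnet-allow-list. Proxy mapping is applied first, then
    ecs-add-for decides whether the (mapped) client address may be used; if not,
    ecs-scope-zero-address is used when set, otherwise a scope-zero 0.0.0.0/0 or ::/0."""
    ip = apply_proxy_mapping(ipaddress.ip_address(client_ip), proxy_map)
    bits = ipv4_bits if ip.version == 4 else ipv6_bits
    if netmask_group_match(ip, ecs_add_for):
        net = ipaddress.ip_network((str(ip), bits), strict=False)
        return str(net.network_address), bits
    if scope_zero_address:
        # Model assumption: the fallback address is truncated like any other source.
        net = ipaddress.ip_network((scope_zero_address, bits), strict=False)
        return str(net.network_address), bits
    return ("0.0.0.0" if ip.version == 4 else "::"), 0


def lua_proxy_mappings(proxy_map):
    """Render the per-branch table as addProxyMapping() lines for the recursor's
    Lua configuration file (function name per the linked proxy-mapping docs)."""
    return "\n".join(f'addProxyMapping("{subnet}", "{public}")'
                     for subnet, public in proxy_map.items())


# Constructed branch table: VPN-side private range -> that branch's public gateway.
BRANCHES = {"10.1.0.0/16": "198.51.100.10", "10.2.0.0/16": "203.0.113.20"}

if __name__ == "__main__":
    for client in ("10.1.2.3", "10.2.7.7", "192.0.2.77", "fd00::1"):
        print(client, "no mapping:", outgoing_ecs(client),
              "mapped:", outgoing_ecs(client, proxy_map=BRANCHES))
    print(lua_proxy_mappings(BRANCHES))
```

Running it shows the three outcomes side by side: an unmapped 10.x client yields a scope-zero 0.0.0.0/0, setting ecs-scope-zero-address yields one fixed public prefix for every branch (correct only when all branch traffic exits through the head office), and a proxy mapping yields each branch's own /24, which is what the CDN needs to pick a nearby PoP. The same table that drives the model also renders the per-branch addProxyMapping() lines, so the 180-site list can be generated rather than hand-maintained.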