[Pdns-users] pdns-recursor ecs support config designs
rpedrica at gmail.com
Tue Nov 8 09:20:23 UTC 2022
"It is not 100% clear what you are trying to achieve"

We simply want to use ecs to direct endpoints to their nearest pop for CDN
services, specifically Microsoft-related services like Teams, Sharepoint,
The CDN services work correctly when a branch uses the ISP-assigned DNS for
that specific branch/link. But as mentioned, it's difficult to manage these
DNS entries when you have many branches across the world (180 sites with 2
different ISP links at each site). It would be much easier if we had a
central recursor that could use ecs to determine geo-located services for

"As for the recursor: by default private addresses will not be used for
outgoing ECS (as governed by ecs-add-for)."

"If the clients use private addresses from multiple locations via VPNs and
all client traffic goes through the VPN as well, it makes sense for a
recursor to use for an outgoing ECS the public gateway address used by the
VPN clients, as the queries *and* traffic are then coming from the same source.
You can use ecs-scope-zero-address to achieve that."

This is not our scenario but I'll check on the indicated option in any case.

"You might take a look into proxy mapping:"

I'll look into this option.

We will probably look to use an SNAT firewall entry (with a
private-to-public mapping) for our VPN policies to fool the recursor into
thinking the client is coming from a public IP address. This will entail
some work as we'll have to create specific mappings for each branch. But
it's the only option I can see for the moment.

Thank you very much for your replies.
On Tue, 8 Nov 2022 at 09:24, Otto Moerbeek <otto at drijf.net> wrote:
> On Tue, Nov 08, 2022 at 08:35:33AM +0200, Robby Pedrica via Pdns-users
> > Hi all,
> > I've searched pdns docs as well as threads here but can find nothing
> > how to deploy ecs or more specifically, under which circumstance ecs can
> > used.
> > From what I understand of ecs, the recursor will forward the client's IP
> > with the request to the auth (or intermediate) servers so that the auth
> > server can respond with a result that is local (if possible) to the
> > I'm going to assume then that a public address is needed from the client
> > you can't determine location info from an rfc1918 address.
> > Consider the following setup:
> > branch1 (client with private address) -> firewall/NAT+VPN (branch) ->
> > internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
> > branch2 (client with private address) -> firewall/NAT+VPN (branch) |
> > etc.
> > In this scenario, clients at branches have their queries forwarded over
> > site-to-site VPN tunnels to the recursor at a head office. The client IP
> > recursor sees is the client's private IP address.
> > Is there any possibility of getting a design like this to work with ecs?
> > not, any alternatives?
> > Notes:
> > The specific pdns-recursor settings I'm looking at are:
> > edns-subnet-allow-list
> > ecs-add-for
> > use-incoming-edns-subnet
> > Regards, Robby
> It is not 100% clear what you are trying to achieve. But here's some
> general info.
> Auths use incoming ECS data to hand out IPs matched to the query
> source by some rules. The assumption is that the actual (often https)
> traffic comes from the same source.
> As for the recursor: by default private addresses will not be used
> for outgoing ECS (as governed by ecs-add-for).
> If the clients use private addresses from multiple locations via VPNs
> and all client traffic goes through the VPN as well, it makes sense
> for a recursor to use for an outgoing ECS the public gateway address
> used by the VPN clients, as the queries *and* traffic are then coming
> from the same source. You can use ecs-scope-zero-address to achieve that.
> If the actual client traffic goes on the net using a different public
> gateway than used by the recursor, e.g., the public address used by
> the remote office location, you want an outgoing ECS to use that. You
> might take a look into proxy mapping:
> On a general note: only if you observe actual inefficient CDN use I
> would bother with ECS, as it complicates your configuration, makes the
> recursor's cache less efficient, and is not guaranteed to provide
> actual gain.
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedrica at xstore.co.za
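As an added illustration of the proxy-mapping route Otto points to (example config written for this thread, not code from PowerDNS or from either poster), the Lua configuration below maps each branch's private client range to that branch's public egress address so the recursor's outgoing ECS carries the address the branch's traffic really exits from. It assumes a pdns-recursor release with proxy mapping (4.7 or later), the lua-config-file path and the branch subnets, egress addresses and CDN domain are constructed placeholders.

```lua
-- recursor.lua (added example, not from the thread): map each branch's
-- private client range to that branch's public gateway, so the ECS option
-- the recursor adds to outgoing queries carries the address the branch's
-- web traffic actually leaves from, instead of an RFC 1918 address.
--
-- Assumptions: pdns-recursor 4.7+ and, in recursor.conf (paths/names are
-- placeholders):
--   lua-config-file=/etc/powerdns/recursor.lua
--   edns-subnet-allow-list=cdn.example.    (constructed; only these zones get ECS)
--   ecs-add-for left at its default, which excludes private ranges, so a
--   client whose range is NOT mapped below still sends no ECS (as Otto notes).

-- Constructed branch table: private client subnet -> public egress address
-- of that branch's ISP link. 203.0.113.x and 198.51.100.x are documentation
-- ranges standing in for real gateway addresses.
-- ECS carries a single prefix per query, so a site with two ISP links needs
-- one entry per client range that uses each link, or a single chosen egress.
local branches = {
  { subnet = "10.1.0.0/16", egress = "203.0.113.10" },  -- branch1, link A
  { subnet = "10.1.128.0/17", egress = "203.0.113.74" }, -- branch1, link B
  { subnet = "10.2.0.0/16", egress = "198.51.100.20" }, -- branch2
}

for _, b in ipairs(branches) do
  -- Queries arriving from b.subnet over the site-to-site VPN are treated as
  -- coming from b.egress, which gives the auths the geo hint without the
  -- per-branch SNAT rules on the firewall discussed above.
  addProxyMapping(b.subnet, b.egress)
end
```

Check the effect with the recursor's trace or query logging for a name under the allow-listed zone: the outgoing query should carry the mapped egress prefix, and a client outside the mapped ranges should carry none.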