[Pdns-users] Proxy mapped address used for allow-from
Robby Pedrica
rpedrica at gmail.com
Fri Jan 20 19:13:48 UTC 2023
On Fri, 20 Jan 2023 at 17:58, Otto Moerbeek <otto at drijf.net> wrote:
> Please show your full configuration, including versions etc. Also, it
> is not clear which product you are using.
>
> The recursor docs say:
>
> "Note that once a Proxy Protocol header has been received, the source
> address from the proxy header instead of the address of the proxy will
> be checked against the allow-from ACL."
>
> https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
>
> -Otto
>
> On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users wrote:
> > Hi all,
> >
> > I'm not sure if this is a change in behaviour or I simply haven't noticed
> > this before but after upgrading my docker image today, I've seen queries
> > being dropped due to the mapped address in my proxy mappings being used for
> > allow-from rather than the src/original address. I use a private-public
> > address mapping in the proxy maps because I use the mapped public IP as
> > part of ecs/edns.
> >
> > I've now set:
> >
> > proxy-protocol-from=<mapped ip> (or should this be the src IP?)
> >
> > but this doesn't appear to have changed anything and queries are still
> > being dropped.
> >
> > Can anyone advise where I'm going wrong? I don't mind putting the mapped
> > (public) IP in allow-from but would prefer not to do it if not required.
> >
> > Regards
> >
> > --
> > Robby Pedrica
> >
> > c: +27 82 416 8696
Thanks Otto,
(apologies for the wrong addressing)
I agree on the docs, but then the actual operation/result is not
consistent unless I'm misunderstanding the operation or purpose of
proxy-protocol-from.
/Product:/
pdns-recursor
/Version:/
4.8.1 (or docker image:latest)
/Full recursor.conf:/
allow-from=<private subnet 1>, <private subnet 2>
edns-subnet-allow-list=0.0.0.0/0
use-incoming-edns-subnet=yes
proxy-protocol-from=x.x.x.x (public address from proxy mapping)
api-key=xxxx
#config-dir=/usr/etc
daemon=no
#disable-syslog=no
edns-subnet-allow-list=0.0.0.0/0
etc-hosts-file=/etc/hosts
# export-etc-hosts=off
#local-address=
local-port=53
loglevel=6
log-common-errors=yes
# max-cache-entries=1000000
# max-concurrent-requests-per-tcp-connection=10
max-tcp-clients=128
# max-tcp-per-client=0
# max-tcp-queries-per-connection=0
# network-timeout=1500
new-domain-log=yes
quiet=no
threads=2
use-incoming-edns-subnet=yes
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
webserver-loglevel=none
webserver-password=xxxxx
write-pid=yes
hint-file=/etc/named.root.txt
log-common-errors=no
lua-config-file=/etc/proxy-map.lua
max-busy-dot-probes=50
proxy-protocol-from=<mapped public IP 1>, <mapped public IP 2>
/Contents of /etc/proxy-map.lua:/
protobufServer("syslog-ip:port")
addProxyMapping("private subnet 1", "mapped public IP 1")
addProxyMapping("private subnet 2", "mapped public IP 2")
/Logs from docker:/
recursor_1 | Jan 20 18:45:57 PowerDNS Recursor 0.0.0.0.HEAD.gHEAD (C)
2001-2022 PowerDNS.COM BV
recursor_1 | Jan 20 18:45:57 Using 64-bits mode. Built using gcc 10.2.1
20210110 on Jan 20 2023 12:15:50 by root at localhost.
recursor_1 | Jan 20 18:45:57 PowerDNS comes with ABSOLUTELY NO
WARRANTY. This is free software, and you are welcome to redistribute it
according to the terms of the GPL version 2.
recursor_1 | Jan 20 18:45:57 msg="If using IPv6, please raise sysctl
net.ipv6.route.max_size to a size >= 16384" subsystem="config" level="0"
prio="Error" tid="0" ts="1674240357.631" current="4096"
recursor_1 | Jan 20 18:45:57 msg="Enabling IPv4 transport for outgoing
queries" subsystem="config" level="0" prio="Notice" tid="0"
ts="1674240357.631"
recursor_1 | Jan 20 18:45:57 msg="NOT using IPv6 for outgoing queries -
add an IPv6 address (like '::') to query-local-address to enable"
subsystem="config" level="0" prio="Warning" tid="0" ts="1674240357.631"
recursor_1 | Jan 20 18:45:57 msg="Setting access control"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.631"
acl="allow-from" addresses="<private subnets>"
recursor_1 | Jan 20 18:45:57 msg="Will not send queries to"
subsystem="config" level="0" prio="Notice" tid="0" ts="1674240357.635"
addresses="127.0.0.0/8 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16
192.168.0.0/16 172.16.0.0/12 ::1/128 fc00::/7 fe80::/10 0.0.0.0/8
192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4
::/96 ::ffff:0:0/96 100::/64 2001:db8::/32 0.0.0.0 ::"
recursor_1 | Jan 20 18:45:57 msg="PowerDNS Recursor itself will
distribute queries over threads" subsystem="config" level="0"
prio="Notice" tid="0" ts="1674240357.635"
recursor_1 | Jan 20 18:45:57 msg="Inserting rfc 1918 private space
zones" subsystem="config" level="0" prio="Notice" tid="0"
ts="1674240357.635"
recursor_1 | Jan 20 18:45:57 msg="Listening for queries"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.636"
address="0.0.0.0" proto="UDP"
recursor_1 | Jan 20 18:45:57 msg="Listening for queries"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.636"
address="::" proto="UDP"
recursor_1 | Jan 20 18:45:57 msg="Enabled TCP data-ready filter for
(slight) DoS protection" subsystem="config" level="0" prio="Info"
tid="0" ts="1674240357.636"
recursor_1 | Jan 20 18:45:57 msg="Listening for queries"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.636"
address="0.0.0.0" protocol="TCP"
recursor_1 | Jan 20 18:45:57 msg="Listening for queries"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.636"
address="::" protocol="TCP"
recursor_1 | Jan 20 18:45:57 msg="Launching distributor threads"
subsystem="config" level="0" prio="Notice" tid="0" ts="1674240357.637"
count="1"
recursor_1 | Jan 20 18:45:57 msg="Launching worker threads"
subsystem="config" level="0" prio="Notice" tid="0" ts="1674240357.637"
count="4"
recursor_1 | Jan 20 18:45:57 msg="Enabling web server"
subsystem="runtime" level="0" prio="Info" tid="0" ts="1674240357.639"
recursor_1 | Jan 20 18:45:57 msg="Listening for HTTP requests"
subsystem="webserver" level="0" prio="Info" tid="0" ts="1674240357.639"
address="0.0.0.0:8082"
recursor_1 | Jan 20 18:45:57 msg="Enabled multiplexer"
subsystem="runtime" level="0" prio="Info" tid="0" ts="1674240357.639"
name="epoll"
recursor_1 | Jan 20 18:45:58 msg="Not validating response for security
status update, this is a non-release version" subsystem="housekeeping"
level="0" prio="Warning" tid="0" ts="1674240358.474"
query="recursor-0.0.0.0.HEAD.gHEAD.security-status.secpoll.powerdns.com"
version="0.0.0.0.HEAD.gHEAD"
recursor_1 | Jan 20 18:45:58 msg="DoT requested but not available"
subsystem="out" level="0" prio="Error" tid="6" ts="1674240358.476"
server="188.166.104.87:853"
recursor_1 | Jan 20 18:45:58 msg="Question" subsystem="syncres"
level="0" prio="Info" tid="3" ts="1674240358.649" ecs="" mtid="1"
proto="udp" qname="253.22.87.10.in-addr.arpa" qtype="PTR"
remote="x.x.x.x:53290"
recursor_1 | Jan 20 18:45:58 msg="Answer" subsystem="syncres" level="0"
prio="Info" tid="3" ts="1674240358.649" additional="0" answers="0"
dotout="0" ecs="" mtid="1" netms="0.000000" outqueries="0" proto="udp"
qname="253.22.87.10.in-addr.arpa" qtype="PTR" rcode="3" rd="1"
remote="10.189.17.132:53290" tcpout="0" throttled="0" timeouts="0"
totms="0.000000" validationState="Indeterminate"
recursor_1 | Jan 20 18:45:58 msg="Question" subsystem="syncres"
level="0" prio="Info" tid="3" ts="1674240358.699" ecs="" mtid="2"
proto="udp" qname="xxxxxxxxxxx.com" qtype="A" remote="10.189.17.132:39228"
recursor_1 | Jan 20 18:45:58 msg="Question answered from packet cache"
subsystem="in" level="0" prio="Notice" tid="3" ts="1674240358.901"
proto="udp" qname="x.x.x.x.in-addr.arpa" qtype="PTR"
remote="10.189.17.132:42879" source="x.x.x.x:42879" tag="0"
...
logs continue ... a sample DROP log entry:
recursor_1 | Jan 20 18:47:56 msg="Dropping UDP query, address not
matched by allow-from" subsystem="in" level="0" prio="Error" tid="1"
ts="1674240476.878" proto="udp" source="<mapped public IP 1>:0"
I have sanitised private information above.
There are 2 requirements:
1. accurately enable ACLs via allow-from
2. use proxy-mapped public address for ecs/edns queries
/Issue statement/
Currently, the proxy mapped address is being used to match against
allow-from rather than the source/original address. This means that
unless I add the publicly mapped proxy addresses to the allow-from
option, those queries will be dropped. While I don't mind adding the
public IPs there, I would prefer not to if not required or if the config
behaviour can be changed to use the source address instead.
I'm hoping proxy-protocol-from does not affect ecs/edns function but the
docs don't discuss anything around this - I would assume not.
Update and per your replies:
"I think proxyMapping and the use of ECS is explained in
https://docs.powerdns.com/recursor/lua-config/proxymapping.html."
I understand proxymapping and ecs - this is not my issue, I'm just mentioning that I have it configured to provide context in case it is important to this specific query.
I've been through all Technical Blog articles, github issues and mailing list entries for 2022/2021 and can find no related articles or queries on this function. The documentation appears to be the only source of info I can find on proxy-protocol-from.
My system logging is still not working in the docker container (although I do get output from "docker-compose logs -f" which I've provided here). I'm not a container expert but it appears the docker image is not using systemd therefore no std log output. I would send a separate query regarding this.
Regards and thank you for your assistance.
Robby
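As an added illustration (not code from PowerDNS or from this thread), here is a small Python model of the two-stage check the quoted docs describe for proxy-protocol-from and allow-from: a PROXY protocol v2 header from a peer listed in proxy-protocol-from supplies the client address that allow-from is checked against, while frames from any other peer are judged by the peer address itself. All addresses are constructed; the addProxyMapping rules from the Lua config are deliberately not modelled, since how they interact with allow-from is the open question of the thread.

```python
import ipaddress
import struct

# PROXY protocol v2 constants (constructed model, not PowerDNS code)
PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VER2_PROXY = 0x21   # version 2, command PROXY
PP2_INET_DGRAM = 0x12   # AF_INET, UDP

def build_proxy_v2(src_ip, src_port, dst_ip, dst_port, payload=b""):
    """Build a v2 header (IPv4/UDP) in front of a DNS payload; used to construct sample frames."""
    body = (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port))
    return PP2_SIG + struct.pack("!BBH", PP2_VER2_PROXY, PP2_INET_DGRAM, len(body)) + body + payload

def parse_proxy_v2(data):
    """Return (src_ip, src_port, payload) from a v2 IPv4 frame, or raise ValueError."""
    if len(data) < 16 or data[:12] != PP2_SIG:
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or fam_proto >> 4 != 1 or length < 12 or len(data) < 16 + length:
        raise ValueError("unsupported or truncated PROXY header")
    src, _dst, sport, _dport = struct.unpack("!4s4sHH", data[16:28])
    return str(ipaddress.IPv4Address(src)), sport, data[16 + length:]

def in_acl(ip, acl):
    """True if ip falls in any of the CIDR strings in acl (single addresses allowed)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in acl)

def acl_decision(peer_ip, datagram, proxy_protocol_from, allow_from):
    """Model of the documented rule. Returns (accepted, address_checked)."""
    if in_acl(peer_ip, proxy_protocol_from):
        # Peer is a trusted proxy: the header is required, and the client
        # address it carries is what allow-from is checked against.
        try:
            checked, _port, _payload = parse_proxy_v2(datagram)
        except ValueError:
            return False, peer_ip
    else:
        # Not a trusted proxy: any header bytes are just payload; the peer
        # address itself is checked against allow-from.
        checked = peer_ip
    return in_acl(checked, allow_from), checked
```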