[Pdns-users] Proxy mapped address used for allow-from

Robby Pedrica rpedrica at gmail.com
Thu Jan 26 13:07:17 UTC 2023


Thanks Otto,

I agree with the docs, but then the actual operation/result is not
consistent unless I'm misunderstanding the operation or purpose of
proxy-protocol-from.

*Product:*

pdns-recursor

*Version:*

4.8.1

*Full recursor.conf config:*

allow-from=<src-subnet>
api-key=xxxx
#config-dir=/usr/etc
daemon=no
#disable-syslog=no
edns-subnet-allow-list=0.0.0.0/0
etc-hosts-file=/etc/hosts
# export-etc-hosts=off
#local-address=
local-port=53
loglevel=6
log-common-errors=yes
# max-cache-entries=1000000
# max-concurrent-requests-per-tcp-connection=10
max-tcp-clients=128
# max-tcp-per-client=0
# max-tcp-queries-per-connection=0
# network-timeout=1500
new-domain-log=yes
quiet=no
threads=2
use-incoming-edns-subnet=yes
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
webserver-loglevel=none
webserver-password=xxxx
webserver-port=8082
write-pid=yes
hint-file=/etc/named.root.txt
log-common-errors=no
lua-config-file=/etc/proxy-map.lua
max-busy-dot-probes=50
proxy-protocol-from=<mapped public IP per below>

*LUA script for proxy maps:*

addProxyMapping("private subnet 1", "mapped public IP")

There are 2 requirements:

1. accurately enable ACLs via allow-from
2. use proxy-mapped public address from addProxyMapping for ecs/edns queries

Currently, the proxy mapped address is being used to match against
allow-from rather than the source/original address.

I'm hoping proxy-protocol-from does not affect ecs/edns function but the
docs don't discuss anything around this - I would assume not.

Update and per your replies:

"I think proxyMapping and the use of ECS is explained in
https://docs.powerdns.com/recursor/lua-config/proxymapping.html."

I understand proxymapping - this is not my issue, I'm just mentioning
it to provide context.

(My logging is still not working in my docker container. I'll request
separate assistance with this.)
Regards and thank you

Robby

On Fri, 20 Jan 2023 at 17:58, Otto Moerbeek <otto at drijf.net> wrote:

> Please show your full configuration, including versions etc. Also, it
> is not clear which product you are using.
>
> The recursor docs say:
>
> "Note that once a Proxy Protocol header has been received, the source
> address from the proxy header instead of the address of the proxy will
> be checked against the allow-from ACL."
>
> https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
>
>         -Otto
>
>
> On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users
> wrote:
>
> > Hi all,
> >
> > I'm not sure if this is a change in behaviour or I simply haven't noticed
> > this before but after upgrading my docker image today, I've seen queries
> > being dropped due to the mapped address in my proxy mappings being used
> for
> > allow-from rather than the src/original address. I use a private-public
> > address mapping in the proxy maps because I use the mapped public IP as
> > part of ecs/edns.
> >
> > I've now set:
> >
> > proxy-protocol-from=<mapped ip> (or should this be the src IP?)
> >
> > but this doesn't appear to have changed anything and queries are still
> > being dropped.
> >
> > Can anyone advise where I'm going wrong? I don't mind putting the mapped
> > (public) IP in allow-from but would prefer not to do it if not required.
> >
> > Regards
> >
> > --
> > Robby Pedrica
> >
> > c: +27 82 416 8696
>
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>

-- 
Robby Pedrica
XStore
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedrica at xstore.co.za
w: http://wwww.xstore.co.za/
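The thread turns on which address the recursor checks against allow-from when a PROXY header and a proxy mapping are both involved. The following Python model is an added illustration, not pdns-recursor code and not from the list posts; it takes the rule quoted from the recursor docs (a sender listed in proxy-protocol-from must send a PROXY header, and the header's source address is then what allow-from sees) and adds, as a labelled assumption, the ordering the original poster observed: the addProxyMapping result is applied before the ACL check. The subnets, proxy address and mapped address are constructed sample values.

```python
"""Constructed model of pdns-recursor's source-address handling for allow-from.

This is an added example, not recursor code. It models:
  1. proxy-protocol-from: senders in this ACL must supply a PROXY header, and
     the header's source address replaces the sender's own address (per the
     docs quoted in the thread);
  2. addProxyMapping: the (effective) source is rewritten to a mapped address;
  3. allow-from: the ACL check, applied either to the mapped address (the
     behaviour reported in the thread; assumed default here) or to the
     pre-mapping source (what the poster expected).
"""
import ipaddress
from typing import Optional


def in_acl(addr: str, acl: list) -> bool:
    """True if addr lies inside any network listed in acl."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in acl)


def effective_source(l3_source: str, header_source: Optional[str],
                     proxy_protocol_from: list) -> Optional[str]:
    """Address the recursor works with after PROXY-protocol handling.

    A sender inside proxy-protocol-from must send a PROXY header; without one
    the query is dropped (None). With one, the header's source replaces the
    proxy's own address. Senders outside the ACL are used as-is.
    """
    if in_acl(l3_source, proxy_protocol_from):
        return header_source  # None if the mandatory header is missing
    return l3_source


def apply_proxy_mapping(addr: str, mappings: list) -> str:
    """Mimic addProxyMapping(subnet, mapped_ip): first matching subnet wins."""
    ip = ipaddress.ip_address(addr)
    for subnet, mapped in mappings:
        if ip in ipaddress.ip_network(subnet, strict=False):
            return mapped
    return addr


def decide(l3_source: str, header_source: Optional[str], cfg: dict,
           map_before_acl: bool = True):
    """Return (accepted, address checked against allow-from, address used for ECS).

    map_before_acl=True is an assumption modelling the thread's observation that
    the mapped address is what allow-from sees; False models the poster's
    expectation that the original source is checked instead.
    """
    src = effective_source(l3_source, header_source, cfg["proxy-protocol-from"])
    if src is None:
        return False, None, None
    mapped = apply_proxy_mapping(src, cfg["proxy-mappings"])
    acl_addr = mapped if map_before_acl else src
    return in_acl(acl_addr, cfg["allow-from"]), acl_addr, mapped


# Constructed sample configuration (documentation ranges, not real hosts):
#   clients sit in 192.0.2.0/24 behind a proxy at 10.10.10.1, and the Lua
#   config maps that client subnet to the public address 198.51.100.10.
CFG = {
    "proxy-protocol-from": ["10.10.10.1/32"],
    "proxy-mappings": [("192.0.2.0/24", "198.51.100.10")],
    "allow-from": ["192.0.2.0/24"],
}

# Same setup, but with the mapped public address added to allow-from, the
# workaround the poster mentions considering.
CFG_WITH_MAPPED_IN_ACL = {
    **CFG,
    "allow-from": ["192.0.2.0/24", "198.51.100.10/32"],
}


if __name__ == "__main__":
    # Client 192.0.2.5 via the proxy: mapped address is checked -> dropped.
    print(decide("10.10.10.1", "192.0.2.5", CFG))
    # Same query if the pre-mapping source were checked -> accepted.
    print(decide("10.10.10.1", "192.0.2.5", CFG, map_before_acl=False))
    # Same query with the mapped address also in allow-from -> accepted.
    print(decide("10.10.10.1", "192.0.2.5", CFG_WITH_MAPPED_IN_ACL))
    # Listed proxy sends no PROXY header -> dropped outright.
    print(decide("10.10.10.1", None, CFG))
```

Running the model side by side with the two orderings makes the reported symptom concrete: with the mapping applied first, an allow-from that lists only the private client subnet rejects every mapped query, while listing the mapped public address (or listing the original source, if the ACL ran before the mapping) accepts it. The ECS address returned in the third tuple element is the mapped address in every accepted case, which is the property the poster wants to preserve.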