[Pdns-users] Proxy mapped address used for allow-from

Otto Moerbeek otto at drijf.net
Thu Jan 26 17:37:55 UTC 2023


On Thu, Jan 26, 2023 at 03:07:17PM +0200, Robby Pedrica via Pdns-users wrote:

> Thanks Otto,
> 
> I agree with the docs, but then the actual operation/result is not
> consistent unless I'm misunderstanding the operation or purpose of
> proxy-protocol-from.
> 
> *Product:*
> 
> pdns-recursor
> 
> *Version:*
> 
> 4.8.1
> 
> *Full recursor.conf config:*
> 
> allow-from=<src-subnet>
> api-key=xxxx
> #config-dir=/usr/etc
> daemon=no
> #disable-syslog=no
> edns-subnet-allow-list=0.0.0.0/0.
> etc-hosts-file=/etc/hosts
> # export-etc-hosts=off
> #local-address=
> local-port=53
> loglevel=6
> log-common-errors=yes
> # max-cache-entries=1000000
> # max-concurrent-requests-per-tcp-connection=10
> max-tcp-clients=128
> # max-tcp-per-client=0
> # max-tcp-queries-per-connection=0
> # network-timeout=1500
> new-domain-log=yes
> quiet=no
> threads=2
> use-incoming-edns-subnet=yes
> webserver=yes
> webserver-address=0.0.0.0
> webserver-allow-from=0.0.0.0/0
> webserver-loglevel=none
> webserver-password=xxxx
> webserver-port=8082
> write-pid=yes
> hint-file=/etc/named.root.txt
> log-common-errors=no
> lua-config-file=/etc/proxy-map.lua
> max-busy-dot-probes=50
> proxy-protocol-from=<mapped public IP per below>
> 
> *LUA script for proxy maps:*
> 
> addProxyMapping("private subnet 1", "mapped public IP")
> 
> There are 2 requirements:
> 
> 1. accurately enable ACLs via allow-from

As far as I know, the ACLs are checked accurately, i.e. as defined in
the docs.

> 2. use proxy-mapped public address from addProxyMapping for ecs/edns queries
> 
> Currently, the proxy mapped address is being used to match against
> allow-from rather than the source/original address.

I have the feeling there is some form of miscommunication going on.

As documented, see:

"M is used for incoming ACL checking (allow-from) and to determine the
ECS processing (ecs-add-for)."

where M is "the source address mapped by Table Based Proxy Mapping" in

https://docs.powerdns.com/recursor/lua-config/proxymapping.html#table-based-proxy-mapping

The first section of the page tries to explain what address is used in
what circumstances.

The point of proxyMapping is to use the mapped address as ECS and for
ACL checking.

If that is not what you want, maybe proxyMapping is not the answer to
your question?

	-Otto

> 
> I'm hoping proxy-protocol-from does not affect ecs/edns function but the
> docs don't discuss anything around this - I would assume not.
> 
> Update and per your replies:
> 
> "I think proxyMapping and the use of ECS is explained in
> https://docs.powerdns.com/recursor/lua-config/proxymapping.html."
> 
> I understand proxymapping - this is not my issue, I'm just mentioning
> it to provide context.
> 
> (My logging is still not working in my docker container. I'll request
> separate assistance with this.)
> Regards and thank you
> 
> 
> Robby
> 
> 
> On Fri, 20 Jan 2023 at 17:58, Otto Moerbeek <otto at drijf.net> wrote:
> 
> > Please show your full configuration, including versions etc. Also, it
> > is not clear which product you are using.
> >
> > The recursor docs say:
> >
> > "Note that once a Proxy Protocol header has been received, the source
> > address from the proxy header instead of the address of the proxy will
> > be checked against the allow-from ACL."
> >
> > https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
> >
> >         -Otto
> >
> >
> > On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users wrote:
> >
> > > Hi all,
> > >
> > > I'm not sure if this is a change in behaviour or I simply haven't noticed
> > > this before but after upgrading my docker image today, I've seen queries
> > > being dropped due to the mapped address in my proxy mappings being used for
> > > allow-from rather than the src/original address. I use a private-public
> > > address mapping in the proxy maps because I use the mapped public IP as
> > > part of ecs/edns.
> > >
> > > I've now set:
> > >
> > > proxy-protocol-from=<mapped ip> (or should this be the src IP?)
> > >
> > > but this doesn't appear to have changed anything and queries are still
> > > being dropped.
> > >
> > > Can anyone advise where I'm going wrong? I don't mind putting the mapped
> > > (public) IP in allow-from but would prefer not to do it if not required.
> > >
> > > Regards
> > >
> > > --
> > > Robby Pedrica
> > >
> > > c: +27 82 416 8696
> >
> > > _______________________________________________
> > > Pdns-users mailing list
> > > Pdns-users at mailman.powerdns.com
> > > https://mailman.powerdns.com/mailman/listinfo/pdns-users
> >
> >
> 
> -- 
> Robby Pedrica
> XStore
> c: +27 82 416 8696
> f: +27 86 538 5810
> m: rpedrica at xstore.co.za
> w: http://wwww.xstore.co.za/

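To make the address selection Otto describes concrete, here is a small model of the two documented rules quoted in this thread: the source address carried in a Proxy Protocol header replaces the address of the proxy, and the address M produced by table-based proxy mapping is what allow-from and ECS processing see. This is an added illustration written for this thread, not pdns-recursor code; the function names, the assumption that a peer in proxy-protocol-from must supply a header, and all addresses (RFC 5737 documentation ranges and a private /8) are constructed for the example.

```python
"""Model of which address pdns-recursor checks against allow-from and uses for
ECS when Proxy Protocol and table-based proxy mapping are both configured.
Illustrative model only (written for the thread, not recursor source code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_nets(specs: List[str]):
    """Turn setting strings such as allow-from=10.0.0.0/8 into network objects."""
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


@dataclass
class RecursorConfig:
    allow_from: list                      # allow-from=
    proxy_protocol_from: list             # proxy-protocol-from=
    proxy_map: List[Tuple[object, object]]  # addProxyMapping(subnet, mapped) entries


def effective_addresses(cfg: RecursorConfig, peer: str,
                        proxy_header_src: Optional[str] = None) -> dict:
    """Return which address the ACL check and ECS processing end up using."""
    peer_addr = ipaddress.ip_address(peer)

    # Rule 1 (settings docs, proxy-protocol-from): a peer in that range is
    # expected to send a PROXY header; the source address inside the header
    # replaces the address of the proxy. Dropping a header-less query from
    # such a peer is a model assumption.
    if in_any(peer_addr, cfg.proxy_protocol_from):
        if proxy_header_src is None:
            return {"accepted": False, "reason": "PROXY header required but absent",
                    "source": str(peer_addr), "mapped": None, "ecs_source": None}
        source = ipaddress.ip_address(proxy_header_src)
    else:
        source = peer_addr

    # Rule 2 (lua-config docs, table-based proxy mapping): the first matching
    # addProxyMapping entry yields M; unmapped sources keep their own address.
    mapped = source
    for subnet, m in cfg.proxy_map:
        if source in subnet:
            mapped = m
            break

    # M, not the original source, is what allow-from and ECS processing see.
    accepted = in_any(mapped, cfg.allow_from)
    return {
        "accepted": accepted,
        "reason": None if accepted else "mapped address M is not in allow-from",
        "source": str(source),
        "mapped": str(mapped),
        "ecs_source": str(mapped),
    }


def thread_scenario(allow_from: List[str]) -> dict:
    """The setup from the thread: private clients behind a proxy at 192.0.2.10,
    private subnet 10.0.0.0/8 mapped to public 203.0.113.5 (constructed values)."""
    cfg = RecursorConfig(
        allow_from=parse_nets(allow_from),
        proxy_protocol_from=parse_nets(["192.0.2.10/32"]),
        proxy_map=[(ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_address("203.0.113.5"))],
    )
    # The proxy forwards a query whose PROXY header names client 10.1.2.3.
    return effective_addresses(cfg, "192.0.2.10", proxy_header_src="10.1.2.3")


if __name__ == "__main__":
    # allow-from lists only the private subnet: M is public, so the query drops.
    print(thread_scenario(["10.0.0.0/8"]))
    # allow-from lists the mapped public address: accepted, ECS uses M.
    print(thread_scenario(["203.0.113.5/32"]))
```

Running the two scenarios shows the behaviour reported at the top of the thread: with only the private subnet in allow-from the query is refused because the mapped public address M is what gets checked, and listing M itself in allow-from makes the same query pass with M also used for ECS.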