[Pdns-users] pdns-recursor: edns-subnet signalling
Niklas
2012-08-09 15:47:48 UTC
Hello PowerDNS users,

given a setup where one pdns recursor forwards dns requests to
multiple pdns resolvers. Is it possible to have the recursor share the
client ip (== real remote ip) with the resolvers?

I am running a pdns server customized with pipe backend and need the
client subnet for optimizing.

In [1] Peter van Dijk talks about edns-subnet signalling as an
interesting topic. But there is little description on whether there
was work done on the issue or if it is in development.

Would be great to know :)

Best,
Niklas


[1] http://www.mail-archive.com/pdns-***@mailman.powerdns.com/msg05314.html
Niklas
2012-08-09 21:50:53 UTC
Hi again,

It appears I am not the only one who seeks clarification on the edns
issue. Like [1] and [2] I found there is an option disable-edns in the
recursor.conf and even a counter for outgoing edns queries exists:
noedns-outqueries (found it with rec_control get-all)

Still when I enable this on the recursor, the queries getting to the
resolver omit the real remote ip. Instead they contain the IP of the
ISP DNS twice. Not only that, but queries already containing an edns
part appear to be reformatted too.

Requests sent with dig + edns client subnet plugin

a) directly
-> Q xxx.abc IN SOA -1 10.0.0.109 10.0.1.4
10.0.1.13/32

b) via the recursor
-> Q yyy.abc IN SOA -1 10.0.1.12 10.0.1.4
10.0.1.12/32

At the moment I am digging into the source code. Hence it would be a
big help if somebody could give me a few pointers.

Best,
Niklas

[1] http://mailman.powerdns.com/pipermail/pdns-users/2010-April/006641.html
[2] http://old.nabble.com/EDNS-support-%2B-default-buffer-size-td27941127.html
Peter van Dijk
2012-08-13 09:36:00 UTC
Hello Niklas,
Post by Niklas
It appears I am not the only one who seeks clarification on the edns
issue. Like [1] and [2] I found there is an option disable-edns in the
noedns-outqueries (found it with rec_control get-all)
Still when I enable this on the recursor, the queries getting to the
resolver omit the real remote ip. Instead they contain the IP of the
ISP DNS twice. Not only that, but queries already containing an edns
part appear to be reformatted too.
EDNS is a generic extension mechanism; edns-subnet is a specific use of that
mechanism. The recursor has some EDNS support but no edns-subnet support.
Post by Niklas
Requests sent with dig + edns client subnet plugin
a) directly
-> Q xxx.abc IN SOA -1 10.0.0.109 10.0.1.4
10.0.1.13/32
auth+pipe picking up your edns-subnet data.
Post by Niklas
b) via the recursor
-> Q yyy.abc IN SOA -1 10.0.1.12 10.0.1.4
10.0.1.12/32
Recursor is not passing on edns-subnet data as it simply does not support doing so. Auth is
passing the pipebackend the recursor IP as the realRemote as it has nothing better.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
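
Added example, not part of the original thread or of PowerDNS: a small parser for the pipe-backend `Q` lines quoted above that tells a signalled edns-subnet apart from the fallback to the querying resolver's address. The field order (qname, qclass, qtype, id, remote IP, local IP, subnet) is assumed from those log lines, and the names `parse_q_line` and `client_hint` are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class PipeQuery(NamedTuple):
    qname: str
    qclass: str
    qtype: str
    qid: int
    remote: IPAddr            # address the auth server saw the query come from
    local: IPAddr             # address the auth server received it on
    subnet: Optional[IPNet]   # trailing field; absent if the server does not send it

def parse_q_line(line: str) -> PipeQuery:
    """Parse one 'Q' line in the layout shown in the thread (assumed field order)."""
    fields = line.replace("->", " ").split()   # drop the log arrow, accept tabs or spaces
    if len(fields) < 7 or fields[0] != "Q":
        raise ValueError(f"not a pipe-backend Q line: {line!r}")
    subnet = ipaddress.ip_network(fields[7], strict=False) if len(fields) > 7 else None
    return PipeQuery(fields[1], fields[2], fields[3], int(fields[4]),
                     ipaddress.ip_address(fields[5]), ipaddress.ip_address(fields[6]), subnet)

def client_hint(q: PipeQuery) -> Tuple[IPNet, str]:
    """Return (network to optimise for, where that value came from)."""
    host_net = ipaddress.ip_network(f"{q.remote}/{q.remote.max_prefixlen}")
    if q.subnet is None:
        return host_net, "remote"
    if q.subnet == host_net:
        # Subnet is just the sender's own address: no edns-subnet data reached the
        # server, which is what happens behind a recursor that does not forward it.
        return q.subnet, "remote-fallback"
    return q.subnet, "edns-subnet"

# Constructed from the two log excerpts in the thread (wrapped lines rejoined).
SAMPLES = [
    "-> Q xxx.abc IN SOA -1 10.0.0.109 10.0.1.4 10.0.1.13/32",   # a) directly
    "-> Q yyy.abc IN SOA -1 10.0.1.12 10.0.1.4 10.0.1.12/32",    # b) via the recursor
]

if __name__ == "__main__":
    for sample in SAMPLES:
        net, source = client_hint(parse_q_line(sample))
        print(f"{sample!r}: {net} ({source})")
```

The subnet field is whatever the sender of the query put in its edns-subnet option, so a backend should treat it as a hint for optimisation and not as an authenticated client identity.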
Niklas
2012-08-13 09:42:33 UTC
Hello Peter,

thanks for the clarification. Are there any plans to add
edns-client-subnet support to the recursor in the foreseeable future?

Best,
Niklas

Peter van Dijk
2012-08-13 10:50:58 UTC
Hello Niklas,

I am not aware of plans for this; it would involve some tricky changes to the caching layer, or forwarding edns-subnet requests uncached. It almost certainly will not happen for Recursor 3.5 (which we hope to ship soon).

A request for cache-awareness (in another place) has been posted at http://wiki.powerdns.com/trac/ticket/549 - I suggest tracking that ticket if the topic interests you.
Post by Niklas
thanks for the clarification. Are there any plans to add
edns-client-subnet support to the recursor in the foreseeable future?
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/