[dns-operations] EDNS client subnet authoritative server implementation
Stefan Schmidt
zaphodb at zaphods.net
Fri Feb 9 14:26:21 UTC 2018
On 2018-02-09 03:53, John Kristoff wrote:
> Friends,
Hi John,
> I'm interested in utilizing a DNS authoritative server implementation
> that provides at least some support for the EDNS client subnet option
> (IETF RFC 7871).
>
> For now I just need an implementation that will signal to Google
> resolvers that it supports the feature without too much effort on my
> part if that is possible. Ideally I'd also like the software to be able
> to log the received client subnet values along with the other
> traditional query detail (e.g. query address, name, class).
>
> BIND seems to do at least the logging part, but I'm not sure if they
> will be compatible with Google. In a recent ARM they have this note:
>
> The authoritative ECS implementation in named is based on an early
> version of the specification, and is known to have incompatibilities
> with other implementations.
>
> This sounds like it might not work for me. Anyone know differently?
It might just be the EDNS0 Option Code value; IIRC Google and
OpenDNS used a preliminary option code.
PowerDNS Authoritative Server switched over to the IANA assigned one [1]
in version 3.4.0.
> It looks like this might be available in PowerDNS, but maybe only with
> the pipe back end, which may work fine in my case. Has anyone used
> PowerDNS for auth edns client subnet handling and can confirm or show an
> example config/pipe/setup that gets them client subnet data from Google
> resolvers?
I can confirm it is really easy to implement with the PowerDNS pipe
backend and that it has been working very well for me.
PowerDNS takes care of all the processing and you just need to use
pipebackend ABI version 3 [2] populating the scopebits and auth values
for each backend response.
A simple ABI example backend can be found at [3] where $ednsip will be
the netmask you get from the recursive server.
pdns.conf:
launch=pipe:backendname
pipe-backendname-command=/path/to/your/pipebackend
pipe-backendname-timeout=1000 #in ms
pipe-backendname-abi-version=3
edns-subnet-processing=yes
➜ ~ dig @8.8.8.8 any bl.wavecdn.net
...
bl.wavecdn.net. 59 IN TXT "your IPv4: 87.138.201.0"
As PowerDNS Recursor and dnsdist also support EDNS Client Subnet you
don't even have to rely on Google for testing, and I should mention that
dig now sports the +subnet (formerly +client) flag allowing you to
manually query the auth server for its response to that "variable".
best wishes,
Stefan
[1] https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11
[2] https://doc.powerdns.com/authoritative/backends/pipe.html#pipe-abi-version
[3] https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/pipebackend/backend-v3.pl