ECS prefix and EDNS Client subnet question
HsuLiPing at itri.org.tw
HsuLiPing at itri.org.tw
Thu Oct 27 23:51:11 UTC 2016
;
; area10.itri.org.tw.txt
;
$ORIGIN sub.itri.org.tw.
$ttl 60
@ IN SOA dns1 hsuliping.itri.org.tw. (
2016102701 ;serial no
1h ;refresh every 1 hours
1h ;retry - 1 hour
2D ;expire after 2 days
1D) ;minimum ttl of 1 days
IN NS dns1
IN NS dns2
dns1 IN A 192.168.254.138
dns2 IN A 192.168.157.194
areaxx IN A 10.0.0.10
IN AAAA 2001:ed8:3000::10
==============================================================
;
; default.example.com.txt
;
$ORIGIN sub.example.com.
$ttl 60
@ IN SOA dns1 nocomment.example.com. (
2016102702 ;serial no
1h ;refresh every 1 hours
1h ;retry - 1 hour
2D ;expire after 2 days
1D) ;minimum ttl of 1 days
;sub-domain name servers
IN NS dns1
IN NS dns2
;A records for name servers above
dns1 IN A 192.168.254.138
dns2 IN A 192.168.157.194
areaxx IN A 10.0.255.255
IN AAAA 2001:ed8:3000::FFFF:255
================================================================
acl ecs-area01 { ecs 192.168.164.0/24; }
acl no-ecs-area01 { 192.168.164.0/24; };
options {
directory "d:\isc bind 9\var\named";
// geoip-directory "d:\isc bind 9\geodb";
// version statement - inhibited for security
// avoid hacking any know weaknesses
version none;
allow-recursion { 192.168.0.0/16; };
forwarders{ 192.168.9.11; };
tcp-clients 600;
hostname "Very glad service for you....";
listen-on-v6 { none; };
allow-update {none;}; // defaulted - if not present
max-cache-ttl 60;
max-ncache-ttl 600;
dump-file "named dump.db";
memstatistics-file "named.memstats";
pid-file "named.pid";
querylog yes;
interface-interval 0;
statistics-file "named.stats";
zone-statistics yes;
notify explicit;
allow-transfer { none; };
};
view "area01" {
match-clients { no-ecs-area01; ecs-area01; key Area01.example.com.;};
zone "sub.example.com" in {
type master;
file "sub/area01.example.com.txt";
also-notify { 192.168.157.194 key Area01.example.com.; };
allow-transfer { key Area01.example.com.; };
};
};
// Area01 View End
view "deafult" { // Default
match-clients { any; };
zone "sub.example.com" in {
type master;
file "sub/default.example.com.txt";
also-notify { 192.168.157.194 key Default.example.com.;};
allow-transfer { key Default.example.com.; };
};
};
// Default View End
This DNS Server Platform is Windows 2012 R2 and i install Bind 9.11
my pc ip is 192.168.164.123, so when i test if in view area01 no-ecs-area01 match list then when
i use dig that zone entry it always return view default entry. but if i add no-ecs-area01 then that will
response correct entry.
when i use dig query include +subnet=192.168.164.1 then it will return view area01 entry (not include no-ec-area01)
i don't know herer was wrong.
In query log can find Client ECS entry ?
=================================My test pc ip infomation ================
C:>ipconfig
IPv4 address. . . . . . . . . . . : 192.168.164.87
subnet mask. . . . . . . . . . . .: 255.255.255.0
All Bind are install in Windows 2012 R2 platform
=================================Test 1 : in view area01 "no-ecs-area01" not exist ================
C:>dig areaxx.sub.example.com. @dns2.sub.example.com.
; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13577
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 325d48c8c441ee0168c686475811912d9a5d9fc7bf113bd2 (good)
;; QUESTION SECTION:
;areaxx.sub.example.com. IN A
;; ANSWER SECTION:
areaxx.sub.example.com. 60 IN A 10.0.255.255
==============================Test 1 : in view area01 "no-ecs-area01" exist===========
C:>dig areaxx.sub.example.com. @dns2.sub.example.com.
; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32403
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ec76aa0d6063ddfac0fb42b958118fa3039eae3d58015a05 (good)
;; QUESTION SECTION:
;areaxx.sub.example.com. IN A
;; ANSWER SECTION:
areaxx.sub.example.com. 60 IN A 10.0.0.10
==========================Test 3 : in view area01 "no-ecs-area01" no exist ===========
C:>dig areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1
; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62641
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cb35db4f91e921970f85303858118f1128a20c69c0e0b995 (good)
; CLIENT-SUBNET: 192.168.164.1/32/24
;; QUESTION SECTION:
;areaxx.sub.example.com. IN A
;; ANSWER SECTION:
areaxx.sub.example.com. 60 IN A 10.0.0.10
==========================Test 4 : from example.com. domain DNS Server query ===========
C:>dig areaxx.sub.example.com. @dns2.example.com.
; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53897
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: da1119758607734a0e0355755811906b9703987cbc318f84 (good)
;; QUESTION SECTION:
;areaxx.sub.example.com. IN A
;; ANSWER SECTION:
areaxx.sub.example.com. 60 IN A 10.0.255.255
====================================================================================
C:>dig areaxx.sub.example.com. @dns2.example.com. +subnet=192.168.164.1
; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com. +subnet=192.168.164.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8782
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 342acccf1e48e80572a35255581190a7a6a2857252dd6c05 (good)
; CLIENT-SUBNET: 192.168.164.1/32/0
;; QUESTION SECTION:
;areaxx.sub.example.com. IN A
;; ANSWER SECTION:
areaxx.sub.example.com. 60 IN A 10.0.255.255
=======================================================================
The EDNS Client Subnet (ECS) option is used by a recursive resolver to
inform an authoritative name server of the network address block from
which the original query was received, enabling authoritative servers
to give different answers to the same resolver for different resolver clients.
An ACL containing an element of the form ecs prefix will match
if a request arrives in containing an ECS option encoding an address within that prefix.
If the request has no ECS option, then "ecs" elements are simply ignored.
Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address.
Above section was from ARM page 176, when i careful check my config file
I don't know where i was wrong
Client subnet information will store in which log
--
本信件可能包含工研院機密資訊,非指定之收件者,請勿使用或揭露本信件內容,並請銷毀此信件。 This email may contain confidential information. Please do not use or disclose it in any way and delete it if you are not the intended recipient.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20161027/aee130c2/attachment-0001.html>
More information about the bind-users
mailing list