ECS prefix and EDNS Client subnet question

HsuLiPing at itri.org.tw HsuLiPing at itri.org.tw
Thu Oct 27 23:51:11 UTC 2016


;
; area10.itri.org.tw.txt
;
$ORIGIN sub.itri.org.tw.
$TTL    60

@       IN      SOA     dns1 hsuliping.itri.org.tw. (
                        2016102701      ; serial no
                        1h              ; refresh every 1 hour
                        1h              ; retry - 1 hour
                        2D              ; expire after 2 days
                        1D )            ; minimum ttl of 1 day

        IN      NS      dns1
        IN      NS      dns2

dns1    IN      A       192.168.254.138
dns2    IN      A       192.168.157.194

areaxx  IN      A       10.0.0.10
        IN      AAAA    2001:ed8:3000::10
==============================================================
;
; default.example.com.txt
;
$ORIGIN sub.example.com.
$TTL    60

@       IN      SOA     dns1 nocomment.example.com. (
                        2016102702      ; serial no
                        1h              ; refresh every 1 hour
                        1h              ; retry - 1 hour
                        2D              ; expire after 2 days
                        1D )            ; minimum ttl of 1 day

; sub-domain name servers
        IN      NS      dns1
        IN      NS      dns2

; A records for the name servers above
dns1    IN      A       192.168.254.138
dns2    IN      A       192.168.157.194

areaxx  IN      A       10.0.255.255
        IN      AAAA    2001:ed8:3000::FFFF:255
================================================================

// "ecs" elements match only against the EDNS Client Subnet option;
// plain prefixes match only against the packet's source address.
acl ecs-area01    { ecs 192.168.164.0/24; };   // was missing the closing ";"
acl no-ecs-area01 { 192.168.164.0/24; };

options {
        directory       "d:\isc bind 9\var\named";
//      geoip-directory "d:\isc bind 9\geodb";

        // version statement - inhibited for security
        // avoid hacking any known weaknesses
        version none;

        allow-recursion { 192.168.0.0/16; };
        forwarders { 192.168.9.11; };

        tcp-clients 600;

        hostname "Very glad service for you....";

        listen-on-v6 { none; };
        allow-update { none; };  // defaulted - if not present

        max-cache-ttl    60;
        max-ncache-ttl   600;

        dump-file "named dump.db";
        memstatistics-file "named.memstats";

        pid-file "named.pid";
        querylog yes;
        interface-interval 0;
        statistics-file "named.stats";
        zone-statistics yes;

        notify explicit;
        allow-transfer { none; };
};

view "area01" {
        match-clients { no-ecs-area01; ecs-area01; key Area01.example.com.; };
        zone "sub.example.com" in {
                type master;
                file "sub/area01.example.com.txt";
                also-notify { 192.168.157.194 key Area01.example.com.; };
                allow-transfer { key Area01.example.com.; };
        };
};
// Area01 View End

view "default" {  // Default
        match-clients { any; };
        zone "sub.example.com" in {
                type master;
                file "sub/default.example.com.txt";
                also-notify { 192.168.157.194 key Default.example.com.; };
                allow-transfer { key Default.example.com.; };
        };
};
// Default View End

This DNS server platform is Windows 2012 R2 and I installed BIND 9.11.
My PC IP is 192.168.164.123. When I test: if the no-ecs-area01 match list is not present in view area01, then
when I use dig for that zone entry it always returns the view default entry, but if I add no-ecs-area01 it
responds with the correct entry.
When I use a dig query including +subnet=192.168.164.1, it returns the view area01 entry (without including no-ecs-area01).
I don't know where I was wrong.
Can the client ECS entry be found in the query log?
================================= My test PC IP information ================
C:>ipconfig

   IPv4 address. . . . . . . . . . . : 192.168.164.87
   subnet mask. . . . . . . . . . . .: 255.255.255.0

All BIND instances are installed on the Windows 2012 R2 platform.

================================= Test 1 : in view area01 "no-ecs-area01" does not exist ================
C:>dig areaxx.sub.example.com. @dns2.sub.example.com.

; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13577
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 325d48c8c441ee0168c686475811912d9a5d9fc7bf113bd2 (good)
;; QUESTION SECTION:
;areaxx.sub.example.com.                IN      A

;; ANSWER SECTION:
areaxx.sub.example.com. 60      IN      A       10.0.255.255

============================== Test 2 : in view area01 "no-ecs-area01" exists ===========
C:>dig areaxx.sub.example.com. @dns2.sub.example.com.

; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32403
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ec76aa0d6063ddfac0fb42b958118fa3039eae3d58015a05 (good)
;; QUESTION SECTION:
;areaxx.sub.example.com.                IN      A

;; ANSWER SECTION:
areaxx.sub.example.com. 60      IN      A       10.0.0.10

========================== Test 3 : in view area01 "no-ecs-area01" does not exist ===========
C:>dig areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1

; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62641
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cb35db4f91e921970f85303858118f1128a20c69c0e0b995 (good)
; CLIENT-SUBNET: 192.168.164.1/32/24
;; QUESTION SECTION:
;areaxx.sub.example.com.                IN      A

;; ANSWER SECTION:
areaxx.sub.example.com. 60      IN      A       10.0.0.10

========================== Test 4 : query via the example.com. domain DNS server ===========
C:>dig areaxx.sub.example.com. @dns2.example.com.

; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53897
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: da1119758607734a0e0355755811906b9703987cbc318f84 (good)
;; QUESTION SECTION:
;areaxx.sub.example.com.                IN      A

;; ANSWER SECTION:
areaxx.sub.example.com. 60      IN      A       10.0.255.255
====================================================================================
C:>dig areaxx.sub.example.com. @dns2.example.com.  +subnet=192.168.164.1

; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com. +subnet=192.168.164.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8782
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 342acccf1e48e80572a35255581190a7a6a2857252dd6c05 (good)
; CLIENT-SUBNET: 192.168.164.1/32/0
;; QUESTION SECTION:
;areaxx.sub.example.com.                IN      A

;; ANSWER SECTION:
areaxx.sub.example.com. 60      IN      A       10.0.255.255

=======================================================================
The EDNS Client Subnet (ECS) option is used by a recursive resolver to
inform an authoritative name server of the network address block from
which the original query was received, enabling authoritative servers
to give different answers to the same resolver for different resolver clients.
An ACL containing an element of the form "ecs prefix" will match
if a request arrives containing an ECS option encoding an address within that prefix.
If the request has no ECS option, then "ecs" elements are simply ignored.
Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address.

The above section is from ARM page 176. When I carefully check my config file
I don't know where I was wrong.

In which log will the client subnet information be stored?


--
This email may contain ITRI confidential information. If you are not the intended recipient, please do not use or disclose its contents and delete it.
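As an added illustration (not from the original post and not ISC's code), the following Python model evaluates a match-clients list the way the quoted ARM paragraph describes, then replays the posted dig tests against the two views and the areaxx records from the posted zone files. The recursor address used for Test 4 is a constructed placeholder, and the TSIG "key" elements of the posted ACL are left out.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class AclElement(NamedTuple):
    prefix: str          # e.g. "192.168.164.0/24"
    ecs: bool = False    # True models "ecs 192.168.164.0/24"; False a plain prefix

def acl_matches(acl: List[AclElement], source: str,
                ecs_subnet: Optional[str] = None) -> bool:
    """Plain elements are compared against the source address only.
    'ecs' elements are compared against the EDNS Client Subnet option only
    and are skipped when the request carries no ECS option (ARM behaviour).
    TSIG 'key' elements from the posted named.conf are not modelled."""
    src = ipaddress.ip_address(source)
    client = ipaddress.ip_network(ecs_subnet, strict=False) if ecs_subnet else None
    for el in acl:
        net = ipaddress.ip_network(el.prefix)
        if el.ecs:
            if (client is not None and client.version == net.version
                    and client.subnet_of(net)):
                return True
        elif src in net:                 # returns False on a v4/v6 mismatch
            return True
    return False

# Views in named.conf order: the first view whose ACL matches serves the query.
# The areaxx A records come from the two posted zone files.
VIEWS = [("area01", "10.0.0.10"), ("default", "10.0.255.255")]

def answer_for(area01_acl: List[AclElement], source: str,
               ecs_subnet: Optional[str] = None) -> Tuple[str, str]:
    """Return (view name, A record) that named would hand back for areaxx."""
    acls = {"area01": area01_acl, "default": [AclElement("0.0.0.0/0")]}  # { any; }
    for name, rdata in VIEWS:
        if acl_matches(acls[name], source, ecs_subnet):
            return name, rdata
    raise RuntimeError("no view matched")   # unreachable with match-clients { any; }

ECS_ONLY   = [AclElement("192.168.164.0/24", ecs=True)]        # acl ecs-area01 alone
WITH_PLAIN = [AclElement("192.168.164.0/24")] + ECS_ONLY       # plus acl no-ecs-area01

if __name__ == "__main__":
    pc = "192.168.164.87"          # the poster's test PC, from the ipconfig output
    recursor = "192.168.200.53"    # constructed: a resolver outside 192.168.164.0/24
    print(answer_for(ECS_ONLY, pc))                       # Test 1: default, 10.0.255.255
    print(answer_for(WITH_PLAIN, pc))                     # Test 2: area01, 10.0.0.10
    print(answer_for(ECS_ONLY, pc, "192.168.164.1/32"))   # Test 3: area01, 10.0.0.10
    print(answer_for(ECS_ONLY, recursor))                 # Test 4: recursor forwarded no ECS
```

Test 4 models a recursor that queries the authoritative server from its own address without attaching an ECS option, which is why the "ecs" element never gets a chance to match there.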