ECS prefix and EDNS Client subnet question

Bob Harold rharolde at umich.edu
Fri Oct 28 13:53:55 UTC 2016


On Thu, Oct 27, 2016 at 7:51 PM, <HsuLiPing at itri.org.tw> wrote:

> ;
> ; area10.itri.org.tw.txt
> ;
> $ORIGIN sub.itri.org.tw.
> $ttl     60
>
> @ IN SOA dns1  hsuliping.itri.org.tw. (
>    2016102701 ;serial no
>                         1h    ;refresh every 1 hours
>                         1h      ;retry - 1 hour
>                         2D    ;expire after 2 days
>                         1D)    ;minimum ttl of 1 days
>
>    IN NS dns1
>    IN NS dns2
>
> dns1                    IN      A       192.168.254.138
> dns2                    IN      A       192.168.157.194
>
> areaxx   IN A 10.0.0.10
>    IN AAAA 2001:ed8:3000::10
>
> ==============================================================
> ;
> ; default.example.com.txt
> ;
> $ORIGIN sub.example.com.
> $ttl     60
>
> @  IN SOA   dns1  nocomment.example.com. (
>    2016102702 ;serial no
>                         1h    ;refresh every 1 hours
>                         1h      ;retry - 1 hour
>                         2D    ;expire after 2 days
>                         1D)    ;minimum ttl of 1 days
>
>
> ;sub-domain name servers
>    IN NS dns1
>    IN NS dns2
>
> ;A records for name servers above
> dns1    IN      A       192.168.254.138
> dns2   IN      A       192.168.157.194
>
> areaxx   IN A 10.0.255.255
>    IN AAAA 2001:ed8:3000::FFFF:255
> ================================================================
>
> acl ecs-area01 { ecs 192.168.164.0/24; }
> acl no-ecs-area01 { 192.168.164.0/24; };
>
> options {
>   directory       "d:\isc bind 9\var\named";
> //      geoip-directory "d:\isc bind 9\geodb";
>
>         // version statement - inhibited for security
>         // avoid hacking any know weaknesses
>
>   version none;
>
>   allow-recursion { 192.168.0.0/16; };
>   forwarders{ 192.168.9.11; };
>
>         tcp-clients 600;
>
>         hostname "Very glad service for you....";
>
>         listen-on-v6 { none; };
>         allow-update {none;};  // defaulted - if not present
>
>         max-cache-ttl    60;
>         max-ncache-ttl   600;
>
>         dump-file "named dump.db";
>  memstatistics-file "named.memstats";
>
>  pid-file "named.pid";
>  querylog yes;
>         interface-interval 0;
>         statistics-file "named.stats";
>         zone-statistics yes;
>
>         notify explicit;
>         allow-transfer { none; };
> };
>
> view "area01" {
>     match-clients { no-ecs-area01; ecs-area01; key Area01.example.com.;};
>     zone "sub.example.com" in {
>          type master;
>   file "sub/area01.example.com.txt";
>          also-notify { 192.168.157.194 key Area01.example.com.; };
>          allow-transfer { key Area01.example.com.; };
>      };
> };
> // Area01 View End
>
> view "deafult" {  // Default
>     match-clients { any; };
>     zone "sub.example.com" in {
>          type master;
>   file "sub/default.example.com.txt";
>          also-notify { 192.168.157.194 key Default.example.com.;};
>          allow-transfer { key Default.example.com.; };
>      };
> };
> // Default View End
>
>
> This DNS server platform is Windows 2012 R2 and I installed BIND 9.11.
> My PC IP is 192.168.164.123, so when I test, if the no-ecs-area01 entry is
> not in the match list of view area01, then when
> I use dig to query that zone entry it always returns the default view's entry. But if I
> add no-ecs-area01 then it will
> respond with the correct entry.
> When I use a dig query including +subnet=192.168.164.1 then it returns the
> view area01 entry (without no-ecs-area01 included).
> I don't know where I was wrong.
> Can the client ECS entry be found in the query log?
> ================================= My test PC IP information ================
> C:>ipconfig
>
>
>    IPv4 address. . . . . . . . . . . : 192.168.164.87
>    subnet mask. . . . . . . . . . . .: 255.255.255.0
>
> All BIND instances are installed on the Windows 2012 R2 platform
>
> ================================= Test 1 : in view area01 "no-ecs-area01" does not exist ================
> C:>dig areaxx.sub.example.com. @dns2.sub.example.com.
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13577
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 325d48c8c441ee0168c686475811912d9a5d9fc7bf113bd2 (good)
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.                IN      A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN      A       10.0.255.255
>
> ============================== Test 2 : in view area01 "no-ecs-area01" exists ===========
> C:>dig areaxx.sub.example.com. @dns2.sub.example.com.
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32403
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: ec76aa0d6063ddfac0fb42b958118fa3039eae3d58015a05 (good)
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.                IN      A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN      A       10.0.0.10
>
> ========================== Test 3 : in view area01 "no-ecs-area01" does not exist ===========
> C:>dig areaxx.sub.example.com. @dns2.sub.example.com.
> +subnet=192.168.164.1
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
> +subnet=192.168.164.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62641
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: cb35db4f91e921970f85303858118f1128a20c69c0e0b995 (good)
> ; CLIENT-SUBNET: 192.168.164.1/32/24
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.                IN      A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN      A       10.0.0.10
>
> ========================== Test 4 : query from the example.com. domain DNS server ===========
> C:>dig areaxx.sub.example.com. @dns2.example.com.
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53897
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: da1119758607734a0e0355755811906b9703987cbc318f84 (good)
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.                IN      A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN      A       10.0.255.255
> ============================================================
> ========================
> C:>dig areaxx.sub.example.com. @dns2.example.com.  +subnet=192.168.164.1
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com.
> +subnet=192.168.164.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8782
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 342acccf1e48e80572a35255581190a7a6a2857252dd6c05 (good)
> ; CLIENT-SUBNET: 192.168.164.1/32/0
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.                IN      A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN      A       10.0.255.255
>
> =======================================================================
> The EDNS Client Subnet (ECS) option is used by a recursive resolver to
> inform an authoritative name server of the network address block from
> which the original query was received, enabling authoritative servers
> to give different answers to the same resolver for different resolver
> clients.
> An ACL containing an element of the form "ecs prefix" will match
> if a request arrives containing an ECS option encoding an address
> within that prefix.
> If the request has no ECS option, then "ecs" elements are simply ignored.
> Addresses in ACLs that are not prefixed with "ecs" are matched only
> against the source address.
>
> The above section is from ARM page 176. When I carefully check my config file
> I don't know where I was wrong.
>
> In which log will the client subnet information be stored?
>
>
>
>
The first three dig commands look correct.
1. No ecs, so it does not match.
2. No ecs, matches "no-ecs-area01"
3. ecs matches
4. and 5. use "@dns2.example.com." instead of "@dns2.sub.example.com." - is
that a different server?

-- 
Bob Harold
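To make Bob's three-point explanation concrete, here is an added Python model of how a match-clients list that mixes plain prefixes with "ecs" prefixes is evaluated, following the ARM text quoted in the question. It is not code from the thread or from BIND; the ACLs, view names and PC address are taken from the poster's configuration, and the first-match-wins view selection and the constructed resolver address 192.168.1.10 are assumptions.

```python
import ipaddress

# ACL elements: ("src", prefix) is matched against the query's source address;
# ("ecs", prefix) is matched against the address carried in the EDNS Client
# Subnet option and is simply skipped when the query has no ECS option;
# ("key", name) matches the TSIG key name. Named ACLs are the poster's.
ACLS = {
    "ecs-area01":    [("ecs", "192.168.164.0/24")],
    "no-ecs-area01": [("src", "192.168.164.0/24")],
    "any":           [("src", "0.0.0.0/0"), ("src", "::/0")],
}

def acl_matches(element, source, ecs=None, key=None):
    """Evaluate one match-clients element; strings refer to the ACLS table."""
    if isinstance(element, str) and element in ACLS:
        return any(acl_matches(e, source, ecs, key) for e in ACLS[element])
    kind, value = element
    if kind == "key":
        return key == value
    net = ipaddress.ip_network(value)      # 'in' is False across IP versions
    if kind == "src":
        return ipaddress.ip_address(source) in net
    if kind == "ecs":
        return ecs is not None and ipaddress.ip_address(ecs) in net
    raise ValueError(f"unknown ACL element {element!r}")

def select_view(views, source, ecs=None, key=None):
    """Return the first view whose match-clients list matches (assumed
    first-match-wins order, as views are listed in named.conf)."""
    for name, match_clients in views:
        if any(acl_matches(e, source, ecs, key) for e in match_clients):
            return name
    return None

# The two configurations the poster tested: view "area01" without and with
# the plain-prefix ACL, followed by the catch-all view (spelled "deafult"
# in the poster's named.conf).
WITHOUT_PLAIN = [("area01", ["ecs-area01", ("key", "Area01.example.com.")]),
                 ("deafult", ["any"])]
WITH_PLAIN = [("area01", ["no-ecs-area01", "ecs-area01",
                          ("key", "Area01.example.com.")]),
              ("deafult", ["any"])]

PC = "192.168.164.87"        # the test PC from the poster's ipconfig output
RESOLVER = "192.168.1.10"    # constructed: some other recursive server's address

if __name__ == "__main__":
    print(select_view(WITHOUT_PLAIN, PC))                       # deafult (test 1)
    print(select_view(WITH_PLAIN, PC))                          # area01 (test 2)
    print(select_view(WITHOUT_PLAIN, PC, ecs="192.168.164.1"))  # area01 (test 3)
    print(select_view(WITH_PLAIN, RESOLVER))                    # deafult (relayed, no ECS)
```

The last call shows Bob's point about tests 4 and 5: when the query is relayed through another server, the source address named sees is that server's, so only a forwarded ECS option or a TSIG key can still select "area01".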

