<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Thu, Oct 27, 2016 at 7:51 PM, <span dir="ltr"><<a href="mailto:HsuLiPing@itri.org.tw" target="_blank">HsuLiPing@itri.org.tw</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr" style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:calibri,arial,helvetica,sans-serif">
<p>;<br>
; area10.itri.org.tw.txt<br>
;<br>
$ORIGIN sub.itri.org.tw.<br>
$ttl 60</p>
<p>@ IN SOA dns1 hsuliping.itri.org.tw. (<br>
2016102701 ;serial no<br>
1h ;refresh every 1 hour<br>
1h ;retry - 1 hour<br>
2D ;expire after 2 days<br>
1D) ;minimum ttl of 1 day</p>
<p> IN NS dns1<br>
IN NS dns2 </p>
<p>dns1 IN A 192.168.254.138 <br>
dns2 IN A 192.168.157.194 </p>
<p>areaxx IN A 10.0.0.10 <br>
IN AAAA 2001:ed8:3000::10</p>
<p>================================================================<br>
;<br>
; default.example.com.txt<br>
;<br>
$ORIGIN sub.example.com.<br>
$ttl 60</p>
<p>@ IN SOA dns1 nocomment.example.com. (<br>
2016102702 ;serial no<br>
1h ;refresh every 1 hour<br>
1h ;retry - 1 hour<br>
2D ;expire after 2 days<br>
1D) ;minimum ttl of 1 day</p>
<p><br>
;sub-domain name servers<br>
IN NS dns1<br>
IN NS dns2</p>
<p>;A records for name servers above<br>
dns1 IN A 192.168.254.138 <br>
dns2 IN A 192.168.157.194 </p>
<p>areaxx IN A 10.0.255.255 <br>
IN AAAA 2001:ed8:3000::FFFF:255<br>
==================================================================</p>
<p>acl ecs-area01 { ecs 192.168.164.0/24; };<br>
acl no-ecs-area01 { 192.168.164.0/24; };</p>
<p>options {<br>
directory "d:\isc bind 9\var\named";<br>
// geoip-directory "d:\isc bind 9\geodb";</p>
<p> // version statement - inhibited for security<br>
// avoid hacking any know weaknesses</p>
<p> version none;</p>
<p> allow-recursion { 192.168.0.0/16; };<br>
forwarders{ 192.168.9.11; };</p>
<p> tcp-clients 600;</p>
<p> hostname "Very glad service for you....";</p>
<p> listen-on-v6 { none; };<br>
allow-update {none;}; // defaulted - if not present</p>
<p> max-cache-ttl 60;<br>
max-ncache-ttl 600;</p>
<p> dump-file "named dump.db";<br>
memstatistics-file "named.memstats";</p>
<p> pid-file "named.pid";<br>
querylog yes;<br>
interface-interval 0;<br>
statistics-file "named.stats";<br>
zone-statistics yes;</p>
<p> notify explicit;<br>
allow-transfer { none; };<br>
};</p>
<p>view "area01" {<br>
match-clients { no-ecs-area01; ecs-area01; key Area01.example.com.;};<br>
zone "sub.example.com" in {<br>
type master;<br>
file "sub/area01.example.com.txt";<br>
also-notify { 192.168.157.194 key Area01.example.com.; };<br>
allow-transfer { key Area01.example.com.; };<br>
};<br>
}; <br>
// Area01 View End</p>
<p>view "deafult" { // Default<br>
match-clients { any; };<br>
zone "sub.example.com" in {<br>
type master;<br>
file "sub/default.example.com.txt";<br>
also-notify { 192.168.157.194 key Default.example.com.;};<br>
allow-transfer { key Default.example.com.; };<br>
};<br>
}; <br>
// Default View End</p>
<p><br>
This DNS server platform is Windows 2012 R2 and I installed BIND 9.11.<br>
My PC IP is 192.168.164.123, so when I test the no-ecs-area01 match list in view area01, when<br>
I use dig on that zone entry it always returns the view default entry. But if I add no-ecs-area01 then it will<br>
respond with the correct entry. <br>
When I use a dig query including +subnet=192.168.164.1 then it will return the view area01 entry (not including no-ecs-area01).<br>
I don't know where I was wrong. <br>
In the query log, can I find the client ECS entry?<br>
=================================My test PC IP information ================<br>
C:>ipconfig</p>
<p><br>
IPv4 address. . . . . . . . . . . : 192.168.164.87<br>
subnet mask. . . . . . . . . . . .: 255.255.255.0<br>
<br>
All BIND servers are installed on the Windows 2012 R2 platform</p>
<p>=================================Test 1 : in view area01 "no-ecs-area01" does not exist ================<br>
C:>dig areaxx.sub.example.com. @dns2.sub.example.com.</p>
<p>; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13577<br>
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1</p>
<p>;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: 325d48c8c441ee0168c686475811912d9a5d9fc7bf113bd2 (good)<br>
;; QUESTION SECTION:<br>
;areaxx.sub.example.com. IN A</p>
<p>;; ANSWER SECTION:<br>
areaxx.sub.example.com. 60 IN A 10.0.255.255</p>
<p>==============================Test 2 : in view area01 "no-ecs-area01" exists===========<br>
C:>dig areaxx.sub.example.com. @dns2.sub.example.com.</p>
<p>; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32403<br>
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1</p>
<p>;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: ec76aa0d6063ddfac0fb42b958118fa3039eae3d58015a05 (good)<br>
;; QUESTION SECTION:<br>
;areaxx.sub.example.com. IN A</p>
<p>;; ANSWER SECTION:<br>
areaxx.sub.example.com. 60 IN A 10.0.0.10</p>
<p>==========================Test 3 : in view area01 "no-ecs-area01" does not exist ===========<br>
C:>dig areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1</p>
<p>; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62641<br>
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1</p>
<p>;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: cb35db4f91e921970f85303858118f1128a20c69c0e0b995 (good)<br>
; CLIENT-SUBNET: 192.168.164.1/32/24<br>
;; QUESTION SECTION:<br>
;areaxx.sub.example.com. IN A</p>
<p>;; ANSWER SECTION:<br>
areaxx.sub.example.com. 60 IN A 10.0.0.10</p>
<p>==========================Test 4 : from example.com. domain DNS server query ===========<br>
C:>dig areaxx.sub.example.com. @dns2.example.com.</p>
<p>; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53897<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1</p>
<p>;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: da1119758607734a0e0355755811906b9703987cbc318f84 (good)<br>
;; QUESTION SECTION:<br>
;areaxx.sub.example.com. IN A</p>
<p>;; ANSWER SECTION:<br>
areaxx.sub.example.com. 60 IN A 10.0.255.255<br>
==========================================================================<br>
C:>dig areaxx.sub.example.com. @dns2.example.com. +subnet=192.168.164.1</p>
<p>; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com. +subnet=192.168.164.1<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8782<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1</p>
<p>;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: 342acccf1e48e80572a35255581190a7a6a2857252dd6c05 (good)<br>
; CLIENT-SUBNET: 192.168.164.1/32/0<br>
;; QUESTION SECTION:<br>
;areaxx.sub.example.com. IN A</p>
<p>;; ANSWER SECTION:<br>
areaxx.sub.example.com. 60 IN A 10.0.255.255</p>
<p>=======================================================================<br>
The EDNS Client Subnet (ECS) option is used by a recursive resolver to <br>
inform an authoritative name server of the network address block from<br>
which the original query was received, enabling authoritative servers <br>
to give different answers to the same resolver for different resolver clients.<br>
An ACL containing an element of the form ecs prefix will match <br>
if a request arrives in containing an ECS option encoding an address within that prefix.<br>
If the request has no ECS option, then "ecs" elements are simply ignored. <br>
Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address.</p>
<p>The section above is from ARM page 176. When I carefully check my config file,<br>
I don't know where I was wrong.</p>
<p>In which log is the client subnet information stored?</p>
<br>
<br>
--<br>
This email may contain ITRI confidential information. If you are not the intended recipient, please do not use or disclose its contents, and destroy this email.
</div>
<br></blockquote><div><br></div><div>The first three dig commands look correct.<br></div><div>1. No ecs, so it does not match.<br></div><div>2. No ecs, matches "no-ecs-area01"<br></div><div>3. ecs matches<br></div><div>4. and 5. use "@<a href="http://dns2.example.com">dns2.example.com</a>." instead of "@<a href="http://dns2.sub.example.com">dns2.sub.example.com</a>." - is that a different server?<br><br>-- <br></div><div>Bob Harold<br><br></div></div><br></div></div>
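The fall-through Bob points out in 1. and 2. (an ecs element is skipped when the query carries no ECS option, so the client lands in the catch-all view unless a plain prefix is also listed) can be checked with a small model of match-clients evaluation. This is added example code, not BIND's implementation or anything posted in the thread; Query, element_matches and select_view are names chosen here, and the scope value is modelled on the /32/24 and /32/0 that dig printed above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Simplified model of how a view's match-clients ACL is evaluated for the two
# element kinds used in the thread (example code, not BIND's own): a bare prefix
# is tested against the address the query came from, while an "ecs <prefix>"
# element is tested only against the EDNS Client Subnet address, if any.

@dataclass(frozen=True)
class Query:
    source: str                 # address the query arrived from
    ecs: Optional[str] = None   # "address/source-prefix-length" from the ECS option

def element_matches(element: str, q: Query) -> Tuple[bool, int]:
    """Return (matched, scope); scope models the SCOPE length dig printed:
    24 when the ecs element matched (test 3, "/32/24"), else 0 ("/32/0")."""
    if element == "any":
        return True, 0
    if element.startswith("ecs "):
        if q.ecs is None:
            return False, 0     # no ECS option: ecs elements are simply ignored
        acl_net = ipaddress.ip_network(element[4:], strict=False)
        client_net = ipaddress.ip_network(q.ecs, strict=False)
        if client_net.version != acl_net.version:
            return False, 0
        matched = client_net.subnet_of(acl_net)
        return matched, acl_net.prefixlen if matched else 0
    acl_net = ipaddress.ip_network(element, strict=False)
    return ipaddress.ip_address(q.source) in acl_net, 0

def select_view(views: Iterable[Tuple[str, List[str]]], q: Query) -> Tuple[Optional[str], int]:
    """First view, in configuration order, whose match-clients list matches q."""
    for name, acl in views:
        for element in acl:
            matched, scope = element_matches(element, q)
            if matched:
                return name, scope
    return None, 0

# Constructed from the thread: area01 with only the ecs element (tests 1 and 3)
# and with the plain no-ecs-area01 prefix added (test 2); "default" is the catch-all.
ECS_ONLY = [("area01", ["ecs 192.168.164.0/24"]), ("default", ["any"])]
WITH_PLAIN = [("area01", ["192.168.164.0/24", "ecs 192.168.164.0/24"]), ("default", ["any"])]
PC = Query("192.168.164.87")                              # plain dig from the test PC
PC_ECS = Query("192.168.164.87", ecs="192.168.164.1/32")  # dig ... +subnet=192.168.164.1
```

Running select_view over ECS_ONLY and WITH_PLAIN with PC and PC_ECS reproduces the three answers in the thread: default, area01, area01 with scope 24.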