One of the suggestions I was given last week for improving PowerDNS performance was to use the proxy protocol available in pdns_recursor 4.4 when passing traffic between dnsdist and pdns_recursor. I've finally gotten a chance to test this setup, but I'm having a problem with getting the recursor to use the proxied client IP for ECS. Recursor.conf at the end.
If I configure pdns_recursor to listen on the public IP/port 53, I see pdns_recursor adding ECS with the client subnet/24 set correctly.

If I configure pdns_recursor to listen on the loopback/port 5353, with dnsdist in front (sending proxied requests, proxying verified by Wireshark), pdns_recursor adds ECS using the scope zero IP instead of the client subnet.

Using the same dnsdist/pdns_recursor setup as the previous, but with "ecs-add-for=0.0.0.0/0, ::/0" added to the configuration, I see ECS with ::/56 as the client subnet. Since dnsdist is using "newServer({address='[::1]:5353', useProxyProtocol=true, sockets=12})", this suggests that pdns_recursor is ignoring the client IP that was proxied, and using the client IP from the UDP connection instead.

I did try 4.5beta2 as well, but the behavior didn't change.

Have I missed some setting for telling pdns_recursor to use the proxied client IP in ECS? Is this a bug?

Thanks,
Mark

/etc/pdns-recursor/recursor.conf
----------
setgid=pdns-recursor
setuid=pdns-recursor
version-string=anonymous
threads=10
pdns-distributes-queries=yes
distributor-threads=1
distribution-load-factor=1.25
query-local-address=184.60.111.107, 2600:3402:400:2:250:56ff:feb8:7de5
allow-from=0.0.0.0/0, ::/0
proxy-protocol-from=127.0.0.1/8, ::1/128
edns-subnet-whitelist=tds.net
#local-port=5353
local-port=53
#local-address=127.0.0.1,::1
local-address=184.60.111.107, 2600:3402:400:2:250:56ff:feb8:7de5
lua-dns-script=/etc/pdns-recursor/recursor-script.lua

-- 
XML combines the efficiency of text files with the readability of binary files
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
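The question above comes down to which source address the recursor picks for ECS: the one carried in the PROXY protocol v2 header dnsdist prepends, or the peer address of the loopback UDP socket. As an added illustration (not code from the poster, dnsdist or pdns_recursor), the Python below decodes a PROXY v2 header as laid out in the HAProxy specification and derives the ECS prefix at the /24 and /56 lengths the post observes, so the two outcomes can be compared on a captured datagram; the client addresses and DNS payload are constructed samples, and the public address is the one from the posted recursor.conf.

```python
import ipaddress
import struct

# 12-byte PROXY protocol v2 signature from the HAProxy specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

def parse_proxy_v2(datagram):
    """Return (client, target, dns_payload); client is None for LOCAL (use the socket peer)."""
    if not datagram.startswith(PP2_SIGNATURE):
        raise ValueError("no PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", datagram[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    body, payload = datagram[16:16 + length], datagram[16 + length:]
    if len(body) != length:
        raise ValueError("truncated PROXY header")
    if ver_cmd & 0x0F == 0:  # LOCAL command carries no proxied address
        return None, None, payload
    family = fam_proto >> 4
    if family == 1:    # AF_INET: 4-byte src/dst, then 16-bit src/dst ports
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
    elif family == 2:  # AF_INET6: 16-byte src/dst, then 16-bit src/dst ports
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported address family %#x" % family)
    return (ipaddress.ip_address(src), sport), (ipaddress.ip_address(dst), dport), payload

def ecs_subnet(addr, v4_bits=24, v6_bits=56):
    """Truncate a client address to the prefix length carried in the outgoing ECS option."""
    bits = v4_bits if addr.version == 4 else v6_bits
    return ipaddress.ip_network("%s/%d" % (addr, bits), strict=False)

def expected_ecs(datagram, socket_peer):
    """ECS prefix a proxy-aware recursor should send: proxied client if present, else socket peer."""
    client, _target, _payload = parse_proxy_v2(datagram)
    addr = client[0] if client else ipaddress.ip_address(socket_peer)
    return ecs_subnet(addr)

def build_proxy_v2(client_ip, client_port, target_ip, target_port, payload):
    """Construct a PROXY v2 header (PROXY command, DGRAM) the way a proxy prepends it."""
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(target_ip)
    fam_proto = (0x10 if src.version == 4 else 0x20) | 0x02  # AF_INET/AF_INET6 + UDP
    addrs = src.packed + dst.packed + struct.pack("!HH", client_port, target_port)
    return PP2_SIGNATURE + bytes([0x21, fam_proto]) + struct.pack("!H", len(addrs)) + addrs + payload

if __name__ == "__main__":
    # Constructed sample: IPv4 client hitting dnsdist on the public address, relayed over [::1]:5353.
    dgram = build_proxy_v2("198.51.100.77", 40000, "184.60.111.107", 53, b"\x00\x01\x01\x00" + b"\x00" * 8)
    print(expected_ecs(dgram, "::1"))  # 198.51.100.0/24 when the proxied address is honoured
    print(ecs_subnet(ipaddress.ip_address("::1")))  # ::/56, the value the post saw instead
```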