Hi, I am working at a French multinational company, in charge of the Greater China region, based in Shanghai, China.

We are using Google Apps (Gmail, Contacts, Calendar, Drive, Sites, etc.) for office applications. Meanwhile we need to access many other international web resources (of course…). As we all know, the China GFW (Great Firewall) is in place, which blocks access to many web resources (Google, Facebook, Twitter, SalesForce, GitHub, and many more…). So we implemented tunnels to Hong Kong/Taiwan to cross it.

The network layer topology is simple:
· We set up 1 VPN tunnel to Hong Kong (with 1 other tunnel to Taiwan as redundancy).
· We created routing rules based on China's country IP range. If the destination is China, traffic goes out through the local link directly; if the destination is non-China, traffic goes out through the VPN tunnel.
· The 2 tunnels will be switched in case 1 is down.

On the DNS part, since China DNS providers are doing DNS poisoning, we chose a French DNS provider as resolver. The solution works ok, except the French DNS always replies with records according to the breakout IP. This causes slowness when we access China websites, e.g. opening www.taobao.com but in fact accessing a Taobao CDN node in Iceland.

My idea is to change to Google DNS (or maybe OpenDNS) and utilize EDNS-Client-Subnet:
· When a local client does a DNS query, the on-premise Recursive Name Server (currently using Windows Server 2008 R2's DNS role) should pass the query to 8.8.8.8 with a location indication of Shanghai (in reality, the traffic will go through the Hong Kong tunnel and expose a Hong Kong IP to 8.8.8.8).
· 8.8.8.8 should reply with the record for a node most optimized for Shanghai.
· The client then accesses the node over the local Internet link, with the best speed.

After my research, I don't think Windows Server supports EDNS-Client-Subnet yet. Another stable DNS recursor should be adopted to replace it for the local DNS service. I spent some time on PowerDNS Recursor and see that since 4.0 it officially supports EDNS-Client-Subnet, but when I read the documents, I can hardly find how to make it work as I expected.
So I am asking: is there any recommended solution to achieve such a goal? Any special considerations? Thanks in advance,
_______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
