Hi,

I observed some situations where the PDNS recursor sends a DNS query with a loopback IP address (as in [5]) in the client subnet. Sending such info can cause confusion at the Auth. servers, leading to suboptimal mapping for the end-user. For instance, I resolved www.youtube.com directly against Google's Auth. DNS server using 127.0.0.1/32 [1] as a client subnet and without ECS [2], where Google's Auth. would use the requester IP address (which is my machine's IP in this case) to find the best near-by server.
As you can see from [1] and [2], the sets of A records returned in the two cases are different (I did resolve www.youtube.com using my machine's IP address in the client subnet and I received the same answers as in [2]). Moreover, I measured how far those answers are from my machine using ping. As shown in [3], the server was close to my machine because the Auth. server used my IP address to find a near-by server. However, when a loopback address was used, it caused confusion at the Auth. DNS and I was assigned to a server which is far from my machine [4] (26ms vs 130ms). To comply with the RFC for such cases, instead of sending 127.0.0.1/32, the recursor can either (i) send a DNS query without the ECS option at all or (ii) include its own IP address in the query. I just wanted to point out the possible performance implication when using a loopback address in the client subnet when resolving queries against Auth. DNS servers.

Sincerely,
Rami

[1] dig @216.239.38.10 www.youtube.com +client=127.0.0.1/32

; <<>> DiG 9.9.3 <<>> @216.239.38.10 www.youtube.com +client=127.0.0.1/32
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35237
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 127.0.0.1/32/32
;; QUESTION SECTION:
;www.youtube.com.            IN      A

;; ANSWER SECTION:
www.youtube.com.             86400   IN      CNAME   youtube-ui.l.google.com.
youtube-ui.l.google.com.     300     IN      A       172.217.168.46
youtube-ui.l.google.com.     300     IN      A       216.58.215.238
youtube-ui.l.google.com.     300     IN      A       172.217.168.14

[2] dig @216.239.38.10 www.youtube.com

; <<>> DiG 9.9.3 <<>> @216.239.38.10 www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50656
;; flags: qr aa rd; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.youtube.com.            IN      A

;; ANSWER SECTION:
www.youtube.com.             86400   IN      CNAME   youtube-ui.l.google.com.
youtube-ui.l.google.com.     300     IN      A       172.217.5.14
youtube-ui.l.google.com.     300     IN      A       216.58.216.110
youtube-ui.l.google.com.     300     IN      A       216.58.192.206
youtube-ui.l.google.com.     300     IN      A       216.58.192.238
youtube-ui.l.google.com.     300     IN      A       172.217.4.78
youtube-ui.l.google.com.     300     IN      A       172.217.4.206
youtube-ui.l.google.com.     300     IN      A       172.217.4.238
youtube-ui.l.google.com.     300     IN      A       172.217.0.14
youtube-ui.l.google.com.     300     IN      A       172.217.9.78
youtube-ui.l.google.com.     300     IN      A       216.58.192.174
youtube-ui.l.google.com.     300     IN      A       172.217.9.46
youtube-ui.l.google.com.     300     IN      A       172.217.6.110
youtube-ui.l.google.com.     300     IN      A       172.217.4.46
youtube-ui.l.google.com.     300     IN      A       172.217.1.46
youtube-ui.l.google.com.     300     IN      A       172.217.8.174
youtube-ui.l.google.com.     300     IN      A       172.217.8.206

[3] ping 172.217.5.14

PING 172.217.5.14 (172.217.5.14) 56(84) bytes of data.
64 bytes from 172.217.5.14: icmp_seq=2 ttl=128 time=25.7 ms
64 bytes from 172.217.5.14: icmp_seq=3 ttl=128 time=27.7 ms
64 bytes from 172.217.5.14: icmp_seq=4 ttl=128 time=27.3 ms
64 bytes from 172.217.5.14: icmp_seq=5 ttl=128 time=26.4 ms

[4] ping 172.217.168.78

PING 172.217.168.78 (172.217.168.78) 56(84) bytes of data.
64 bytes from 172.217.168.78: icmp_seq=1 ttl=128 time=131 ms
64 bytes from 172.217.168.78: icmp_seq=2 ttl=128 time=135 ms
64 bytes from 172.217.168.78: icmp_seq=3 ttl=128 time=133 ms
64 bytes from 172.217.168.78: icmp_seq=4 ttl=128 time=134 ms

[5] https://doc.powerdns.com/recursor/settings.html#ecs-scope-zero-address
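An added example, not part of Rami's mail and not PowerDNS code: it builds the RFC 7871 ECS option bytes a recursor would send upstream, drops the option entirely for loopback/private client addresses (option (i) in the mail), and flags a non-global client subnet in captured dig output like the `CLIENT-SUBNET: 127.0.0.1/32/32` line in [1]. Function names and the 24/56 default prefix lengths are my own choices.

```python
import ipaddress
import re
import struct
from typing import Optional


def build_ecs_option(addr: str, source_prefix: int) -> bytes:
    """Return ECS OPTION-DATA (RFC 7871 section 6): FAMILY, SOURCE PREFIX-LENGTH,
    SCOPE PREFIX-LENGTH (0 in a query), then ADDRESS truncated to the prefix
    with the bits beyond it zeroed. A prefix of 0 carries no address bytes."""
    ip = ipaddress.ip_address(addr)
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    family = 1 if ip.version == 4 else 2
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8
    return struct.pack("!HBB", family, source_prefix, 0) + net.network_address.packed[:nbytes]


def upstream_ecs(client_addr: str, v4_prefix: int = 24, v6_prefix: int = 56) -> Optional[bytes]:
    """Decide what a recursor should attach to the outgoing query for this client.
    Loopback, private and other non-global addresses carry no location
    information, so the query is sent with no ECS option at all (the mail's
    option (i)) instead of forwarding something like 127.0.0.1/32 upstream."""
    ip = ipaddress.ip_address(client_addr)
    if not ip.is_global:
        return None
    return build_ecs_option(client_addr, v4_prefix if ip.version == 4 else v6_prefix)


# Matches the OPT pseudosection line dig prints: "; CLIENT-SUBNET: addr/source/scope"
_CLIENT_SUBNET = re.compile(r"CLIENT-SUBNET:\s*([^\s/]+)/(\d+)/(\d+)")


def leaks_nonglobal_subnet(dig_line: str) -> bool:
    """Audit helper for captured dig output: True when the line carries a
    non-global client subnet (loopback, private, link-local)."""
    m = _CLIENT_SUBNET.search(dig_line)
    if not m:
        return False
    return not ipaddress.ip_address(m.group(1)).is_global


if __name__ == "__main__":
    print(build_ecs_option("127.0.0.1", 32).hex())  # 000120007f000001
    print(upstream_ecs("127.0.0.1"))  # None: send the query without ECS
    print(leaks_nonglobal_subnet("; CLIENT-SUBNET: 127.0.0.1/32/32"))  # True
```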
_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
