Thanks Otto, I agree with the docs, but then the actual operation/result is not consistent unless I'm misunderstanding the operation or purpose of proxy-protocol-from.
*Product:* pdns-recursor
*Version:* 4.8.1
*Full recursor.conf config:*

    allow-from=<src-subnet>
    api-key=xxxx
    #config-dir=/usr/etc
    daemon=no
    #disable-syslog=no
    edns-subnet-allow-list=0.0.0.0/0.
    etc-hosts-file=/etc/hosts
    # export-etc-hosts=off
    #local-address=
    local-port=53
    loglevel=6
    log-common-errors=yes
    # max-cache-entries=1000000
    # max-concurrent-requests-per-tcp-connection=10
    max-tcp-clients=128
    # max-tcp-per-client=0
    # max-tcp-queries-per-connection=0
    # network-timeout=1500
    new-domain-log=yes
    quiet=no
    threads=2
    use-incoming-edns-subnet=yes
    webserver=yes
    webserver-address=0.0.0.0
    webserver-allow-from=0.0.0.0/0
    webserver-loglevel=none
    webserver-password=xxxx
    webserver-port=8082
    write-pid=yes
    hint-file=/etc/named.root.txt
    log-common-errors=no
    lua-config-file=/etc/proxy-map.lua
    max-busy-dot-probes=50
    proxy-protocol-from=<mapped public IP per below>

*LUA script for proxy maps:*

    addProxyMapping("private subnet 1", "mapped public IP")

There are 2 requirements:

1. accurately enable ACLs via allow-from
2. use proxy-mapped public address from addProxyMapping for ecs/edns queries

Currently, the proxy mapped address is being used to match against allow-from rather than the source/original address. I'm hoping proxy-protocol-from does not affect ecs/edns function, but the docs don't discuss anything around this; I would assume not.

Update, per your replies: "I think proxyMapping and the use of ECS is explained in https://docs.powerdns.com/recursor/lua-config/proxymapping.html." I understand proxymapping; this is not my issue, I'm just mentioning it to provide context.

(My logging is still not working in my docker container. I'll request separate assistance with this.)

Regards and thank you
Robby

On Fri, 20 Jan 2023 at 17:58, Otto Moerbeek <o...@drijf.net> wrote:

> Please show your full configuration, including versions etc. Also, it
> is not clear which product you are using.
>
> The recursor docs say:
>
> "Note that once a Proxy Protocol header has been received, the source
> address from the proxy header instead of the address of the proxy will
> be checked against the allow-from ACL."
>
> https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
>
> -Otto
>
> On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users wrote:
>
> > Hi all,
> >
> > I'm not sure if this is a change in behaviour or I simply haven't noticed
> > this before, but after upgrading my docker image today, I've seen queries
> > being dropped due to the mapped address in my proxy mappings being used
> > for allow-from rather than the src/original address. I use a private-public
> > address mapping in the proxy maps because I use the mapped public IP as
> > part of ecs/edns.
> >
> > I've now set:
> >
> > proxy-protocol-from=<mapped ip> (or should this be the src IP?)
> >
> > but this doesn't appear to have changed anything and queries are still
> > being dropped.
> >
> > Can anyone advise where I'm going wrong? I don't mind putting the mapped
> > (public) IP in allow-from but would prefer not to do it if not required.
> >
> > Regards
> >
> > --
> > Robby Pedrica
> >
> > c: +27 82 416 8696
> >
> > _______________________________________________
> > Pdns-users mailing list
> > Pdnsemail@example.com
> > https://mailman.powerdns.com/mailman/listinfo/pdns-users

--
Robby Pedrica
XStore
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedr...@xstore.co.za
w: http://wwww.xstore.co.za/
_______________________________________________
Pdns-users mailing list
Pdnsfirstname.lastname@example.org
https://mailman.powerdns.com/mailman/listinfo/pdns-users
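The failure Robby describes (queries dropped because the allow-from ACL is evaluated against the address produced by addProxyMapping, not the original client address) is a configuration-consistency problem that can be checked offline before a recursor restart. The script below is an added example, not code from the thread or from PowerDNS: it parses the allow-from line of a recursor.conf and the addProxyMapping calls in a lua-config-file, then reports, for each mapping, whether the mapped address passes the ACL (what matters if the mapping is applied before the ACL check, the behaviour Robby observes) and whether the original subnet passes it (what matters if the ACL is checked first). The two config texts are constructed samples with documentation addresses; the mapping-before-ACL ordering is taken from the behaviour reported in the thread, not from the PowerDNS documentation, and the third-argument form of addProxyMapping is deliberately not handled.

```python
"""Lint a pdns-recursor allow-from ACL against addProxyMapping entries.

Added example (not the thread's or PowerDNS's code). Flags proxy mappings
whose mapped address the ACL would reject, which is the symptom the thread
reports when the mapping is applied before the allow-from check.
"""
import ipaddress
import re

# Constructed sample recursor.conf fragment (RFC 5737 documentation addresses).
RECURSOR_CONF = """\
allow-from=10.0.0.0/8, 192.168.10.0/24, 203.0.113.11
proxy-protocol-from=203.0.113.10
local-port=53
"""

# Constructed sample lua-config-file with three proxy mappings.
PROXY_MAP_LUA = """\
-- constructed example proxy map, not a real deployment
addProxyMapping("10.1.0.0/16", "203.0.113.10")
addProxyMapping("192.168.10.0/24", "203.0.113.11")
addProxyMapping("172.16.0.0/12", "198.51.100.5")
"""

# Matches the two-argument form used in the thread: addProxyMapping("subnet", "ip")
CALL_RE = re.compile(r'addProxyMapping\(\s*"([^"]+)"\s*,\s*"([^"]+)"')


def parse_allow_from(conf_text):
    """Return the allow-from networks; the last allow-from= line wins."""
    nets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("allow-from="):
            value = line.split("=", 1)[1]
            nets = [ipaddress.ip_network(v.strip(), strict=False)
                    for v in value.split(",") if v.strip()]
    return nets


def parse_proxy_mappings(lua_text):
    """Collect (subnet, mapped_ip) pairs from addProxyMapping calls, skipping Lua comments."""
    mappings = []
    for line in lua_text.splitlines():
        if line.lstrip().startswith("--"):
            continue
        m = CALL_RE.search(line)
        if m:
            mappings.append((ipaddress.ip_network(m.group(1), strict=False),
                             ipaddress.ip_address(m.group(2))))
    return mappings


def in_acl(addr, acl):
    """True if the single address falls inside any ACL network."""
    return any(addr in net for net in acl)


def map_source(src, mappings):
    """Longest-prefix match over the mappings; returns src unchanged when none applies."""
    best = None
    for subnet, mapped in mappings:
        if src in subnet and (best is None or subnet.prefixlen > best[0].prefixlen):
            best = (subnet, mapped)
    return best[1] if best else src


def acl_result(src_str, conf_text, lua_text):
    """Address actually checked, and its ACL verdict, under mapping-before-ACL ordering."""
    src = ipaddress.ip_address(src_str)
    checked = map_source(src, parse_proxy_mappings(lua_text))
    return {"checked_address": str(checked),
            "allowed": in_acl(checked, parse_allow_from(conf_text))}


def lint(conf_text, lua_text):
    """Per mapping: does the mapped address pass, and does the original subnet pass?"""
    acl = parse_allow_from(conf_text)
    report = []
    for subnet, mapped in parse_proxy_mappings(lua_text):
        report.append({
            "subnet": str(subnet),
            "mapped": str(mapped),
            # verdict if the mapping is applied first (behaviour reported in the thread)
            "mapped_allowed": in_acl(mapped, acl),
            # verdict if allow-from is checked against the original client subnet
            "source_allowed": any(subnet.subnet_of(net) for net in acl
                                  if net.version == subnet.version),
        })
    return report


if __name__ == "__main__":
    for row in lint(RECURSOR_CONF, PROXY_MAP_LUA):
        print(row)
    print(acl_result("10.1.2.3", RECURSOR_CONF, PROXY_MAP_LUA))
```

With the sample inputs, the first mapping is the case from the thread: clients in 10.1.0.0/16 are inside allow-from, but their mapped address 203.0.113.10 is not, so a mapping-first ACL drops them; the second mapping is safe either way because 203.0.113.11 was added to allow-from explicitly; the third fails both checks. Running the lint after each change to proxy-map.lua or allow-from shows which mappings need an ACL entry for their mapped address.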