Re: [Pdns-users] pdns recursor edns-client-subnet caching problems

2017-08-02 Thread Shawn Zhou
I don't think that's the right behavior. If Client Subnet scope is set to 0, 
the resolver should not cache it. unbound DNS gives me the expected output as its 
cache has different entries for different client subnets. Why is pdns recursor's 
implementation different?

root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30374
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600    IN      CNAME   ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600  IN      A       35.156.66.126

;; AUTHORITY SECTION:
insnw.net.              86400   IN      NS      ns2.insnw.net.
insnw.net.              86400   IN      NS      ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.          86400   IN      A       192.33.29.21
ns2.insnw.net.          86400   IN      A       192.33.29.22

;; Query time: 38 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:57:39 GMT 2017
;; MSG SIZE  rcvd: 177

root@DFW01-CPS02:~# dig @localhost morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15379
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600    IN      CNAME   ins-091.inscname.net.
ins-091.inscname.net.   3600    IN      CNAME   a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net.   3600    IN      A       192.33.31.183

;; AUTHORITY SECTION:
insnw.net.              86382   IN      NS      ns2.insnw.net.
insnw.net.              86382   IN      NS      ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.          86382   IN      A       192.33.29.21
ns2.insnw.net.          86382   IN      A       192.33.29.22

;; Query time: 133 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:57:57 GMT 2017
;; MSG SIZE  rcvd: 191

root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16040
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3578    IN      CNAME   ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 578  IN      A       35.156.66.126

;; AUTHORITY SECTION:
insnw.net.              86378   IN      NS      ns2.insnw.net.
insnw.net.              86378   IN      NS      ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.          86378   IN      A       192.33.29.21
ns2.insnw.net.          86378   IN      A       192.33.29.22

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:58:01 GMT 2017
;; MSG SIZE  rcvd: 177

root@DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3792
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 35.156.66.126/32/14
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600    IN      CNAME   ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600  IN      A       35.156.66.126

;; AUTHORITY SECTION:
insnw.net.              86400   IN      NS      ns2.insnw.net.
insnw.net.              86400   IN      NS      ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.          86400   IN      A       192.33.29.21
ns2.insnw.net.          86400   IN      A       192.33.29.22

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:08 GMT 2017
;; MSG SIZE  rcvd: 177

root@DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53600
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 35.156.66.126/32/14
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3593    IN      CNAME   ien01-fra02.svc.insnw.net.
ien01-

Re: [Pdns-users] pdns recursor edns-client-subnet caching problems

2017-08-02 Thread Remi Gacogne
Hi Shawn,

On 08/02/2017 08:47 AM, Shawn Zhou wrote:
> Sorry. I meant the authoritative nameserver did respond with the correct 
> answer. 

The authoritative server answers with an EDNS Client Subnet scope set to
0 when we send a query with a source set to 127.0.0.1/32, meaning that
we can cache the answer and use it for any source:

$ dig @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net

; <<>> DiG 9.11.2 <<>> @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41118
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b560d095f78df047eb13a9a85981941eb2b38c5376e87bb2 (good)
; CLIENT-SUBNET: 127.0.0.1/32/0
[...]

Once this answer is in our cache, we will use it until it expires and
won't look for most specific answers, regardless of the ECS value of the
query.

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
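
Added example (not part of either message, and not PowerDNS or unbound code): a toy model of an ECS-scoped answer cache that contrasts the two behaviours discussed in this thread, a cached scope-0 answer being used for every client versus separate entries per client subnet. The client addresses and scope lengths are the ones in the dig output above; the class, the policy names and the answer addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress


class EcsCache:
    """Toy ECS-aware cache: one name may hold several answers, each valid
    for the network derived from the response's scope prefix length."""

    def __init__(self):
        self.entries = {}  # qname -> {ip_network: answer}

    def store(self, qname, source, scope_len, answer):
        # The answer is valid for the source address truncated to the scope
        # length; scope 0 becomes 0.0.0.0/0, i.e. valid for any client.
        net = ipaddress.ip_network(f"{source}/{scope_len}", strict=False)
        self.entries.setdefault(qname, {})[net] = answer
        return net

    def lookup(self, qname, client, policy="longest_match"):
        addr = ipaddress.ip_address(client)
        hits = [(net, ans) for net, ans in self.entries.get(qname, {}).items()
                if addr in net]
        if not hits:
            return None  # miss: the resolver has to ask the authoritative
        if policy == "scope_zero_first":
            # Behaviour described in the reply: once a scope-0 answer is
            # cached it is served regardless of the query's ECS value.
            for net, ans in hits:
                if net.prefixlen == 0:
                    return ans
        # Otherwise serve the most specific network covering the client.
        return max(hits, key=lambda hit: hit[0].prefixlen)[1]


NAME = "morpheus-ien.insnw.net."


def build_cache(with_scope_zero=True):
    """Populate the cache with the (source, scope) pairs seen in the thread."""
    cache = EcsCache()
    cache.store(NAME, "52.57.28.138", 16, "192.0.2.10")    # constructed answer
    cache.store(NAME, "35.156.66.126", 14, "192.0.2.20")   # constructed answer
    if with_scope_zero:
        cache.store(NAME, "127.0.0.1", 0, "198.51.100.1")  # constructed answer
    return cache


if __name__ == "__main__":
    cache = build_cache()
    for client in ("52.57.99.1", "35.157.1.1", "203.0.113.5"):
        print(client,
              cache.lookup(NAME, client, "longest_match"),
              cache.lookup(NAME, client, "scope_zero_first"))
```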


