Re: [Pdns-users] Proxy mapped address used for allow-from

2023-01-27 Thread Robby Pedrica via Pdns-users
>
> > 1. accurately enable ACLs via allow-from
>
> As far as I know, the ACL is checked accurately, i.e. as defined in
> the docs.
>
> > 2. use proxy-mapped public address from addProxyMapping for ecs/edns
> queries
> >
> > Currently, the proxy mapped address is being used to match against
> > allow-from rather than the source/original address.
>
> I have the feeling there is some form of miscommunication going on.
>
> As documented, see:
>
> "M is used for incoming ACL checking (allow-from) and to determine the
> ECS processing (ecs-add-for)."
>
> where M is "the source address mapped by Table Based Proxy Mapping" in
>
>
> https://docs.powerdns.com/recursor/lua-config/proxymapping.html#table-based-proxy-mapping
>
> The first section of the page tries to explain what address is used in
> what circumstances.
>
> The point of proxyMapping is to use the mapped address as ECS and for
> ACL checking.
>
> If that is not what you want, maybe proxyMapping is not the answer to
> your question?
>
> -Otto
>

Hi Otto,

This is a perfect explanation and understood now.

Thanks for your assistance

Regards, Robby
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Proxy mapped address used for allow-from

2023-01-26 Thread Otto Moerbeek via Pdns-users
On Thu, Jan 26, 2023 at 03:07:17PM +0200, Robby Pedrica via Pdns-users wrote:

>  Thanks Otto,
> 
> I agree with the docs, but then the actual operation/result is not
> consistent unless I'm misunderstanding the operation or purpose of
> proxy-protocol-from.
> 
> *Product:*
> 
> pdns-recursor
> 
> *Version:*
> 
> 4.8.1
> 
> *Full recursor.conf config:*
> 
> allow-from=
> api-key=
> #config-dir=/usr/etc
> daemon=no
> #disable-syslog=no
> edns-subnet-allow-list=0.0.0.0/0.
> etc-hosts-file=/etc/hosts
> # export-etc-hosts=off
> #local-address=
> local-port=53
> loglevel=6
> log-common-errors=yes
> # max-cache-entries=100
> # max-concurrent-requests-per-tcp-connection=10
> max-tcp-clients=128
> # max-tcp-per-client=0
> # max-tcp-queries-per-connection=0
> # network-timeout=1500
> new-domain-log=yes
> quiet=no
> threads=2
> use-incoming-edns-subnet=yes
> webserver=yes
> webserver-address=0.0.0.0
> webserver-allow-from=0.0.0.0/0
> webserver-loglevel=none
> webserver-password=
> webserver-port=8082
> write-pid=yes
> hint-file=/etc/named.root.txt
> log-common-errors=no
> lua-config-file=/etc/proxy-map.lua
> max-busy-dot-probes=50
> proxy-protocol-from=
> 
> *LUA script for proxy maps:*
> 
> addProxyMapping("private subnet 1", "mapped public IP")
> 
> There are 2 requirements:
> 
> 1. accurately enable ACLs via allow-from

As far as I know, the ACL is checked accurately, i.e. as defined in
the docs.

> 2. use proxy-mapped public address from addProxyMapping for ecs/edns queries
> 
> Currently, the proxy mapped address is being used to match against
> allow-from rather than the source/original address.

I have the feeling there is some form of miscommunication going on.

As documented, see:

"M is used for incoming ACL checking (allow-from) and to determine the
ECS processing (ecs-add-for)."

where M is "the source address mapped by Table Based Proxy Mapping" in

https://docs.powerdns.com/recursor/lua-config/proxymapping.html#table-based-proxy-mapping

The first section of the page tries to explain what address is used in
what circumstances. 

The point of proxyMapping is to use the mapped address as ECS and for
ACL checking.

If that is not what you want, maybe proxyMapping is not the answer to
your question?

-Otto

> 
> I'm hoping proxy-protocol-from does not affect ecs/edns function but the
> docs don't discuss anything around this - I would assume not.
> 
> Update and per your replies:
> 
> "I think proxyMapping and the use of ECS is explained in
> https://docs.powerdns.com/recursor/lua-config/proxymapping.html.;
> 
> I understand proxymapping - this is not my issue, I'm just mentioning
> it to provide context.
> 
> (My logging is still not working in my docker container. I'll request
> separate assistance with this.)
> Regards and thank you
> 
> 
> Robby
> 
> 
> 
> 
> 
> On Fri, 20 Jan 2023 at 17:58, Otto Moerbeek  wrote:
> 
> > Please show your full configuration, including versions etc. Also, it
> > is not clear which product you are using.
> >
> > The recursor docs say:
> >
> > "Note that once a Proxy Protocol header has been received, the source
> > address from the proxy header instead of the address of the proxy will
> > be checked against the allow-from ACL."
> >
> > https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
> >
> > -Otto
> >
> >
> > On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users
> > wrote:
> >
> > > Hi all,
> > >
> > > I'm not sure if this is a change in behaviour or I simply haven't noticed
> > > this before but after upgrading my docker image today, I've seen queries
> > > being dropped due to the mapped address in my proxy mappings being used
> > for
> > > allow-from rather than the src/original address. I use a private-public
> > > address mapping in the proxy maps because I use the mapped public IP as
> > > part of ecs/edns.
> > >
> > > I've now set:
> > >
> > > proxy-protocol-from= (or should this be the src IP?)
> > >
> > > but this doesn't appear to have changed anything and queries are still
> > > being dropped.
> > >
> > > Can anyone advise where I'm going wrong? I don't mind putting the mapped
> > > (public) IP in allow-from but would prefer not to do it if not required.
> > >
> > > Regards
> > >
> > > --
> > > Robby Pedrica
> > >
> > > c: +27 82 416 8696
> >
> >
> >
> 
> -- 
> Robby Pedrica
> XStore
> c: +27 82 416 8696
> f: +27 86 538 5810
> m: rpedr...@xstore.co.za
> w: http://.xstore.co.za/


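To make the two documented rules Otto quotes in the thread concrete, here is a small added model (written for this page, not recursor code and not from the PowerDNS project) of which address the recursor ends up matching against allow-from and using for ECS. It follows only the behaviour the thread cites: a Proxy Protocol header accepted from an address in proxy-protocol-from makes the header's source address the one checked, and a table-based proxyMapping then replaces that address with the mapped address M, which is what allow-from and ECS see. The subnets, mapped addresses and ACLs are constructed sample values; the treatment of a header from a proxy that is not in proxy-protocol-from (simply ignored here) is a simplification, not documented recursor behaviour.

```python
"""Model of the address the PowerDNS Recursor checks against allow-from
when Proxy Protocol and table-based proxy mapping are both in use.

Hypothetical helper written for this thread, not recursor code.  It
follows the two rules quoted in the thread:
  1. once a Proxy Protocol header is accepted (the proxy is listed in
     proxy-protocol-from), the source address from the header, not the
     proxy's own address, is checked against allow-from;
  2. table-based proxy mapping (addProxyMapping) then replaces that
     address with the mapped address M, and M is what allow-from and the
     ECS logic see.
All networks and addresses below are constructed sample values.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Constructed sample configuration, mirroring the shape of the thread's setup:
# two private client subnets, each mapped to a public address for ECS.
MAPPINGS = [("10.1.0.0/16", "203.0.113.10"), ("10.2.0.0/16", "203.0.113.20")]
PROXY_PROTOCOL_FROM = ["192.0.2.1"]          # the proxy in front of the recursor
ALLOW_FROM_PRIVATE_ONLY = ["10.1.0.0/16", "10.2.0.0/16"]
# allow-from that also lists the mapped addresses, as Robby ends up doing:
ALLOW_FROM_FIXED = ALLOW_FROM_PRIVATE_ONLY + ["203.0.113.10", "203.0.113.20"]


def in_acl(addr: str, acl: Iterable[str]) -> bool:
    """True if addr lies inside any entry of the ACL (CIDR or bare address)."""
    a = ip_address(addr)
    return any(a in ip_network(entry, strict=False) for entry in acl)


def map_source(addr: str, mappings: Iterable[tuple]) -> str:
    """Apply the addProxyMapping table: first matching subnet wins,
    otherwise the address is left unchanged."""
    a = ip_address(addr)
    for subnet, mapped in mappings:
        if a in ip_network(subnet, strict=False):
            return mapped
    return addr


def effective_address(proxy_addr: str, header_src: Optional[str],
                      proxy_protocol_from: Iterable[str],
                      mappings: Iterable[tuple]) -> str:
    """Return the address M that is matched against allow-from and used for ECS."""
    if header_src is not None and in_acl(proxy_addr, proxy_protocol_from):
        src = header_src          # rule 1: the header's source replaces the proxy
    else:
        src = proxy_addr          # simplification: a header from an unlisted proxy is ignored
    return map_source(src, mappings)   # rule 2: the mapping is applied before the ACL


def query_accepted(proxy_addr: str, header_src: Optional[str],
                   proxy_protocol_from: Iterable[str],
                   mappings: Iterable[tuple], allow_from: Iterable[str]) -> bool:
    """Would allow-from accept this query?  Note it is M, not the client's
    own address, that has to be covered."""
    return in_acl(effective_address(proxy_addr, header_src,
                                    proxy_protocol_from, mappings), allow_from)


def acl_gaps(mappings: Iterable[tuple], allow_from: Iterable[str]) -> list:
    """Mapped addresses that allow-from does not cover.  Every entry here means
    all clients of that subnet are silently dropped, the symptom in the thread."""
    return [mapped for _, mapped in mappings if not in_acl(mapped, allow_from)]


if __name__ == "__main__":
    client = ("192.0.2.1", "10.1.5.5")   # proxy address, source from the PROXY header
    print("effective address:", effective_address(*client, PROXY_PROTOCOL_FROM, MAPPINGS))
    print("accepted with private-only allow-from:",
          query_accepted(*client, PROXY_PROTOCOL_FROM, MAPPINGS, ALLOW_FROM_PRIVATE_ONLY))
    print("accepted once mapped addresses are listed:",
          query_accepted(*client, PROXY_PROTOCOL_FROM, MAPPINGS, ALLOW_FROM_FIXED))
    print("mappings not covered by allow-from:",
          acl_gaps(MAPPINGS, ALLOW_FROM_PRIVATE_ONLY))
```

Running `acl_gaps` against the intended allow-from before deploying a new mapping is the cheap sanity check this thread boils down to: if a mapped address is missing from allow-from, the whole private subnet behind it stops resolving, and nothing in the client-facing traffic explains why.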


Re: [Pdns-users] Proxy mapped address used for allow-from

2023-01-26 Thread Robby Pedrica via Pdns-users
 Thanks Otto,

I agree with the docs, but then the actual operation/result is not
consistent unless I'm misunderstanding the operation or purpose of
proxy-protocol-from.

*Product:*

pdns-recursor

*Version:*

4.8.1

*Full recursor.conf config:*

allow-from=
api-key=
#config-dir=/usr/etc
daemon=no
#disable-syslog=no
edns-subnet-allow-list=0.0.0.0/0.
etc-hosts-file=/etc/hosts
# export-etc-hosts=off
#local-address=
local-port=53
loglevel=6
log-common-errors=yes
# max-cache-entries=100
# max-concurrent-requests-per-tcp-connection=10
max-tcp-clients=128
# max-tcp-per-client=0
# max-tcp-queries-per-connection=0
# network-timeout=1500
new-domain-log=yes
quiet=no
threads=2
use-incoming-edns-subnet=yes
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
webserver-loglevel=none
webserver-password=
webserver-port=8082
write-pid=yes
hint-file=/etc/named.root.txt
log-common-errors=no
lua-config-file=/etc/proxy-map.lua
max-busy-dot-probes=50
proxy-protocol-from=

*LUA script for proxy maps:*

addProxyMapping("private subnet 1", "mapped public IP")

There are 2 requirements:

1. accurately enable ACLs via allow-from
2. use proxy-mapped public address from addProxyMapping for ecs/edns queries

Currently, the proxy mapped address is being used to match against
allow-from rather than the source/original address.

I'm hoping proxy-protocol-from does not affect ecs/edns function but the
docs don't discuss anything around this - I would assume not.

Update and per your replies:

"I think proxyMapping and the use of ECS is explained in
https://docs.powerdns.com/recursor/lua-config/proxymapping.html.;

I understand proxymapping - this is not my issue, I'm just mentioning
it to provide context.

(My logging is still not working in my docker container. I'll request
separate assistance with this.)
Regards and thank you


Robby





On Fri, 20 Jan 2023 at 17:58, Otto Moerbeek  wrote:

> Please show your full configuration, including versions etc. Also, it
> is not clear which product you are using.
>
> The recursor docs say:
>
> "Note that once a Proxy Protocol header has been received, the source
> address from the proxy header instead of the address of the proxy will
> be checked against the allow-from ACL."
>
> https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
>
> -Otto
>
>
> On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users
> wrote:
>
> > Hi all,
> >
> > I'm not sure if this is a change in behaviour or I simply haven't noticed
> > this before but after upgrading my docker image today, I've seen queries
> > being dropped due to the mapped address in my proxy mappings being used
> for
> > allow-from rather than the src/original address. I use a private-public
> > address mapping in the proxy maps because I use the mapped public IP as
> > part of ecs/edns.
> >
> > I've now set:
> >
> > proxy-protocol-from= (or should this be the src IP?)
> >
> > but this doesn't appear to have changed anything and queries are still
> > being dropped.
> >
> > Can anyone advise where I'm going wrong? I don't mind putting the mapped
> > (public) IP in allow-from but would prefer not to do it if not required.
> >
> > Regards
> >
> > --
> > Robby Pedrica
> >
> > c: +27 82 416 8696
>
>
>

-- 
Robby Pedrica
XStore
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedr...@xstore.co.za
w: http://.xstore.co.za/


Re: [Pdns-users] Proxy mapped address used for allow-from

2023-01-20 Thread Robby Pedrica via Pdns-users

On Fri, 20 Jan 2023 at 17:58, Otto Moerbeek  wrote:

> Please show your full configuration, including versions etc. Also, it
> is not clear which product you are using.
>
> The recursor docs say:
>
> "Note that once a Proxy Protocol header has been received, the source
> address from the proxy header instead of the address of the proxy will
> be checked against the allow-from ACL."
>
> https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
>
> -Otto
>
>
> On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users
> wrote:
>
> > Hi all,
> >
> > I'm not sure if this is a change in behaviour or I simply haven't noticed
> > this before but after upgrading my docker image today, I've seen queries
> > being dropped due to the mapped address in my proxy mappings being used for
> > allow-from rather than the src/original address. I use a private-public
> > address mapping in the proxy maps because I use the mapped public IP as
> > part of ecs/edns.
> >
> > I've now set:
> >
> > proxy-protocol-from= (or should this be the src IP?)
> >
> > but this doesn't appear to have changed anything and queries are still
> > being dropped.
> >
> > Can anyone advise where I'm going wrong? I don't mind putting the mapped
> > (public) IP in allow-from but would prefer not to do it if not required.
> >
> > Regards
> >
> > --
> > Robby Pedrica
> >
> > c: +27 82 416 8696




Thanks Otto,

(apologies for the wrong addressing)

I agree on the docs, but then the actual operation/result is not 
consistent unless I'm misunderstanding the operation or purpose of 
proxy-protocol-from.


/Product:/

pdns-recursor

/Version:/

4.8.1 (or docker image:latest)

/Full recursor.conf:/

allow-from=, private subnet 2>
edns-subnet-allow-list=0.0.0.0/0 .
use-incoming-edns-subnet=yes
proxy-protocol-from=x.x.x.x (public address from proxy mapping)
api-key=
#config-dir=/usr/etc
daemon=no
#disable-syslog=no
edns-subnet-allow-list=0.0.0.0/0.
etc-hosts-file=/etc/hosts
# export-etc-hosts=off
#local-address=
local-port=53
loglevel=6
log-common-errors=yes
# max-cache-entries=100
# max-concurrent-requests-per-tcp-connection=10
max-tcp-clients=128
# max-tcp-per-client=0
# max-tcp-queries-per-connection=0
# network-timeout=1500
new-domain-log=yes
quiet=no
threads=2
use-incoming-edns-subnet=yes
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
webserver-loglevel=none
webserver-password=x
write-pid=yes
hint-file=/etc/named.root.txt
log-common-errors=no
lua-config-file=/etc/proxy-map.lua
max-busy-dot-probes=50
proxy-protocol-from=, 

//etc/proxy-map.lua:/

protobufServer("syslog-ip:port">
addProxyMapping("private subnet 1", "mapped public IP 1")
addProxyMapping("private subnet 2", "mapped public IP 2")

/Logs from docker:/

recursor_1  | Jan 20 18:45:57 PowerDNS Recursor 0.0.0.0.HEAD.gHEAD (C) 
2001-2022 PowerDNS.COM BV
recursor_1  | Jan 20 18:45:57 Using 64-bits mode. Built using gcc 10.2.1 
20210110 on Jan 20 2023 12:15:50 by root@localhost.
recursor_1  | Jan 20 18:45:57 PowerDNS comes with ABSOLUTELY NO 
WARRANTY. This is free software, and you are welcome to redistribute it 
according to the terms of the GPL version 2.
recursor_1  | Jan 20 18:45:57 msg="If using IPv6, please raise sysctl 
net.ipv6.route.max_size to a size >= 16384" subsystem="config" level="0" 
prio="Error" tid="0" ts="1674240357.631" current="4096"
recursor_1  | Jan 20 18:45:57 msg="Enabling IPv4 transport for outgoing 
queries" subsystem="config" level="0" prio="Notice" tid="0" 
ts="1674240357.631"
recursor_1  | Jan 20 18:45:57 msg="NOT using IPv6 for outgoing queries - 
add an IPv6 address (like '::') to query-local-address to enable" 
subsystem="config" level="0" prio="Warning" tid="0" ts="1674240357.631"
recursor_1  | Jan 20 18:45:57 msg="Setting access control" 
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.631" 
acl="allow-from" addresses=""
recursor_1  | Jan 20 18:45:57 msg="Will not send queries to" 
subsystem="config" level="0" prio="Notice" tid="0" ts="1674240357.635" 
addresses="127.0.0.0/8 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16 
192.168.0.0/16 172.16.0.0/12 ::1/128 fc00::/7 fe80::/10 0.0.0.0/8 
192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 
::/96 :::0:0/96 100::/64 2001:db8::/32 0.0.0.0 ::"
recursor_1  | Jan 20 18:45:57 msg="PowerDNS Recursor itself will 
distribute queries over threads" subsystem="config" level="0" 
prio="Notice" tid="0" ts="1674240357.635"
recursor_1  | Jan 20 18:45:57 msg="Inserting rfc 1918 private space 
zones" subsystem="config" level="0" prio="Notice" tid="0" 
ts="1674240357.635"
recursor_1  | Jan 20 18:45:57 msg="Listening for queries" 
subsystem="config" level="0" 

Re: [Pdns-users] Proxy mapped address used for allow-from

2023-01-20 Thread Otto Moerbeek via Pdns-users
Please show your full configuration, including versions etc. Also, it
is not clear which product you are using.

The recursor docs say:

"Note that once a Proxy Protocol header has been received, the source
address from the proxy header instead of the address of the proxy will
be checked against the allow-from ACL."

https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from

-Otto


On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users wrote:

> Hi all,
> 
> I'm not sure if this is a change in behaviour or I simply haven't noticed
> this before but after upgrading my docker image today, I've seen queries
> being dropped due to the mapped address in my proxy mappings being used for
> allow-from rather than the src/original address. I use a private-public
> address mapping in the proxy maps because I use the mapped public IP as
> part of ecs/edns.
> 
> I've now set:
> 
> proxy-protocol-from= (or should this be the src IP?)
> 
> but this doesn't appear to have changed anything and queries are still
> being dropped.
> 
> Can anyone advise where I'm going wrong? I don't mind putting the mapped
> (public) IP in allow-from but would prefer not to do it if not required.
> 
> Regards
> 
> -- 
> Robby Pedrica
> 
> c: +27 82 416 8696

