Re: [Pdns-users] pdns-recursor ecs support config designs

2022-11-08 Thread Robby Pedrica via Pdns-users
Hi Brian

Understood re. "user ecs" vs "pass" = semantic error on my side.

And yes, a local per branch recursor would better but we have to take
installation/operational management overhead into account for doing this at
a lot of sites; as well, we're trying to move away from local
infrastructure.

I have a loaded config for table-based proxy mapping now via a
lua-config-file entry - busy testing ...

On an unrelated note (although it would certainly help with above
troubleshooting), I'm running the pdns-recursor docker image via:

powerdns/pdns-recursor-48:latest

And there doesn't seem to be any logging inside the container - am I
missing something?

Regards, Robby

On Tue, 8 Nov 2022 at 11:44, Brian Candler  wrote:

> On 08/11/2022 09:20, Robby Pedrica via Pdns-users wrote:
>
> > The CDN services work correctly when a branch uses the ISP-assigned
> > DNS for that specific branch/link. But as mentioned, it's difficult to
> > manage these DNS entries when you have many branches across the world
> > (180 sites with 2 different ISP links at each site). It would be much
> > easier if we had a central recursor that could use ecs to determine
> > geo-located services for each branch.
>
> The central recursor would be able to see the source IP addresses of all
> the clients, correct?  Would it see the public (post NAT) or internal
> address (e.g. site-to-site VPN)?
>
> The recursor itself doesn't "use ecs" as such, but it could *pass* the
> client's IP address via ecs to the authoritative servers.  However,
> whether the authoritative servers use that information or not is not
> within your control.  They may ignore it, and look at the source IP
> address of the request only (i.e. the IP address of your recursor).  In
> which case, you're stuck.
>
> In any case, getting clients to use a local DNS cache would be much
> better for resilience and performance than routing all queries via a
> central recursor.
>
>

-- 
Robby Pedrica
XStore
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedr...@xstore.co.za
w: http://.xstore.co.za/
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] pdns-recursor ecs support config designs

2022-11-08 Thread Otto Moerbeek via Pdns-users
On Tue, Nov 08, 2022 at 09:44:22AM +, Brian Candler via Pdns-users wrote:

> On 08/11/2022 09:20, Robby Pedrica via Pdns-users wrote:
> 
> > The CDN services work correctly when a branch uses the ISP-assigned DNS
> > for that specific branch/link. But as mentioned, it's difficult to
> > manage these DNS entries when you have many branches across the world
> > (180 sites with 2 different ISP links at each site). It would be much
> > easier if we had a central recursor that could use ecs to determine
> > geo-located services for each branch.
> 
> The central recursor would be able to see the source IP addresses of all the
> clients, correct?  Would it see the public (post NAT) or internal address
> (e.g. site-to-site VPN)?
> 
> The recursor itself doesn't "use ecs" as such, but it could *pass* the
> client's IP address via ecs to the authoritative servers.  However, whether
> the authoritative servers use that information or not is not within your
> control.  They may ignore it, and look at the source IP address of the
> request only (i.e. the IP address of your recursor).  In which case, you're
> stuck.
> 
> In any case, getting clients to use a local DNS cache would be much better
> for resilience and performance than routing all queries via a central
> recursor.

Agreed, running a local recursor per office is certainly something to consider.
If you run those yourself you are not/less dependent on ISP setups.

-Otto



Re: [Pdns-users] pdns-recursor ecs support config designs

2022-11-08 Thread Brian Candler via Pdns-users

On 08/11/2022 09:20, Robby Pedrica via Pdns-users wrote:

> The CDN services work correctly when a branch uses the ISP-assigned
> DNS for that specific branch/link. But as mentioned, it's difficult to
> manage these DNS entries when you have many branches across the world
> (180 sites with 2 different ISP links at each site). It would be much
> easier if we had a central recursor that could use ecs to determine
> geo-located services for each branch.

The central recursor would be able to see the source IP addresses of all
the clients, correct?  Would it see the public (post NAT) or internal
address (e.g. site-to-site VPN)?

The recursor itself doesn't "use ecs" as such, but it could *pass* the
client's IP address via ecs to the authoritative servers.  However,
whether the authoritative servers use that information or not is not
within your control.  They may ignore it, and look at the source IP
address of the request only (i.e. the IP address of your recursor).  In
which case, you're stuck.

In any case, getting clients to use a local DNS cache would be much
better for resilience and performance than routing all queries via a
central recursor.




Re: [Pdns-users] pdns-recursor ecs support config designs

2022-11-08 Thread Robby Pedrica via Pdns-users
Thanks Otto,

" It is not 100% clear what you are trying to achieve"

We simply want to use ecs to direct endpoints to their nearest pop for CDN
services, specifically Microsoft-related services like Teams, Sharepoint,
etc.

The CDN services work correctly when a branch uses the ISP-assigned DNS for
that specific branch/link. But as mentioned, it's difficult to manage these
DNS entries when you have many branches across the world (180 sites with 2
different ISP links at each site). It would be much easier if we had a
central recursor that could use ecs to determine geo-located services for
each branch.

" As for the recursor: by default private addresses will not be used for
outgoing ECS (as governed by ecs-add-for). "

Understood.

" If the clients use private addresses from multiple locations via VPNs and
all client traffic goes through the VPN as well, it makes sense for a
recursor to use for an outgoing ECS the public gateway address used by the
VPN clients, as the queries *and* traffic are then coming the same source.
You can use ecs-scope-zero-address to achieve that. "

This is not our scenario but I'll check on the indicated option in any case.

" You might take a look into proxy mapping: "

I'll look into this option.

We will probably look to use an SNAT firewall entry (with a
private-to-public mapping) for our VPN policies to fool the recursor into
thinking the client is coming from a public IP address. This will entail
some work as we'll have to create specific mappings for each branch. But
it's the only option I can see for the moment.

Thank you very much for your replies.

Regards, Robby
On Tue, 8 Nov 2022 at 09:24, Otto Moerbeek  wrote:

> On Tue, Nov 08, 2022 at 08:35:33AM +0200, Robby Pedrica via Pdns-users
> wrote:
>
> > Hi all,
> >
> > I've searched pdns docs as well as threads here but can find nothing
> about
> > how to deploy ecs or more specifically, under which circumstance ecs can
> be
> > used.
> >
> > From what I understand of ecs, the recursor will forward the client's IP
> > with the request to the auth (or intermediate) servers so that the auth
> > server can respond with a result that is local (if possible) to the
> client.
> > I'm going to assume then that a public address is needed from the client
> as
> > you can't determine location info from an rfc1918 address.
> >
> > Consider the following setup:
> >
> > branch1 (client with private address) -> firewall/NAT+VPN (branch) ->
> > internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
> > branch2 (client with private address) -> firewall/NAT+VPN (branch) |
> > etc.
> >
> > In this scenario, clients at branches have their queries forwarded over
> > site-to-site VPN tunnels to the recursor at a head office. The client IP
> the
> > recursor sees is the client's private IP address.
> >
> > Is there any possibility of getting a design like this to work with ecs?
> If
> > not, any alternatives?
> >
> > Notes:
> >
> > The specific pdns-recursor settings I'm looking at are:
> >
> > edns-subnet-allow-list
> > ecs-add-for
> > use-incoming-edns-subnet
> >
> > Regards, Robby
>
> It is not 100% clear what you are trying to achieve. But here's some
> general info.
>
> Auths use incoming ECS data to hand out IPs matched to the query
> source by some rules. The assumption is that the actual (often https)
> traffic comes from the same source.
>
> As for the recursor: by default private addresses will not be used
> for outgoing ECS (as governed by ecs-add-for).
>
> If the clients use private addresses from multiple locations via VPNs
> and all client traffic goes through the VPN as well, it makes sense
> for a recursor to use for an outgoing ECS the public gateway address
> used by the VPN clients, as the queries *and* traffic are then coming
> from the same source.  You can use ecs-scope-zero-address to achieve that.
>
> If the actual client traffic goes on the net using a different public
> gateway than used by the recursor, e.g., the public address used by
> the remote office location, you want an outgoing ECS to use that. You
> might take a look into proxy mapping:
>
> https://docs.powerdns.com/recursor/lua-config/proxymapping.html
>
> On a general note: only if you observe actual inefficient CDN use I
> would bother with ECS, as it complicates your configuration, makes the
> recursor's cache less efficient, and is not guaranteed to provide
> actual gain.
>
> -Otto
>
>



Re: [Pdns-users] pdns-recursor ecs support config designs

2022-11-07 Thread Otto Moerbeek via Pdns-users
On Tue, Nov 08, 2022 at 08:35:33AM +0200, Robby Pedrica via Pdns-users wrote:

> Hi all,
> 
> I've searched pdns docs as well as threads here but can find nothing about
> how to deploy ecs or more specifically, under which circumstance ecs can be
> used.
> 
> From what I understand of ecs, the recursor will forward the client's IP
> with the request to the auth (or intermediate) servers so that the auth
> server can respond with a result that is local (if possible) to the client.
> I'm going to assume then that a public address is needed from the client as
> you can't determine location info from an rfc1918 address.
> 
> Consider the following setup:
> 
> branch1 (client with private address) -> firewall/NAT+VPN (branch) ->
> internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
> branch2 (client with private address) -> firewall/NAT+VPN (branch) |
> etc.
> 
> In this scenario, clients at branches have their queries forwarded over
> site-to-site VPN tunnels to the recursor at a head office. The client IP the
> recursor sees is the client's private IP address.
> 
> Is there any possibility of getting a design like this to work with ecs? If
> not, any alternatives?
> 
> Notes:
> 
> The specific pdns-recursor settings I'm looking at are:
> 
> edns-subnet-allow-list
> ecs-add-for
> use-incoming-edns-subnet
> 
> Regards, Robby

It is not 100% clear what you are trying to achieve. But here's some
general info.

Auths use incoming ECS data to hand out IPs matched to the query
source by some rules. The assumption is that the actual (often https)
traffic comes from the same source.

As for the recursor: by default private addresses will not be used
for outgoing ECS (as governed by ecs-add-for).

If the clients use private addresses from multiple locations via VPNs
and all client traffic goes through the VPN as well, it makes sense
for a recursor to use for an outgoing ECS the public gateway address
used by the VPN clients, as the queries *and* traffic are then coming
from the same source.  You can use ecs-scope-zero-address to achieve that.

If the actual client traffic goes on the net using a different public
gateway than used by the recursor, e.g., the public address used by
the remote office location, you want an outgoing ECS to use that. You
might take a look into proxy mapping:

https://docs.powerdns.com/recursor/lua-config/proxymapping.html

On a general note: only if you observe actual inefficient CDN use I
would bother with ECS, as it complicates your configuration, makes the
recursor's cache less efficient, and is not guaranteed to provide
actual gain.

-Otto



Re: [Pdns-users] pdns-recursor ecs support config designs

2022-11-07 Thread Robby Pedrica via Pdns-users
Apologies, to clarify:

1. No we do not own the auth servers, the queries are for general internet
DNS lookups so could hit any auth server. The recursor does its standard
root server and down lookups ...

2. The desired outcome is that clients are directed to local resources
especially for office 365 services like teams, SharePoint, etc.

At the moment, we make use of the ISP-provided DNS servers at each location
which is difficult to manage seeing as different ISPs are generally used
for each location.

Regards, Robby

On Tue, 8 Nov 2022, 09:02 Ask Bjørn Hansen,  wrote:

> From your description it’s not clear (to me anyway) if you control the
> authoritative server that you care about or not and it’s not clear what the
> desired outcome you are looking for by using ECS.
>
> Ask


Re: [Pdns-users] pdns-recursor ecs support config designs

2022-11-07 Thread Ask Bjørn Hansen via Pdns-users
From your description it’s not clear (to me anyway) if you control the 
authoritative server that you care about or not and it’s not clear what the 
desired outcome you are looking for by using ECS.

Ask