dnsdist: new ECSRule to match traffic from ECS option?
- Program: dnsdist
- Issue type: Feature request
Short description
This feature request is to add a new rule to match traffic from a specified client subnet (ECS).
Use case
In a containerized environment, we need to route incoming DNS traffic towards specific authoritative DNS servers. However, in some cases routing cannot be done directly with the real IP of the client, because it is no longer available; only the ECS option is.
Here's the routing scheme example:
clients --(no ECS)--> dnsdist edge --(with ECS)--> container dnsdist ---> dns auth A
                                                                    |---> dns auth B
I managed to achieve this with the Lua code below and a minimalist decoder for the ECS option:
listNmg = newNMG()                     -- NetmaskGroup of client subnets that must be routed internally
listNmg:addMask("172.16.0.0/24")
dofile("/etc/dnsdist/decode_ecs.lua")  -- defines ECSOptionRule(nmg): decodes the query's ECS option and matches it against nmg
addAction(LuaRule(ECSOptionRule(listNmg)), PoolAction("pool_internal"))  -- matching queries go to the internal pool
I believe it would be nice to add a native rule like ECSRule to facilitate this.
Does this make sense to you?
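The decoding that decode_ecs.lua has to do, written out as a stand-alone added example (not dnsdist code and not the Lua the issue author posted): it walks the query's OPT RR, decodes the ECS option as laid out in RFC 7871 and checks the client subnet against a list of netmasks, which is the ECSRule behaviour this issue asks for. The function names and the sample query are constructed for this example.

```python
import ipaddress
import struct
OPT_TYPE, ECS_OPTION_CODE = 41, 8   # EDNS(0) OPT pseudo-RR type; EDNS Client Subnet option (RFC 7871)
ECS_FAMILIES = {1: (ipaddress.IPv4Network, 4), 2: (ipaddress.IPv6Network, 16)}  # family -> (class, bytes)

def _skip_name(msg, off):           # return the offset just past a (possibly compressed) wire-format name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def decode_ecs_option(data):
    """Decode an ECS option payload (family, source prefix, scope prefix, address) into an ip_network."""
    family, source_len, _scope_len = struct.unpack("!HBB", data[:4])
    net_cls, size = ECS_FAMILIES[family]          # KeyError for an unknown address family
    addr = data[4:]                               # RFC 7871 s.6: truncated to the bytes SOURCE PREFIX-LENGTH needs
    if source_len > size * 8 or len(addr) != (source_len + 7) // 8:
        raise ValueError("ECS address length does not match the source prefix length")
    return net_cls((addr + bytes(size - len(addr)), source_len), strict=False)

def client_subnet(msg):
    """Return the ECS subnet carried in a DNS message, or None when there is no ECS option."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == OPT_TYPE and pos + 4 <= len(rdata):   # walk the OPT RR's option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == ECS_OPTION_CODE:
                return decode_ecs_option(rdata[pos + 4:pos + 4 + olen])
            pos += 4 + olen
    return None

def ecs_matches(msg, cidrs):   # the proposed ECSRule: ECS address inside one of the configured netmasks?
    subnet = client_subnet(msg)
    return subnet is not None and any(subnet.network_address in ipaddress.ip_network(c) for c in cidrs)

SAMPLE_QUERY = (  # constructed: example.com/A query whose OPT RR carries ECS 172.16.0.0/24
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x07example\x03com\x00\x00\x01\x00\x01"  # header + question
    + b"\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x0b"   # OPT RR: root name, type 41, size 4096, TTL 0, rdlen 11
    + b"\x00\x08\x00\x07\x00\x01\x18\x00\xac\x10\x00")  # option 8 len 7: family 1, /24, scope 0, 172.16.0
```

The match is done on the ECS network address, which mirrors what a NetmaskGroup:match() on the decoded address would do; a query without an OPT RR or without option 8 never matches.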
Such a rule would make sense to me, yes! Although in this exact case, forwarding from dnsdist to dnsdist, I think the proxy protocol might be better suited and should already work fine for what you want to achieve.
In fact, we would like to use the ECSRule like the NetmaskGroupRule (with the NetmaskGroup object as input), something like this:
ECSRule(nmg [, quiet])
:+1:
Thanks for the tip, I'll try to play with the proxy protocol (although after reading the documentation, I feel like I need to write some Lua code too to achieve what I need).
Please let us know if it doesn't work, as it sounds like a very legitimate use-case to me.
Just to keep you informed, I managed to use the proxy protocol :) even if it's complicated to have a DNS monitoring tool compatible with proxy protocol :/
Just to justify this FR: I have pdns-recursor forwarding to dnsdist (rationale); however, pdns-recursor doesn't support the Proxy Protocol: https://github.com/PowerDNS/pdns/issues/11931.
I think that proxy protocol forwarding in the recursor would cover more cases, but as it's not planned, the required counterpart here is ECS reception and recognition.