On Thu, Oct 27, 2016 at 7:51 PM, <hsulip...@itri.org.tw> wrote:

> ;
> ; area10.itri.org.tw.txt
> ;
> $ORIGIN sub.itri.org.tw.
> $ttl 60
>
> @ IN SOA dns1 hsuliping.itri.org.tw. (
>         2016102701 ;serial no
>         1h         ;refresh every 1 hours
>         1h         ;retry - 1 hour
>         2D         ;expire after 2 days
>         1D)        ;minimum ttl of 1 days
>
>         IN NS dns1
>         IN NS dns2
>
> dns1    IN A 192.168.254.138
> dns2    IN A 192.168.157.194
>
> areaxx  IN A 10.0.0.10
>         IN AAAA 2001:ed8:3000::10
>
> ==============================================================
> ;
> ; default.example.com.txt
> ;
> $ORIGIN sub.example.com.
> $ttl 60
>
> @ IN SOA dns1 nocomment.example.com. (
>         2016102702 ;serial no
>         1h         ;refresh every 1 hours
>         1h         ;retry - 1 hour
>         2D         ;expire after 2 days
>         1D)        ;minimum ttl of 1 days
>
> ;sub-domain name servers
>         IN NS dns1
>         IN NS dns2
>
> ;A records for name servers above
> dns1    IN A 192.168.254.138
> dns2    IN A 192.168.157.194
>
> areaxx  IN A 10.0.255.255
>         IN AAAA 2001:ed8:3000::FFFF:255
> ================================================================
>
> acl ecs-area01 { ecs 192.168.164.0/24; };
> acl no-ecs-area01 { 192.168.164.0/24; };
>
> options {
>     directory "d:\isc bind 9\var\named";
>     // geoip-directory "d:\isc bind 9\geodb";
>
>     // version statement - inhibited for security
>     // avoid hacking any known weaknesses
>
>     version none;
>
>     allow-recursion { 192.168.0.0/16; };
>     forwarders{ 192.168.9.11; };
>
>     tcp-clients 600;
>
>     hostname "Very glad service for you....";
>
>     listen-on-v6 { none; };
>     allow-update {none;}; // defaulted - if not present
>
>     max-cache-ttl 60;
>     max-ncache-ttl 600;
>
>     dump-file "named dump.db";
>     memstatistics-file "named.memstats";
>
>     pid-file "named.pid";
>     querylog yes;
>     interface-interval 0;
>     statistics-file "named.stats";
>     zone-statistics yes;
>
>     notify explicit;
>     allow-transfer { none; };
> };
>
> view "area01" {
>     match-clients { no-ecs-area01; ecs-area01; key Area01.example.com.;};
>     zone "sub.example.com" in {
>         type master;
>         file "sub/area01.example.com.txt";
>         also-notify { 192.168.157.194 key Area01.example.com.; };
>         allow-transfer { key Area01.example.com.; };
>     };
> };
> // Area01 View End
>
> view "deafult" { // Default
>     match-clients { any; };
>     zone "sub.example.com" in {
>         type master;
>         file "sub/default.example.com.txt";
>         also-notify { 192.168.157.194 key Default.example.com.;};
>         allow-transfer { key Default.example.com.; };
>     };
> };
> // Default View End
>
>
> This DNS server platform is Windows 2012 R2 and I installed BIND 9.11.
> My PC's IP is 192.168.164.123. When I test with the view area01 match list
> (without no-ecs-area01), dig for that zone entry always returns the view
> default entry, but if I add no-ecs-area01 it responds with the correct entry.
> When I use a dig query including +subnet=192.168.164.1, it returns the
> view area01 entry (without no-ecs-area01 in the match list).
> I don't know where this went wrong.
> Can the client ECS entry be found in the query log?
>
> =================================My test PC IP information ================
> C:>ipconfig
>
>    IPv4 address. . . . . . . . . . . : 192.168.164.87
>    subnet mask. . . . . . . . . . . .: 255.255.255.0
>
> All BIND instances are installed on the Windows 2012 R2 platform.
>
> =================================Test 1 : in view area01 "no-ecs-area01" not exist ================
> C:>dig areaxx.sub.example.com. @dns2.sub.example.com.
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13577
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 325d48c8c441ee0168c686475811912d9a5d9fc7bf113bd2 (good)
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.        IN A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN A    10.0.255.255
>
> ==============================Test 1 : in view area01 "no-ecs-area01" exist===========
> C:>dig areaxx.sub.example.com. @dns2.sub.example.com.
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32403
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: ec76aa0d6063ddfac0fb42b958118fa3039eae3d58015a05 (good)
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.        IN A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN A    10.0.0.10
>
> ==========================Test 3 : in view area01 "no-ecs-area01" no exist ===========
> C:>dig areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62641
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: cb35db4f91e921970f85303858118f1128a20c69c0e0b995 (good)
> ; CLIENT-SUBNET: 192.168.164.1/32/24
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.        IN A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN A    10.0.0.10
>
> ==========================Test 4 : from example.com. domain DNS Server query ===========
> C:>dig areaxx.sub.example.com. @dns2.example.com.
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53897
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: da1119758607734a0e0355755811906b9703987cbc318f84 (good)
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.        IN A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN A    10.0.255.255
> ====================================================================================
> C:>dig areaxx.sub.example.com. @dns2.example.com. +subnet=192.168.164.1
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.example.com. +subnet=192.168.164.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8782
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 342acccf1e48e80572a35255581190a7a6a2857252dd6c05 (good)
> ; CLIENT-SUBNET: 192.168.164.1/32/0
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.        IN A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60      IN A    10.0.255.255
>
> =======================================================================
> The EDNS Client Subnet (ECS) option is used by a recursive resolver to
> inform an authoritative name server of the network address block from
> which the original query was received, enabling authoritative servers
> to give different answers to the same resolver for different resolver
> clients.
> An ACL containing an element of the form ecs prefix will match
> if a request arrives in containing an ECS option encoding an address
> within that prefix.
> If the request has no ECS option, then "ecs" elements are simply ignored.
> Addresses in ACLs that are not prefixed with "ecs" are matched only
> against the source address.
>
> The section above is from ARM page 176. When I carefully check my config
> file I don't know where I went wrong.
>
> In which log is client subnet information stored?
>
> --
> This email may contain confidential information. Please do not use or
> disclose it in any way and delete it if you are not the intended recipient.

The first three dig commands look correct.
1. No ecs, so it does not match.
2. No ecs, matches "no-ecs-area01".
3. ecs matches.
4. and 5. use "@dns2.example.com." instead of "@dns2.sub.example.com." - is that a different server?
-- Bob Harold
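As an added illustration of the ARM paragraph quoted above and of Bob's reading of tests 1 to 3 (this is not BIND code and not from the thread), a small model of how match-clients evaluates a bare prefix, an "ecs" prefix and a "key" element, replaying the poster's two acls and two views against constructed query inputs. The Query type, the function names and the sample source addresses other than the poster's PC are assumptions made here.

```python
"""Model of BIND match-clients evaluation for plain, "ecs" and "key" elements (added example)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

class Query(NamedTuple):
    source: str                 # address the packet actually came from
    ecs: Optional[str] = None   # prefix carried in the EDNS Client-Subnet option, if any
    key: Optional[str] = None   # name of the TSIG key that signed the request, if any

def _within(prefix: str, acl_prefix: str) -> bool:
    """True when every address of `prefix` lies inside `acl_prefix` (same IP family only)."""
    a = ipaddress.ip_network(prefix, strict=False)
    b = ipaddress.ip_network(acl_prefix, strict=False)
    return a.version == b.version and a.subnet_of(b)

def element_matches(element: str, query: Query, acls: Dict[str, List[str]]) -> bool:
    """One address-match-list element, with the semantics quoted from the ARM:
    'ecs <prefix>' is checked against the ECS option only and is ignored when the
    query carries none; a bare prefix is checked against the source address only."""
    if element == "any":
        return True
    if element.startswith("ecs "):
        return query.ecs is not None and _within(query.ecs, element[4:])
    if element.startswith("key "):
        return query.key == element[4:]
    if element in acls:  # reference to a named acl, e.g. no-ecs-area01
        return any(element_matches(e, query, acls) for e in acls[element])
    return _within(query.source, element)

def select_view(views: List[Tuple[str, List[str]]], query: Query,
                acls: Dict[str, List[str]]) -> Optional[str]:
    """Views are tried in configuration order; the first matching match-clients wins."""
    for name, match_clients in views:
        if any(element_matches(e, query, acls) for e in match_clients):
            return name
    return None

# The two acls from the poster's named.conf.
ACLS = {"ecs-area01": ["ecs 192.168.164.0/24"], "no-ecs-area01": ["192.168.164.0/24"]}

def views_for(with_no_ecs: bool) -> List[Tuple[str, List[str]]]:
    """View area01 with or without the source-address acl, then the catch-all view."""
    area01 = (["no-ecs-area01"] if with_no_ecs else []) + ["ecs-area01", "key Area01.example.com."]
    return [("area01", area01), ("default", ["any"])]

if __name__ == "__main__":
    pc = "192.168.164.87"  # the poster's test PC, from its ipconfig output
    print(select_view(views_for(False), Query(pc), ACLS))                          # default (test 1)
    print(select_view(views_for(True), Query(pc), ACLS))                           # area01  (test 2)
    print(select_view(views_for(False), Query(pc, ecs="192.168.164.1/24"), ACLS))  # area01  (test 3)
```

Tests 4 and 5 are not modelled because they were sent to a different server name, which is exactly the point Bob raises.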
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users