On Tue, Nov 08, 2022 at 08:35:33AM +0200, Robby Pedrica via Pdns-users wrote:
> Hi all,
>
> I've searched pdns docs as well as threads here but can find nothing about
> how to deploy ecs or more specifically, under which circumstance ecs can be
> used.
>
> From what I understand of ecs, the recursor will forward the client's IP
> with the request to the auth (or intermediate) servers so that the auth
> server can respond with a result that is local (if possible) to the client.
> I'm going to assume then that a public address is needed from the client as
> you can't determine location info from an rfc1918 address.
>
> Consider the following setup:
>
> branch1 (client with private address) -> firewall/NAT+VPN (branch) ->
> internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
> branch2 (client with private address) -> firewall/NAT+VPN (branch) |
> etc.
>
> In this scenario, clients at branches have their queries forwarded over
> site-to-site VPN tunnels to the recursor at a head office. The client IP the
> recursor sees is the client's private IP address.
>
> Is there any possibility of getting a design like this to work with ecs? If
> not, any alternatives?
>
> Notes:
>
> The specific pdns-recursor settings I'm looking at are:
>
> edns-subnet-allow-list
> ecs-add-for
> use-incoming-edns-subnet
>
> Regards, Robby

It is not 100% clear what you are trying to achieve. But here's some general info.

Auths use incoming ECS data to hand out IPs matched to the query source by some rules. The assumption is that the actual (often https) traffic comes from the same source.

As for the recursor: by default private addresses will not be used for outgoing ECS (as governed by ecs-add-for). If the clients use private addresses from multiple locations via VPNs and all client traffic goes through the VPN as well, it makes sense for a recursor to use for an outgoing ECS the public gateway address used by the VPN clients, as the queries *and* traffic are then coming from the same source. You can use ecs-scope-zero-address to achieve that.

If the actual client traffic goes on the net using a different public gateway than used by the recursor, e.g., the public address used by the remote office location, you want an outgoing ECS to use that. You might take a look into proxy mapping: https://docs.powerdns.com/recursor/lua-config/proxymapping.html

On a general note: only if you observe actual inefficient CDN use I would bother with ECS, as it complicates your configuration, makes the recursor's cache less efficient, and is not guaranteed to provide actual gain.

-Otto

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
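The two options in the reply (head-office gateway via ecs-scope-zero-address, or the branch's own gateway via proxy mapping), worked through as an added Python model of the decision; this is not PowerDNS code. Setting names follow the recursor docs, but the most-specific-entry-wins netmask matching, applying ecs-add-for to the proxy-mapped address, and all addresses are assumptions constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Documented IPv4 default of ecs-add-for: everything except private/loopback
# ranges ("!" negates an entry). IPv6 entries omitted for brevity.
DEFAULT_ECS_ADD_FOR = [
    "0.0.0.0/0", "!127.0.0.0/8", "!10.0.0.0/8", "!100.64.0.0/10",
    "!169.254.0.0/16", "!192.168.0.0/16", "!172.16.0.0/12",
]


def netmask_group_match(addr, entries):
    """Assumed simplification of a recursor netmask group: the most specific
    matching entry decides, and a '!' entry means 'not matched'."""
    addr = ip_address(addr)
    best = None  # (network, negated)
    for entry in entries:
        negated = entry.startswith("!")
        net = ip_network(entry.lstrip("!"))
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def outgoing_ecs(client_ip, ecs_add_for, scope_zero_address,
                 proxy_mapping=(), ecs_ipv4_bits=24):
    """Return (address, origin) the recursor would put in the outgoing ECS.

    proxy_mapping: constructed list of (client subnet, address to use instead),
    standing in for the recursor's Lua proxy mapping of branch -> branch gateway.
    """
    src, origin = ip_address(client_ip), "client"
    for subnet, mapped in proxy_mapping:
        if src in ip_network(subnet):           # branch range -> its gateway
            src, origin = ip_address(mapped), "proxy-mapped"
            break
    if netmask_group_match(src, ecs_add_for):
        # Public source: forward it, truncated to ecs-ipv4-bits (default /24).
        net = ip_network(f"{src}/{ecs_ipv4_bits}", strict=False)
        return str(net.network_address), origin
    # Private source not in ecs-add-for: fall back to ecs-scope-zero-address,
    # e.g. the head-office public gateway all VPN traffic exits through.
    return scope_zero_address, "scope-zero"


if __name__ == "__main__":
    # Branch client 10.1.2.3 (constructed), head-office gateway 203.0.113.1.
    print(outgoing_ecs("10.1.2.3", DEFAULT_ECS_ADD_FOR, "203.0.113.1"))
    print(outgoing_ecs("10.1.2.3", DEFAULT_ECS_ADD_FOR, "203.0.113.1",
                       proxy_mapping=[("10.1.0.0/16", "198.51.100.7")]))
```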