ECS prefix and EDNS Client subnet question
; ; area10.itri.org.tw.txt ; $ORIGIN sub.itri.org.tw. $ttl 60 @ IN SOA dns1 hsuliping.itri.org.tw. ( 2016102701 ;serial no 1h;refresh every 1 hours 1h ;retry - 1 hour 2D;expire after 2 days 1D);minimum ttl of 1 days IN NS dns1 IN NS dns2 dns1IN A 192.168.254.138 dns2IN A 192.168.157.194 areaxx IN A 10.0.0.10 IN 2001:ed8:3000::10 == ; ; default.example.com.txt ; $ORIGIN sub.example.com. $ttl 60 @ IN SOA dns1 nocomment.example.com. ( 2016102702 ;serial no 1h;refresh every 1 hours 1h ;retry - 1 hour 2D;expire after 2 days 1D);minimum ttl of 1 days ;sub-domain name servers IN NS dns1 IN NS dns2 ;A records for name servers above dns1IN A 192.168.254.138 dns2 IN A 192.168.157.194 areaxx IN A 10.0.255.255 IN 2001:ed8:3000:::255 acl ecs-area01 { ecs 192.168.164.0/24; } acl no-ecs-area01 { 192.168.164.0/24; }; options { directory "d:\isc bind 9\var\named"; // geoip-directory "d:\isc bind 9\geodb"; // version statement - inhibited for security // avoid hacking any know weaknesses version none; allow-recursion { 192.168.0.0/16; }; forwarders{ 192.168.9.11; }; tcp-clients 600; hostname "Very glad service for you"; listen-on-v6 { none; }; allow-update {none;}; // defaulted - if not present max-cache-ttl60; max-ncache-ttl 600; dump-file "named dump.db"; memstatistics-file "named.memstats"; pid-file "named.pid"; querylog yes; interface-interval 0; statistics-file "named.stats"; zone-statistics yes; notify explicit; allow-transfer { none; }; }; view "area01" { match-clients { no-ecs-area01; ecs-area01; key Area01.example.com.;}; zone "sub.example.com" in { type master; file "sub/area01.example.com.txt"; also-notify { 192.168.157.194 key Area01.example.com.; }; allow-transfer { key Area01.example.com.; }; }; }; // Area01 View End view "deafult" { // Default match-clients { any; }; zone "sub.example.com" in { type master; file "sub/default.example.com.txt"; also-notify { 192.168.157.194 key Default.example.com.;}; allow-transfer { key Default.example.com.; }; }; }; // Default View End This DNS Server Platform is Windows 2012 R2 and i install Bind 9.11 my pc ip is 192.168.164.123, so when i test if in view area01 no-ecs-area01 match list then when i use dig that zone entry it always return view default entry. but if i add no-ecs-area01 then that will response correct entry. when i use dig query include +subnet=192.168.164.1 then it will return view area01 entry (not include no-ec-area01) i don't know herer was wrong. In query log can find Client ECS entry ? =My test pc ip infomation C:>ipconfig IPv4 address. . . . . . . . . . . : 192.168.164.87 subnet mask. . . . . . . . . . . .: 255.255.255.0 All Bind are install in Windows 2012 R2 platform =Test 1 : in view area01 "no-ecs-area01" not exist C:>dig areaxx.sub.example.com. @dns2.sub.example.com. ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com. ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13577 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 325d48c8c441ee0168c686475811912d9a5d9fc7bf113bd2 (good) ;; QUESTION SECTION: ;areaxx.sub.example.com.IN A ;; ANSWER SECTION: areaxx.sub.example.com. 60 IN A 10.0.255.255 ==Test 1 : in view area01 "no-ecs-area01" exist=== C:>dig areaxx.sub.example.com. @dns2.sub.example.com. ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com. ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32403 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: ec76aa0d6063ddfac0fb42b958118fa3039eae3d58015a05 (good) ;; QUESTION SECTION: ;areaxx.sub.example.com.IN A ;; ANSWER SECTION: areaxx.sub.example.com. 60 IN A 10.0.0.10 ==Test 3 : in view area01 "no-ecs-area01" no exist === C:>dig areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1 ; <<>> DiG 9.11.0
Bind 9.11 question (ACL ecs )
From 9.1 ARM chapter 7 that mention The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform an authoritative name server of the network address block from which the original query was received, enabling authoritative servers to give different answers to the same resolver for different resolver clients. An ACL containing an element of the form ecs prefix will match if a request arrives in containing an ECS option encoding an address within that prefix. If the request has no ECS option, then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address. Now i was migrate DNS bint fro 9.10 to 9.11 and use ECS prefix on my allow-query entry but when i use dig test (not include +subnet) it not response but when i remvoe that ecs keyword every thing was OK. I was use bind 9.11 setup three dns server one for mydomain.idv and two are sub.mydomain.idv. my sub.mydomain.idv has multi view but has same zone. when i use dig query sub.mydomain.idv entry it always return last match view, it will not reponse by client subnet following was my partial named.conf content sub.mydomain.idv (Primary server -ip:a.b.c.d) = acl "slave-ips" { a.b.c.d; }; server a.b.c.d { provide-ixfr yes; request-nsid yes; send-cookie yes; edns-udp-size 4096; max-udp-size 4096; transfer-format many-answers; }; server a1.b1.c1.d1 { // mydomain.idv primary server request-nsid yes; send-cookie yes; edns-udp-size 4096; max-udp-size 4096; }; include "d:\isc bind 9\etc\ecs-acl-list.txt"; include "d:\isc bind 9\etc\no-ecs-acl-list.txt"; include "d:\isc bind 9\etc\KeyFiles.txt"; include "d:\isc bind 9\etc\logging.conf"; options { directory "d:\isc bind 9\var\named"; allow-update {none;}; notify explicit; allow-transfer { none; }; allow-query { none; }; }; // End Options view "area01" { match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key Area01.mydomain.idv.;}; zone "sub.mydomain.idv" in { type master; allow-query { area01; ecs-area01; }; file "sub/area01.mydomain.idv.txt"; also-notify { a.b.c1.d key Area01.mydomain.idv.; }; allow-transfer { key Area01.mydomain.idv.; }; }; }; // End View view "area02" { match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key Area02.mydomain.idv.; }; zone "sub.mydomain.idv" in { type master; allow-query { area02; ecs-area02; }; file "sub/area02.mydomain.idv.txt"; also-notify { a.b.c1.d key Area02.mydomain.idv.; }; allow-transfer { key Area02.mydomain.idv.; }; }; }; // End View view "area03" { match-clients { area03; ecs-area03; !{!ecs-area03; any; } ; key Area03.mydomain.idv.; }; zone "sub.mydomain.idv" in { type master; allow-query { area03; ecs-area03; }; file "sub/area03.mydomain.idv.txt"; also-notify { a.b.c1.d key Area03.mydomain.idv.;}; allow-transfer { key Area03.mydomain.idv.; }; }; }; // End View view "deafult" { // Default match-clients {any; }; zone "sub.mydomain.idv" in { type master; allow-query { any; }; file "sub/default.mydomain.idv.txt"; also-notify { a.b.c1.d key Default.mydomain.idv.;}; allow-transfer { key Default.mydomain.idv.; }; }; }; // End View sub.mydomain.idv (Slave server -ip:a.b.c1.d) = server a.b.c.d { provide-ixfr yes; request-nsid yes; send-cookie yes; edns-udp-size 4096; max-udp-size 4096; transfer-format many-answers; }; server a1.b1.c1.d1 { // mydomain.idv primary server request-nsid yes; send-cookie yes; edns-udp-size 4096; max-udp-size 4096; }; include "d:\isc bind 9\etc\ecs-acl-list.txt"; include "d:\isc bind 9\etc\no-ecs-acl-list.txt"; include "d:\isc bind 9\etc\KeyFiles.txt"; include "d:\isc bind 9\etc\logging.conf"; options { directory "d:\isc bind 9\var\named"; allow-update {none;}; notify explicit; allow-transfer { none; }; allow-query { none; }; }; // End Options view "area01" { match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key Area01.mydomain.idv.;}; zone "sub.mydomain.idv" in { type slave; allow-query { area01; ecs-area01; }; file "sub/area01.mydomain.idv.ca"; masters { a.b.c.d key Area01.mydomain.idv.; }; }; }; // End View view "area02" { match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key Area02.mydomain.idv.;}; zone "sub.mydomain.idv" in { type slave; allow-query { area02; ecs-area02; }; file "sub/area02.mydomain.idv.ca"; masters { a.b.c.d key Area02.mydomain.idv.; }; }; //