ECS prefix and EDNS Client subnet question

2016-10-27 Thread HsuLiPing
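;
; area10.itri.org.tw.txt
; Zone data handed out by the "area" view: areaxx resolves to the
; 10.0.0.10 / 2001:ed8:3000::10 pair for clients that match that view.
;
$ORIGIN sub.itri.org.tw.
$ttl 60

@       IN SOA dns1 hsuliping.itri.org.tw. (
            2016102701 ; serial no
            1h         ; refresh every 1 hour
            1h         ; retry - 1 hour
            2D         ; expire after 2 days
            1D )       ; minimum ttl of 1 day (used as the negative-caching TTL)

; name servers for this zone
        IN NS   dns1
        IN NS   dns2

; glue for the name servers above
dns1    IN A    192.168.254.138
dns2    IN A    192.168.157.194

areaxx  IN A    10.0.0.10
; the record type was missing on this line ("IN 2001:ed8:3000::10"); the
; zone loader rejects a line whose type field is an address literal
        IN AAAA 2001:ed8:3000::10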

==
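;
; default.example.com.txt
; Zone data for the catch-all "deafult" view: areaxx resolves to the
; 10.0.255.255 address (what Test 1 below returns).
;
$ORIGIN sub.example.com.
$ttl 60

@       IN SOA dns1 nocomment.example.com. (
            2016102702 ; serial no
            1h         ; refresh every 1 hour
            1h         ; retry - 1 hour
            2D         ; expire after 2 days
            1D )       ; minimum ttl of 1 day (used as the negative-caching TTL)

;sub-domain name servers
        IN NS   dns1
        IN NS   dns2

;A records for name servers above
dns1    IN A    192.168.254.138
dns2    IN A    192.168.157.194

areaxx  IN A    10.0.255.255
; the record type was missing here, and "2001:ed8:3000:::255" (three colons)
; is not a valid IPv6 address; "::255" is the obvious reading - confirm the
; intended address
        IN AAAA 2001:ed8:3000::255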


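// ECS-based ACL: matches only when the request carries an EDNS Client Subnet
// option whose address lies in 192.168.164.0/24. It is skipped for requests
// without an ECS option and never looks at the packet's source address (see
// the ARM chapter 7 text quoted in the 2016-10-25 post below).
// NOTE(review): the ECS option is supplied by the querying client or resolver
// and is not authenticated - dig +subnet sets it freely (Test 3) - so an
// "ecs" element steers view selection; it is not an access control.
acl ecs-area01 { ecs 192.168.164.0/24; };   // the terminating ';' was missing

// source-address ACL for the same prefix; this is what a plain dig from
// 192.168.164.x (no ECS option) matches
acl no-ecs-area01 { 192.168.164.0/24; };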

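options {
  directory   "d:\isc bind 9\var\named";
//  geoip-directory "d:\isc bind 9\geodb";

// version statement - inhibited for security
// avoid hacking any know weaknesses
  version none;

  // recursion is offered to every 192.168.0.0/16 source and answered via the
  // forwarder, so this instance is both authoritative and a forwarding
  // resolver for that range
  allow-recursion { 192.168.0.0/16; };
  forwarders { 192.168.9.11; };

  tcp-clients 600;

  // string returned for hostname.bind / id.server; deliberately non-identifying
  hostname "Very glad service for you";

  listen-on-v6 { none; };
  allow-update { none; };  // defaulted - if not present

  max-cache-ttl 60;        // was "max-cache-ttl60;" - the space was missing
  max-ncache-ttl 600;

  dump-file "named dump.db";
  memstatistics-file "named.memstats";

  pid-file "named.pid";
  querylog yes;            // per-query logging (channel set up in the logging clause)
  interface-interval 0;
  statistics-file "named.stats";
  zone-statistics yes;

  // global defaults; the views below override both per zone with TSIG keys
  notify explicit;
  allow-transfer { none; };
};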

view "area01" {
// Evaluated first-to-last: a source in 192.168.164.0/24 (no-ecs-area01), or a
// request carrying an ECS option inside that prefix (ecs-area01), or a request
// signed with the Area01 TSIG key (the secondary's transfer requests).
// Without no-ecs-area01 a plain dig from 192.168.164.x carries no ECS option,
// the "ecs" element is skipped, and the query falls through to the "deafult"
// view below - the difference between the two Test 1 runs.
// NOTE(review): ecs-area01 is satisfied by any client that sets +subnet itself
// (Test 3), so it selects a view but does not restrict who reaches it.
match-clients { no-ecs-area01; ecs-area01; key Area01.example.com.;};
zone "sub.example.com" in {
 type master;
  file "sub/area01.example.com.txt";
 also-notify { 192.168.157.194 key Area01.example.com.; };  // signed NOTIFY to dns2
 allow-transfer { key Area01.example.com.; };               // transfers only with the Area01 key
 };
};
// Area01 View End

view "deafult" {  // Default
// Catch-all view (the name is spelled "deafult"; it is only a label and is
// not referenced elsewhere in the config shown). Any request not claimed by
// "area01" above - including a plain dig from 192.168.164.x when
// no-ecs-area01 is absent, since the "ecs" element needs an ECS option -
// lands here and gets the default zone data (10.0.255.255 for areaxx).
match-clients { any; };
zone "sub.example.com" in {
 type master;
  file "sub/default.example.com.txt";
 also-notify { 192.168.157.194 key Default.example.com.;};  // signed NOTIFY to dns2
 allow-transfer { key Default.example.com.; };              // transfers only with the Default key
 };
};
// Default View End

This DNS server platform is Windows 2012 R2, and I installed BIND 9.11.
My PC IP is 192.168.164.123. When I test with the view area01 match-clients list that does not include no-ecs-area01, a dig for that zone entry always returns the default view's entry; but if I add no-ecs-area01, it responds with the correct entry.
When I use a dig query that includes +subnet=192.168.164.1, it returns the view area01 entry (with no-ecs-area01 not included). I don't know where this went wrong.
Can the client ECS entry be found in the query log?
= My test PC IP information
C:>ipconfig

   IPv4 address. . . . . . . . . . . : 192.168.164.87
   subnet mask. . . . . . . . . . . .: 255.255.255.0

All BIND servers are installed on the Windows 2012 R2 platform.

= Test 1: in view area01, "no-ecs-area01" does not exist
C:>dig areaxx.sub.example.com. @dns2.sub.example.com.

; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13577
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 325d48c8c441ee0168c686475811912d9a5d9fc7bf113bd2 (good)
;; QUESTION SECTION:
;areaxx.sub.example.com.IN  A

;; ANSWER SECTION:
areaxx.sub.example.com. 60  IN  A   10.0.255.255

== Test 1: in view area01, "no-ecs-area01" exists ===
C:>dig areaxx.sub.example.com. @dns2.sub.example.com.

; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32403
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ec76aa0d6063ddfac0fb42b958118fa3039eae3d58015a05 (good)
;; QUESTION SECTION:
;areaxx.sub.example.com.IN  A

;; ANSWER SECTION:
areaxx.sub.example.com. 60  IN  A   10.0.0.10

== Test 3: in view area01, "no-ecs-area01" does not exist ===
C:>dig areaxx.sub.example.com. @dns2.sub.example.com. +subnet=192.168.164.1

; <<>> DiG 9.11.0 

Bind 9.11 question (ACL ecs )

2016-10-25 Thread HsuLiPing
From the 9.1 ARM, chapter 7, which mentions:

The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform 
an authoritative
name server of the network address block from which the original query was 
received, enabling
authoritative servers to give different answers to the same resolver for 
different resolver clients.



An ACL containing an element of the form ecs prefix will match if a request 
arrives in containing
an ECS option encoding an address within that prefix. If the request has no ECS 
option,
then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed 
with "ecs" are
matched only against the source address.



Now I have migrated BIND DNS from 9.10 to 9.11 and use the ECS prefix in my allow-query entry, but when I test with dig (without +subnet) it does not respond; when I remove that ecs keyword, everything is OK.



I used BIND 9.11 to set up three DNS servers: one for mydomain.idv and two for sub.mydomain.idv.

My sub.mydomain.idv has multiple views, but they serve the same zone.

When I use dig to query a sub.mydomain.idv entry, it always returns the last matching view; it does not respond according to the client subnet.

The following is my partial named.conf content:



sub.mydomain.idv (Primary server -ip:a.b.c.d) 
=

// ACL naming the secondary; it is not referenced in the portion of named.conf
// shown. NOTE(review): a.b.c.d is given above as this primary's own address,
// while the secondary is a.b.c1.d (see also-notify below) - confirm which was
// intended.
acl "slave-ips" { a.b.c.d; };

// Per-peer settings for a.b.c.d. provide-ixfr and transfer-format govern
// transfers this server serves TO that peer; request-nsid, send-cookie and the
// EDNS sizes apply to messages exchanged with it.
// NOTE(review): a.b.c.d is listed above as this primary's own address, and the
// secondary is a.b.c1.d; the transfer-side options only matter towards a
// secondary, so the intended peer is presumably a.b.c1.d - confirm.
server  a.b.c.d {
provide-ixfr yes;
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
transfer-format many-answers;
};

// Per-peer settings for the parent-domain (mydomain.idv) primary: ask it for
// NSID, send EDNS COOKIE, and advertise/accept 4096-byte UDP messages.
server  a1.b1.c1.d1 {  // mydomain.idv primary server
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
};

// ACL definitions kept in separate files; presumably area0N (source-address
// lists) and ecs-area0N (ecs-prefixed lists) used by the views below - confirm,
// the files are not shown
include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
// TSIG keys (Area0N/Default.mydomain.idv.) referenced by match-clients,
// also-notify and allow-transfer below; keep this file readable by named only
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
  directory   "d:\isc bind 9\var\named";
// Global deny-all defaults; every view below re-opens allow-query and
// allow-transfer per zone, so these only cover anything not explicitly listed.
allow-update {none;};
notify explicit;              // NOTIFY only to each zone's also-notify targets
allow-transfer { none; };
allow-query { none; };
};

// End Options

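view "area01" {
// match-clients is evaluated first-to-last and denies once the list is
// exhausted. The original list was
//   { area01; ecs-area01; !{!ecs-area01; any; }; key Area01.mydomain.idv.; }
// Its third element rejects every request that reaches it: an ECS address
// outside the prefix matches "!ecs-area01", and a request with no ECS option
// skips the "ecs" element (ARM ch. 7, quoted above) and then matches "any".
// The key element after it was therefore unreachable, so a TSIG-signed
// SOA/AXFR request from the secondary (a.b.c1.d) only landed in this view if
// its source address happened to be inside the area01 ACL. The negated element
// duplicates the implicit deny, so it is dropped and the key is checked first.
// NOTE(review): ecs-area01 is satisfied by whatever ECS value the client sends
// (dig +subnet), so it selects a view but is not an access control.
match-clients { key Area01.mydomain.idv.; area01; ecs-area01; };
zone "sub.mydomain.idv" in {
 type master;
 // the secondary's refresh (SOA) query is a query and must pass allow-query,
 // not only allow-transfer, so admit it by key here as well
 allow-query { key Area01.mydomain.idv.; area01; ecs-area01; };
  file "sub/area01.mydomain.idv.txt";
 also-notify { a.b.c1.d key Area01.mydomain.idv.; };   // signed NOTIFY to the secondary
 allow-transfer { key Area01.mydomain.idv.; };         // transfers only with the Area01 key
 };
}; // End View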

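view "area02" {
// Original list: { area02; ecs-area02; !{!ecs-area02; any; }; key Area02.mydomain.idv.; }
// The negated element rejects everything that reaches it (ECS outside the
// prefix matches "!ecs-area02"; no ECS skips the "ecs" element and then
// matches "any"), so the key element was unreachable and the secondary's
// signed requests reached this view only from a source inside area02.
// The element duplicates the list's implicit deny; drop it and check the
// key first. ecs-area02 is client-supplied (dig +subnet) and selects the
// view without restricting access.
match-clients { key Area02.mydomain.idv.; area02; ecs-area02; };
zone "sub.mydomain.idv" in {
 type master;
 // the secondary's SOA refresh query must pass allow-query too
 allow-query { key Area02.mydomain.idv.; area02; ecs-area02; };
  file "sub/area02.mydomain.idv.txt";
 also-notify { a.b.c1.d key Area02.mydomain.idv.; };   // signed NOTIFY to the secondary
 allow-transfer { key Area02.mydomain.idv.; };         // transfers only with the Area02 key
 };
}; // End View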

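view "area03" {
// Original list: { area03; ecs-area03; !{!ecs-area03; any; }; key Area03.mydomain.idv.; }
// The negated element rejects everything that reaches it (ECS outside the
// prefix matches "!ecs-area03"; no ECS skips the "ecs" element and then
// matches "any"), so the key element was unreachable and the secondary's
// signed requests reached this view only from a source inside area03.
// The element duplicates the list's implicit deny; drop it and check the
// key first. ecs-area03 is client-supplied (dig +subnet) and selects the
// view without restricting access.
match-clients { key Area03.mydomain.idv.; area03; ecs-area03; };
zone "sub.mydomain.idv" in {
 type master;
 // the secondary's SOA refresh query must pass allow-query too
 allow-query { key Area03.mydomain.idv.; area03; ecs-area03; };
  file "sub/area03.mydomain.idv.txt";
  also-notify { a.b.c1.d key Area03.mydomain.idv.; };  // signed NOTIFY to the secondary
  allow-transfer { key Area03.mydomain.idv.; };        // transfers only with the Area03 key
 };
}; // End View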

view "deafult" {  // Default
// Catch-all view (the name is spelled "deafult"; it is only a label). Every
// request not claimed by area01-area03 above is served this copy of the zone,
// which is why an unlisted client always sees "the last view". Note that the
// area views are also reachable by any client that adds its own +subnet
// option, since the ECS value is not verified by the server.
match-clients {any; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query { any; };
  file "sub/default.mydomain.idv.txt";
 also-notify { a.b.c1.d key Default.mydomain.idv.;};   // signed NOTIFY to the secondary
 allow-transfer { key Default.mydomain.idv.; };        // transfers only with the Default key
 };
}; // End View

sub.mydomain.idv (Slave server -ip:a.b.c1.d) 
=

// Per-peer settings towards the primary (a.b.c.d): request-nsid, send-cookie
// and the EDNS sizes apply to this secondary's queries and transfer requests.
// provide-ixfr and transfer-format describe transfers this server would serve
// to a.b.c.d, which only matters if the primary ever pulls from here - harmless.
server  a.b.c.d {
provide-ixfr yes;
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
transfer-format many-answers;
};

// Per-peer settings for the parent-domain (mydomain.idv) primary: ask it for
// NSID, send EDNS COOKIE, and advertise/accept 4096-byte UDP messages.
server  a1.b1.c1.d1 {  // mydomain.idv primary server
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
};

// Same include set as the primary; the ACL files presumably define area0N and
// ecs-area0N for the views below (not shown - confirm), and KeyFiles.txt holds
// the TSIG keys used for signed NOTIFY/transfer; keep it readable by named only
include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
  directory   "d:\isc bind 9\var\named";
// Global deny-all defaults. The secondary's views below re-open allow-query
// per zone but set no allow-transfer, so "none" stays in force for transfers.
allow-update {none;};
notify explicit;              // NOTIFY only to explicit also-notify targets
allow-transfer { none; };
allow-query { none; };
};

// End Options

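view "area01" {
// Same match-clients shape as on the primary. The original list
//   { area01; ecs-area01; !{!ecs-area01; any; }; key Area01.mydomain.idv.; }
// rejects every request at the negated element (ECS outside the prefix matches
// "!ecs-area01"; no ECS skips the "ecs" element and then matches "any"), so the
// key element was unreachable and a signed NOTIFY from the primary a.b.c.d only
// reached this view if a.b.c.d is inside the area01 address ACL. Check the key
// first and rely on the list's implicit deny instead of the negated element.
match-clients { key Area01.mydomain.idv.; area01; ecs-area01; };
zone "sub.mydomain.idv" in {
 type slave;
 // area01 sources, or requests carrying an ECS address inside the prefix
 // (client-supplied, so this selects data rather than restricting access)
 allow-query { area01; ecs-area01; };
  file "sub/area01.mydomain.idv.ca";
 // SOA/AXFR/IXFR requests to the primary are signed with the Area01 key; the
 // primary's NOTIFY is accepted from the masters list by default
 masters { a.b.c.d key Area01.mydomain.idv.; };
 // no allow-transfer here, so the global "allow-transfer { none; }" applies
 };
}; // End View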

view "area02" {
match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key 
Area02.mydomain.idv.;};
zone "sub.mydomain.idv" in {
 type slave;
 allow-query { area02; ecs-area02; };
  file "sub/area02.mydomain.idv.ca";
 masters { a.b.c.d key Area02.mydomain.idv.; };
}; //