On Thu, Oct 27, 2016 at 7:51 PM, wrote:
> ;
> ; area10.itri.org.tw.txt
> ;
> $ORIGIN sub.itri.org.tw.
> $ttl 60
>
> @ IN SOA dns1 hsuliping.itri.org.tw. (
>2016102701 ;serial no
> 1h;refresh every 1 hours
> 1h ;retry - 1 hour
> 2D;expire after 2 days
> 1D);minimum ttl of 1 days
>
>IN NS dns1
>IN NS dns2
>
> dns1IN A 192.168.254.138
> dns2IN A 192.168.157.194
>
> areaxx IN A 10.0.0.10
>IN 2001:ed8:3000::10
>
> ==
> ;
> ; default.example.com.txt
> ;
> $ORIGIN sub.example.com.
> $ttl 60
>
> @ IN SOA dns1 nocomment.example.com. (
>2016102702 ;serial no
> 1h;refresh every 1 hours
> 1h ;retry - 1 hour
> 2D;expire after 2 days
> 1D);minimum ttl of 1 days
>
>
> ;sub-domain name servers
>IN NS dns1
>IN NS dns2
>
> ;A records for name servers above
> dns1IN A 192.168.254.138
> dns2 IN A 192.168.157.194
>
> areaxx IN A 10.0.255.255
>IN 2001:ed8:3000:::255
>
>
> acl ecs-area01 { ecs 192.168.164.0/24; }
> acl no-ecs-area01 { 192.168.164.0/24; };
>
> options {
> directory "d:\isc bind 9\var\named";
> // geoip-directory "d:\isc bind 9\geodb";
>
> // version statement - inhibited for security
> // avoid exposing the version to anyone probing for known weaknesses
>
> version none;
>
> allow-recursion { 192.168.0.0/16; };
> forwarders{ 192.168.9.11; };
>
> tcp-clients 600;
>
> hostname "Very glad service for you";
>
> listen-on-v6 { none; };
> allow-update {none;}; // defaulted - if not present
>
> max-cache-ttl60;
> max-ncache-ttl 600;
>
> dump-file "named dump.db";
> memstatistics-file "named.memstats";
>
> pid-file "named.pid";
> querylog yes;
> interface-interval 0;
> statistics-file "named.stats";
> zone-statistics yes;
>
> notify explicit;
> allow-transfer { none; };
> };
>
> view "area01" {
> match-clients { no-ecs-area01; ecs-area01; key Area01.example.com.;};
> zone "sub.example.com" in {
> type master;
> file "sub/area01.example.com.txt";
> also-notify { 192.168.157.194 key Area01.example.com.; };
> allow-transfer { key Area01.example.com.; };
> };
> };
> // Area01 View End
>
> view "deafult" { // Default
> match-clients { any; };
> zone "sub.example.com" in {
> type master;
> file "sub/default.example.com.txt";
> also-notify { 192.168.157.194 key Default.example.com.;};
> allow-transfer { key Default.example.com.; };
> };
> };
> // Default View End
>
>
> This DNS server platform is Windows 2012 R2, and I installed BIND 9.11.
> My PC's IP is 192.168.164.123. When I test with no-ecs-area01 absent from
> the match-clients list of view area01, a dig for that zone entry always
> returns the entry from the default view. But if I add no-ecs-area01, the
> response contains the correct entry.
> When my dig query includes +subnet=192.168.164.1, it returns the
> view area01 entry (with no-ecs-area01 not included in the list).
> I don't know what is wrong here.
> Can the client's ECS entry be found in the query log?
> =My test PC IP information
> C:>ipconfig
>
>
>IPv4 address. . . . . . . . . . . : 192.168.164.87
>subnet mask. . . . . . . . . . . .: 255.255.255.0
>
> All BIND instances are installed on the Windows 2012 R2 platform
>
> =Test 1 : in view area01 "no-ecs-area01"
> not exist
> C:>dig areaxx.sub.example.com. @dns2.sub.example.com.
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13577
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 325d48c8c441ee0168c686475811912d9a5d9fc7bf113bd2 (good)
> ;; QUESTION SECTION:
> ;areaxx.sub.example.com.IN A
>
> ;; ANSWER SECTION:
> areaxx.sub.example.com. 60 IN A 10.0.255.255
>
> ==Test 1 : in view area01 "no-ecs-area01"
> exist===
> C:>dig areaxx.sub.example.com. @dns2.sub.example.com.
>
> ; <<>> DiG 9.11.0 <<>> areaxx.sub.example.com. @dns2.sub.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32403
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: ec76aa0d6063ddfac0fb42b958118fa3039eae3d58015a05 (good)
> ;; QU