
EDNS Client Subnet

Author: 小苹果儿 · Tags: DNS, edns, ecs · About 500 words

The ECS feature can be used to pass the client's IP address (as a subnet) to the authoritative DNS server for the requested domain name.

Configuration

ZDNS configuration: inserting ECS

F5 GTM configuration: reading ECS

F5 community

Reposted from:
https://community.f5.com/t5/technical-articles/using-client-subnet-in-dns-requests/ta-p/282196

BIG-IP DNS 14.0 now supports edns-client-subnet (ECS) both for responding to client requests (GSLB) and for forwarding client requests (screening). The following is a quick start on using this feature.

What is EDNS-Client-Subnet (ECS)

If you are familiar with X-Forwarded-For headers in HTTP requests, ECS solves a similar problem: how to forward a DNS request through a proxy while preserving information about the original request (the client's IP address). Some of this discussion is also covered in a previous article, Implementing Client Subnet in DNS Requests.

Traditional DNS Requests

When a traditional DNS request is made, a client sends the request to a "local" DNS server (LDNS), which forwards it to the authoritative DNS server for that domain. When a topology record (one that returns different responses based on the source address) is evaluated, it uses the source IP of the LDNS server, not of the client. This is acceptable for most applications, but it would be ideal for the LDNS server to forward more precise information.

ECS DNS Requests

Using ECS, an LDNS server can inject additional metadata into the request that describes the source IP address of the client. In the following example, a "Client Subnet" of 192.0.2.0/24 is forwarded to the DNS server.

[Figure: ECS DNS request carrying the client subnet 192.0.2.0/24]

ECS on BIG-IP DNS

F5 BIG-IP DNS can use ECS in two ways.

  • Use ECS when handling topology requests
  • Inject ECS when “screening” a DNS server

Using ECS with BIG-IP DNS Topology

There are two ways to configure BIG-IP DNS to use ECS: per wide-IP, or globally.

To configure ECS on a wide-ip:

[Screenshot: ECS setting on a wide-IP]

To configure ECS globally, use DNS Settings:

[Screenshot: global ECS setting under DNS Settings]

Injecting ECS records

BIG-IP DNS can also proxy requests to other DNS servers (BIG-IP DNS or other vendors). To do this, modify the DNS profile to insert an ECS record:

[Screenshot: DNS profile with ECS insertion enabled]

You will observe that the original /32 address is forwarded to every DNS server in the pool for that particular Virtual Server.

[Screenshot: forwarded request carrying the original /32 client address]

The following is a diagram of the above.

[Figure: diagram of BIG-IP DNS injecting ECS when screening a DNS server]
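As an added example (not code from the F5 article or from this wiki), the following Python builds and parses the EDNS0 Client Subnet option (RFC 7871, option code 8) that an LDNS or a screening BIG-IP injects, using the 192.0.2.0/24 subnet from the earlier diagram and the full /32 that BIG-IP DNS forwards, so the difference in what leaves the resolver is visible byte by byte. The client address 192.0.2.77 and the IPv6 sample are constructed values.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 option code for Client Subnet (RFC 7871)


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode an ECS option: OPTION-CODE, OPTION-LENGTH, FAMILY (1=IPv4,
    2=IPv6), SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries), then
    only as many address bytes as the prefix covers, host bits zeroed."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix length out of range")
    # Masking to the prefix is what limits how much of the client leaks
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr_bytes = net.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(option: bytes) -> dict:
    """Decode an ECS option, rejecting malformed ones as a resolver or
    authoritative server should (wrong length, or non-prefix bits set)."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    body = option[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match prefix length")
    full_len = 4 if family == 1 else 16
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    if addr != net.network_address:
        raise ValueError("non-prefix bits must be zero")  # RFC 7871 §6
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "subnet": str(net)}


if __name__ == "__main__":
    # Constructed sample: the /24 from the article beside a full /32
    for prefix in (24, 32):
        opt = build_ecs_option("192.0.2.77", prefix)
        print(opt.hex(), parse_ecs_option(opt))
```

The /24 option carries only three address bytes, while the /32 option that BIG-IP DNS forwards carries all four, which is the privacy trade-off to weigh when choosing the prefix length.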

Last edited:
Contributor: 00D2