Thanks Otto,

"It is not 100% clear what you are trying to achieve"

We simply want to use ecs to direct endpoints to their nearest pop for CDN services, specifically Microsoft-related services like Teams, SharePoint, etc. The CDN services work correctly when a branch uses the ISP-assigned DNS for that specific branch/link. But as mentioned, it's difficult to manage these DNS entries when you have many branches across the world (180 sites with 2 different ISP links at each site). It would be much easier if we had a central recursor that could use ecs to determine geo-located services for each branch.

"As for the recursor: by default private addresses will not be used for outgoing ECS (as governed by ecs-add-for)."

Understood.

"If the clients use private addresses from multiple locations via VPNs and all client traffic goes through the VPN as well, it makes sense for a recursor to use for an outgoing ECS the public gateway address used by the VPN clients, as the queries *and* traffic are then coming from the same source. You can use ecs-scope-zero-address to achieve that."

This is not our scenario but I'll check on the indicated option in any case.

"You might take a look into proxy mapping:"

I'll look into this option. We will probably look to use an SNAT firewall entry (with a private-to-public mapping) for our VPN policies to fool the recursor into thinking the client is coming from a public IP address. This will entail some work as we'll have to create specific mappings for each branch. But it's the only option I can see for the moment.

Thank you very much for your replies.

Regards, Robby

On Tue, 8 Nov 2022 at 09:24, Otto Moerbeek <o...@drijf.net> wrote:
> On Tue, Nov 08, 2022 at 08:35:33AM +0200, Robby Pedrica via Pdns-users wrote:
> > Hi all,
> >
> > I've searched pdns docs as well as threads here but can find nothing about how to deploy ecs or, more specifically, under which circumstances ecs can be used.
> >
> > From what I understand of ecs, the recursor will forward the client's IP with the request to the auth (or intermediate) servers so that the auth server can respond with a result that is local (if possible) to the client. I'm going to assume then that a public address is needed from the client as you can't determine location info from an rfc1918 address.
> >
> > Consider the following setup:
> >
> > branch1 (client with private address) -> firewall/NAT+VPN (branch) -> internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
> > branch2 (client with private address) -> firewall/NAT+VPN (branch) |
> > etc.
> >
> > In this scenario, clients at branches have their queries forwarded over site-to-site VPN tunnels to the recursor at a head office. The client IP the recursor sees is the client's private IP address.
> >
> > Is there any possibility of getting a design like this to work with ecs? If not, any alternatives?
> >
> > Notes:
> >
> > The specific pdns-recursor settings I'm looking at are:
> >
> > edns-subnet-allow-list
> > ecs-add-for
> > use-incoming-edns-subnet
> >
> > Regards, Robby
>
> It is not 100% clear what you are trying to achieve. But here's some general info.
>
> Auths use incoming ECS data to hand out IPs matched to the query source by some rules. The assumption is that the actual (often https) traffic comes from the same source.
>
> As for the recursor: by default private addresses will not be used for outgoing ECS (as governed by ecs-add-for).
>
> If the clients use private addresses from multiple locations via VPNs and all client traffic goes through the VPN as well, it makes sense for a recursor to use for an outgoing ECS the public gateway address used by the VPN clients, as the queries *and* traffic are then coming from the same source. You can use ecs-scope-zero-address to achieve that.
>
> If the actual client traffic goes on the net using a different public gateway than used by the recursor, e.g., the public address used by the remote office location, you want an outgoing ECS to use that. You might take a look into proxy mapping:
>
> https://docs.powerdns.com/recursor/lua-config/proxymapping.html
>
> On a general note: only if you observe actual inefficient CDN use I would bother with ECS, as it complicates your configuration, makes the recursor's cache less efficient, and is not guaranteed to provide actual gain.
>
> -Otto

--
Robby Pedrica
XStore
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedr...@xstore.co.za
w: http://wwww.xstore.co.za/
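As an added illustration (not part of Otto's or Robby's messages, and not taken from the PowerDNS project), here is what the proxy-mapping route Otto points to could look like for the branch layout Robby describes: a lua-config-file snippet that maps each branch's private client range to that branch's public gateway address, so the recursor derives its outgoing ECS from the address the branch's real traffic uses rather than from the rfc1918 client address that ecs-add-for excludes by default. The addProxyMapping() call is the one documented on the linked proxymapping page; the branch table, the subnets and the gateway addresses are made-up placeholders (RFC 5737 documentation ranges) to be replaced with real per-site, per-ISP-link values.

```lua
-- Added example, not from the thread or the PowerDNS docs.
-- Loaded via "lua-config-file=/etc/powerdns/recursor.lua" (path assumed).
--
-- One entry per branch/ISP link. Both the private client subnet and the
-- public gateway address are constructed placeholders (RFC 5737 ranges).
local branches = {
  -- { client_subnet,   public_gateway,   label }
  { "10.101.0.0/16", "198.51.100.17", "branch1 via ISP A" },
  { "10.101.0.0/16", "198.51.100.17", "branch1 via ISP A (dup guarded below)" },
  { "10.102.0.0/16", "203.0.113.42",  "branch2 via ISP B" },
}

-- Guard against accidental duplicate subnet entries in a 180-site table:
-- the second mapping for a subnet would silently shadow or conflict with
-- the first, so fail loudly at config load instead.
local seen = {}
for _, b in ipairs(branches) do
  local subnet, gateway = b[1], b[2]
  if seen[subnet] then
    error("duplicate proxy mapping for subnet " .. subnet)
  end
  seen[subnet] = gateway
end

-- addProxyMapping(subnet, address [, domains]) as documented on the linked
-- proxymapping page. Without the optional domain list the mapping applies to
-- every query from that subnet; pass a table of names as the third argument
-- to restrict it to the CDN zones you actually care about, e.g.
--   addProxyMapping(subnet, gateway, { "cdn.example" })   -- placeholder zone
for subnet, gateway in pairs(seen) do
  addProxyMapping(subnet, gateway)
end
```

Two things to check before relying on this. First, the mapped (public) address is what the recursor then works with for that query, so review on the proxymapping page what else it is used for (ACL evaluation in particular) and make sure the allow-from decisions you expect for the private ranges still hold once the source appears to be a public gateway. Second, this only helps if edns-subnet-allow-list actually names the CDN zones or auth servers you want ECS sent to; everything else stays unaffected, which also limits the cache fragmentation Otto warns about.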
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users