dnsdist: new ECSRule to match traffic from ECS option ?

[dmachard]

• Program: dnsdist
• Issue type: Feature request

Short description

This feature request is to add a new rule to match traffic from specified client subnet (ECS).

Usecase

In a containerized environment, we need to route incoming DNS traffic towards specific authoritative DNS servers.
However in some cases, routing cannot be done directly with the real IP of the client because it is no longer available,
but only with the ECS option.

Here's the routing scheme example:

clients --(no ECS) -> dnsdist edge --(with ECS)-> container dnsdist  ------> dns auth A
                                                             |-------------> dns auth B

I managed to achieve this with the LUA code and a minimalist decoder for the ECS option:

listNmg = newNMG()
listNmg:addMask("172.16.0.0/24")

dofile("/etc/dnsdist/decode_ecs.lua")

addAction(LuaRule(ECSOptionRule(listNmg)), PoolAction("pool_internal"))

I believe it would be nice to add a native rule like ECSRule to facilitate this.
Does this make sense to you?

[rgacogne]

Such a rule would make sense to me, yes! Although in this exact case, forwarding from dnsdist to dnsdist, I think the proxy protocol might be better suited and should already work fine for what you want to achieve.

[dmachard]

In fact, we would like to use the ECSRule like the NetmaskGroupRule (with the NetmaskGroup object as input), something like that ECSRule(nmg [, quiet]])

Thanks for tip, I'll try to play with the ProxyProcotol (although after reading the documentation, I feel like I need to write some LUA code too to achieve my need)

[rgacogne]

In fact, we would like to use the ECSRule like the NetmaskGroupRule (with the NetmaskGroup object as input), something like that ECSRule(nmg [, quiet]])

👍

Thanks for tip, I'll try to play with the ProxyProcotol (although after reading the documentation, I feel like I need to write some LUA code too to achieve my need)

Please let us know if it doesn't work, as it sounds like a very legitimate use-case to me.

[dmachard]

Please let us know if it doesn't work, as it sounds like a very legitimate use-case to me.

Just to keep you informed, I managed to use the proxy protocol :) even if it's complicated to have a DNS monitoring tool compatible with proxy protocol :/

[g0tar]

Just to justify this FR - I got pdns-recursor forwarding to dnsdist (rationale), however pdns-recursor doesn't support Proxy Protocol: #11931.
I think that proxy forwarding in recursor would cover more cases though, but as it's not planned the required counterpart is ECS reception and recognition here.