NLnetLabs / unbound-manual

The Official Unbound User Manual
BSD 3-Clause "New" or "Revised" License

Excluding Specific Networks from EDNS Client Subnet Requests #49

Closed consultoriaheitor closed 2 months ago

consultoriaheitor commented 2 months ago

Instead of selecting the network to which I want to send the EDNS with send-client-subnet, I would like to have an option to exclude certain networks, such as 100.64.0.0/10. When I send this network, I receive a response that does not match the expected location. Is it possible to configure this, or do I have to explicitly define the networks that should be sent?

consultoriaheitor commented 2 months ago

When I enable only the public blocks, the subnet queries stop working, and the recursive resolution time increases.

wcawijngaards commented 2 months ago

It is possible to include networks based on the domain name of the zone, with client-subnet-zone: <domain>.

There are no options to exclude addresses, or zones, from edns subnet. The options set the list of allowed addresses and domains. Addresses and domains not listed are then not used with edns subnet.

EDNS subnet is supposedly configured by mutual configuration, I thought. So sending it everywhere is not according to its definition.

If the resolution is not working properly, a check of what happens, with verbosity enabled at level 4 or 5, and looking at that log, could be useful. That may indicate what happens that makes queries stop working. Or perhaps use log-servfail: yes.
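As an added illustration of the allow-list behaviour described in the comment above (not configuration from the thread or from the Unbound project itself), the fragment below enables the subnetcache module and names the upstream servers and zones that may receive ECS; everything not listed is queried without it. The addresses and the zone name are placeholder documentation values, not real servers.

```conf
server:
    # The subnetcache module must be listed before the validator and iterator.
    module-config: "subnetcache validator iterator"

    # ECS is only attached to queries sent to these upstream (authoritative)
    # server addresses. 192.0.2.53 and 2001:db8::53 are placeholders.
    send-client-subnet: 192.0.2.53
    send-client-subnet: 2001:db8::53

    # Alternatively, allow ECS for any server authoritative for this zone.
    # example.com is a placeholder zone name.
    client-subnet-zone: example.com

    # Limit how much of the client address is forwarded (these are the defaults).
    max-client-subnet-ipv4: 24
    max-client-subnet-ipv6: 56

    # Debugging aids suggested in the comment above: detailed logging, plus a
    # log line for every SERVFAIL handed back to a client.
    verbosity: 4
    log-servfail: yes
```

verbosity 4 or 5 is only for diagnosis; it writes a line per packet and should be lowered again once the failing queries have been identified.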

consultoriaheitor commented 2 months ago

I understand that sending to everyone is not in line with what would be correct, but I am an ISP, and how will I know which domains use this? We also have a lot of clients, and listing them didn’t work. Could an alternative be using private-address to exclude the addresses I don't want from the recursive query?

wcawijngaards commented 2 months ago

There is no signalling method that I know of, so there is no method to figure that out. Not using EDNS subnet is the set-up that works for unknown participants, as the configuration is, I think.

Yes, private-address is an option that filters IP addresses from replies. And it can be used to rewrite in that sense.

Other ways to rewrite the replies are with respip, with something like response-ip: 192.0.2.0/24 redirect and response-ip-data: 192.0.2.0/24 "A 192.0.2.1", and the respip module enabled in module-config. Or rewrite the reply with an RPZ zone, which also needs the respip module enabled; that can also act on the IP address in the answer and then perform actions that filter the response, like giving out specific A records.

It is also possible to use local-data: "www.example.com. A 192.0.2.1", or a local-zone definition, that sets an answer that is returned for queries for that name; it is not a filter applied afterwards.
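To make the three answer-rewriting mechanisms named in the comment above concrete, here is an added configuration fragment (written for this page, not taken from the thread or from Unbound's own documentation) that places them side by side. The 192.0.2.0/24 addresses and the example.com names are documentation placeholders; 100.64.0.0/10 is the shared address space the original poster mentioned.

```conf
server:
    # response-ip / response-ip-data and RPZ only take effect when the
    # respip module is in module-config, ahead of the validator.
    module-config: "respip validator iterator"

    # private-address is a post-resolution filter: A/AAAA records inside these
    # ranges are stripped from answers for public names (private-domain
    # whitelists names that legitimately resolve to such addresses).
    private-address: 100.64.0.0/10
    private-domain: "internal.example.com"

    # respip acts on the address in the answer. Any A record in 192.0.2.0/24
    # is replaced by the record given in response-ip-data.
    response-ip: 192.0.2.0/24 redirect
    response-ip-data: 192.0.2.0/24 "A 192.0.2.1"

    # local-zone / local-data set the answer up front for a name; no upstream
    # query is made, so this is not a filter on a received reply.
    local-zone: "www.example.com." redirect
    local-data: "www.example.com. A 192.0.2.1"
```

Note the difference in where each mechanism acts: private-address and response-ip inspect the resolved answer, while local-data short-circuits resolution for the listed name altogether.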

consultoriaheitor commented 2 months ago

Thanks for the help