bind 9.11 ECS基本测试

9.11 中增加了多EDNS Client Subnet(ECS)的支持。但是目前网上都还没有相关的测试,仅仅在邮件列表有点没配置成功的咨询。
在9.11中需要开启ECS需要在编译的时候指定Geoip

yum install -y  GeoIP 
./configure --with-geoip=--with-geoip=/usr/share/GeoIP/

目前bind的ACL中是把ECS 带的Client地址作为一个独立的特征做匹配


单ECS本身还是做IP地址匹配,非常容易与现有的地址匹配混淆。最开始以为可以这样搞

acl zone1 { ecs 10.0.0.0/8 ;  10.0.0.0/8;  };
acl zone2 { ecs 172.0.0.0/8; 172.0.0.0/8; };
view  "zone1" { match-clients  {zone1;}; zone "test.org" { type master; file "zone/test.org" ;}; };
view  "zone2" { match-clients  {zone2;}; zone "test.org" { type master; file "zone2/test.org" ;}; };

发现走10.0.0.0/8内的源地址带172.0.0.0/8的subnet时始终命中zone1,无法到达预期的效果。目前测试OK的配置只能是把ECS的ACL做独立的view匹配。
而且鉴于bind acl并非是最精确匹配,只是线性匹配,配置的时候必须要把ecs view写在最前面,否则即使请求带了ECS OPTION,也会因为源地址先匹配到其他view而达不到效果。。

acl zone1 { ecs 10.0.0.0/8;  10.0.0.0/8;  };
acl zone2 { ecs 172.0.0.0/8;172.0.0.0/8; };
acl ecs-zone1 { ecs 10.0.0.0/8;  };
acl ecs-zone2 { ecs 172.0.0.0/8;};
view  "ecs-zone1" { match-clients  {ecs-zone1;}; zone "test.org" { type master; file "ecszone/test.org" ;}; };
view  "ecs-zone2" { match-clients  {ecs-zone2;}; zone "test.org" { type master; file "ecszone2/test.org" ;}; };
view  "zone1" { match-clients  {zone1;}; zone "test.org" { type master; file "zone/test.org" ;}; };
view  "zone2" { match-clients  {zone2;}; zone "test.org" { type master; file "zone2/test.org" ;}; };

实际测试的命令

dig @10.10.0.15 test100.test.org
dig @172.18.0.6 test100.test.org
dig @10.10.0.15 test100.test.org  +subnet=172.1.1.1/24
dig @10.10.0.15 test100.test.org  +subnet=10.1.1.1/24
dig @172.18.0.6 test100.test.org  +subnet=10.1.1.1/24
dig @172.18.0.6 test100.test.org  +subnet=172.1.1.1/24

对应日志中显示的view 匹配

09-Mar-2017 08:36:59.784 queries: client @0x7f83d40a9780 10.10.0.15#43153 (test100.test.org): view zone1: query: test100.test.org IN A +E(0)K (10.10.0.15)
09-Mar-2017 08:37:03.387 queries: client @0x7f83d4003960 172.18.0.6#35845 (test100.test.org): view zone2: query: test100.test.org IN A +E(0)K (172.18.0.6)
09-Mar-2017 08:37:09.289 queries: client @0x7f83d40a9780 10.10.0.15#59444 (test100.test.org): view ecs-zone2: query: test100.test.org IN A +E(0)K (10.10.0.15)
09-Mar-2017 08:37:16.402 queries: client @0x7f83d40a9780 10.10.0.15#47162 (test100.test.org): view ecs-zone1: query: test100.test.org IN A +E(0)K (10.10.0.15)
09-Mar-2017 08:37:23.009 queries: client @0x7f83d4003960 172.18.0.6#51519 (test100.test.org): view ecs-zone1: query: test100.test.org IN A +E(0)K (172.18.0.6)
09-Mar-2017 08:37:34.102 queries: client @0x7f83d4003960 172.18.0.6#39007 (test100.test.org): view ecs-zone2: query: test100.test.org IN A +E(0)K (172.18.0.6)

isc在bind 9.11的开发分支中对目前ECS的支持有特殊的说明

Miscellaneous Notes

Authoritative server support for the EDNS Client Subnet option (ECS), introduced in BIND 9.11.0, was based on an early version of the specification, and is now known to have incompatibilities with other ECS implementations. It is also inefficient, requiring a separate view for each answer, and is unable to correct for overlapping subnets in the configuration. It is intended for testing purposes but is not recommended for for production use. This was not made sufficiently clear in the documentation at the time of release.


参考:
1. bind各个版本的特性矩阵:https://kb.isc.org/article/AA-01310/109/BIND9-Significant-Features-Matrix.html
2. https://ftp.isc.org/isc/bind9/9.11.1rc1/RELEASE-NOTES-bind-9.11.1rc1.html

此条目发表在dns分类目录。将固定链接加入收藏夹。

bind 9.11 ECS基本测试》有2条回应

  1. liyong说:

    有性能对比不?

发表评论