Using Client Subnet in DNS Requests
BIG-IP DNS 14.0 now supports edns-client-subnet (ECS) for both responding to client requests (GSLB) or forwarding client requests (screening). The following is a quick start on using this feature.
What is EDNS-Client-Subnet (ECS)
If you are familiar with X-Forwarded-For headers in HTTP requests, ECS solves a similar problem. The problem is how to forward a DNS request through a proxy and preserve information about the original request (IP Address). Some of this discussion I also cover in a previous article,Implementing Client Subnet in DNS Requests .
Traditional DNS Requests
When a traditional DNS request is made, a client makes a request to a “local” DNS server (LDNS), and that request is forwarded to the authoritative DNS server for that domain. When a topology (send different responses based on the source address) record is evaluated it will use the source IP of the LDNS server. Usually this is OK for most applications, but it would be ideal to be able to forward more precise information from the LDNS server.
ECS DNS Requests
Using ECS a LDNS server can inject additional meta-data about the request that includes information about the source IP address of the client. In the following example a “Client Subnet” of 192.0.2.0/24 is forwarded to the DNS server.
ECS on BIG-IP DNS
F5 BIG-IP DNS can use ECS in two ways.
- Use ECS when handling topology requests
- Inject ECS when “screening” a DNS server
Using ECS with BIG-IP DNS Topology
There are two methods of configuring BIG-IP DNS to use ECS. Either at the wide-ip or globally.
To configure ECS on a wide-ip:
To configure ECS globally. Under DNS Settings.
Injecting ECS records
BIG-IP DNS can also proxy requests to other DNS servers (BIG-IP DNS or other vendors). When you modify the DNS profile to insert an ECS record.
You will observe that the original /32 address will be forwarded to any DNS servers that are in the pool for that particular Virtual Server.
The following is a diagram of the above.
- James_379753Nimbostratus
This seems to be exactly what we need in our architecture but has anybody got this working where the LDNS server is a Windows 2016 server?
In our lab we can see the Windows 2016 server forward the request to the F5 but we cannot see any eDNS client subnet field in a wireshark trace of that request. As such the solution doesn't work.
Does anybody know if we need to 'turn on' the client subnet somewhere on the Windows 2016 server? Thanks.
- Leonardo_SouzaCirrocumulus
Ok, great.
- Robin_Mordasie1Historic F5 Account
A question was asked above regarding persistence, and yes when you apply a persistence profile you will see the client IP address in the persistence record, which means that if the user does start using a different local DNS resolver which supports client-subnet insertion, the GTM persistence record will be used.
- Kevin_BaslerAltostratus
Thanks for your quick reply, Eric.
Looking at the irule, I see it doing a whereis on the ECS subnet and logging the response. I fail to see how GTM then knows how to use this information for its topology load balancing. Can you help me understand how this works?
Thanks
Kevin
- Eric_ChenEmployee
@Kevin Basler,
 
In version 13.1.1 you would have to consider an iRule to emulate the behavior that is described in this article. My previous article covers this here: Implementing Client Subnet in DNS Requests.
 
- Kevin_BaslerAltostratus
What steps are needed to configure this in 13.1.1?
- Leonardo_SouzaCirrocumulus
The external part that complicates the test, I could do with internal names/DNS/IPs, but that is why I said I don't have an easy way.
F5 PD could have been a little bit more friendly, providing extra information. :P
https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-14-0-0.html "Support for EDNS0 For this release, the BIG-IP system now supports certain functionality associated with the Extended DNS (EDNS0 or EDNS) client subnet option."
Based on the number of comments so far, you can see this is a very helpful improvement for GTM.
Anyway, let's wait for @mwalkup69 tests.
- Eric_ChenEmployee
@leonardo. "dig" is your friend for testing (modern versions):
$ dig @203.0.113.13 test.example.com +short 203.0.113.250 $ dig +subnet=192.0.2.0/24 @203.0.113.13 test.example.com +short 192.0.2.2
You will also have to ensure that the DNS provider is sending ECS records. In the past I know that you had to register your BIG-IP DNS IPs with OpenDNS to have them forward ECS requests.
- walkman69Altostratus
@Leonardo Souza Great Idea!
- Leonardo_SouzaCirrocumulus
@mwalkup69 if you lab this, can you test the persistence and let us know if it takes into account the ECS?
I have no easy way to test this, but I had many projects in the past that had problems with Google DNS and similar services.