Using Client Subnet in DNS Requests
BIG-IP DNS 14.0 now supports edns-client-subnet (ECS) both when responding to client requests (GSLB) and when forwarding client requests (screening). The following is a quick start on using this feature.
What is EDNS-Client-Subnet (ECS)?
If you are familiar with X-Forwarded-For headers in HTTP requests, ECS solves a similar problem: how to forward a DNS request through a proxy while preserving information about the original requester (its IP address). Some of this discussion I also cover in a previous article, Implementing Client Subnet in DNS Requests.
Traditional DNS Requests
When a traditional DNS request is made, a client sends the request to a "local" DNS server (LDNS), and the LDNS forwards it to the authoritative DNS server for that domain. When a topology record (one that returns different responses based on the source address) is evaluated, it uses the source IP of the LDNS server. This is usually fine for most applications, but it would be ideal to forward more precise information from the LDNS server.
ECS DNS Requests
Using ECS, an LDNS server can inject additional metadata into the request that carries information about the source IP address of the client. In the following example a "Client Subnet" of 192.0.2.0/24 is forwarded to the DNS server.
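As an added example (not part of the original article, and not F5 code), the following Python builds the ECS option for the article's 192.0.2.0/24 and decodes it again, applying the RFC 7871 checks a receiving server uses to decide whether the option is well formed or must be answered with FORMERR. The sample addresses are constructed; only the standard library is used.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8            # EDNS option code for Client Subnet (RFC 7871)
FAMILY_LEN = {1: 4, 2: 16}     # address-family number -> full address length in octets

def encode_ecs(address, source_prefix, scope_prefix=0):
    """Build one EDNS0 option (code, length, data) carrying a client subnet.
    ADDRESS is cut to the fewest octets that cover source_prefix and the bits
    beyond the prefix are zeroed, as RFC 7871 requires in a query."""
    ip = ipaddress.ip_address(address)
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix length out of range")
    family = 1 if ip.version == 4 else 2
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr_bytes = network.network_address.packed[: (source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def decode_ecs(option):
    """Parse an ECS option into (subnet, source prefix, scope prefix).
    Raises ValueError for the malformations RFC 7871 says a server should
    answer with FORMERR: wrong ADDRESS octet count, or bits set past the prefix."""
    if len(option) < 8 or struct.unpack("!HH", option[:4]) != (ECS_OPTION_CODE, len(option) - 4):
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr_bytes = option[8:]
    full_len = FAMILY_LEN.get(family)
    if full_len is None or source > full_len * 8:
        raise ValueError("unknown address family or prefix too long")
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("ADDRESS octet count does not match SOURCE PREFIX-LENGTH")
    ip = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    network = ipaddress.ip_network(f"{ip}/{source}", strict=False)
    if network.network_address != ip:
        raise ValueError("non-zero ADDRESS bits beyond SOURCE PREFIX-LENGTH")
    return str(network), source, scope

def is_well_formed(option):
    """True when decode_ecs accepts the option, i.e. a server would not FORMERR it."""
    try:
        decode_ecs(option)
        return True
    except ValueError:
        return False

# Constructed sample: the article's 192.0.2.0/24 on the wire (code 8, len 7, IPv4, /24, scope 0, 3 octets)
QUERY_OPTION = encode_ecs("192.0.2.57", 24)
```

A query carrying a /32 (as the iRule in the comments does) is encoded the same way, with all four octets present.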
ECS on BIG-IP DNS
F5 BIG-IP DNS can use ECS in two ways.
- Use ECS when handling topology requests
- Inject ECS when “screening” a DNS server
Using ECS with BIG-IP DNS Topology
There are two methods of configuring BIG-IP DNS to use ECS: per wide-IP, or globally.
To configure ECS on a wide-IP:
To configure ECS globally (under DNS Settings):
Injecting ECS records
BIG-IP DNS can also proxy requests to other DNS servers (BIG-IP DNS or other vendors). When you modify the DNS profile to insert an ECS record, you will observe that the original /32 address is forwarded to any DNS servers in the pool for that particular virtual server.
The following is a diagram of the above.
- Hao_Admin (Nimbostratus)
I want to insert 'client subnet' in 'add OPT'. The purpose is to display the source IP address in the real DNS server's log file, so I use the following iRule script:
when DNS_REQUEST {
    DNS::edns0 subnet address [IP::client_addr]
    DNS::edns0 subnet source 32
}
Now, through packet capture, the request packet received by the SLB shows the effect of inserting the 'client_addr' field into 'add OPT'.
But when the backend server sends back the packet, it displays 'Flags: 0x8101 Standard query response, Format error' and fails to resolve the A record of the domain name.
So, do you have any good ideas to rule out this problem? Thanks!
- johnny_f5 (Nimbostratus)
Update! Found I can do something like this:
when DNS_REQUEST {
    if { [DNS::edns0 subnet address] contains "10.3.0.0" } {
        pool test member 10.2.0.11 80
    } else {
        pool test
    }
}
Also, I found you can lower the TTL for an F5-DNS pool to zero so that there is no TTL, to do more of an active/active setup for internal GSLB.
Thanks for your help!
- johnny_f5 (Nimbostratus)
Robin, Thank you for the link. However, I don't understand how to set DNS load-balancing method via iRule. Any ideas?
- Robin_Mordasiew (Nimbostratus)
Eric Chen wrote this article based on the GUI features available in 14; however, in version 13 ECS was available as a feature to be used within an iRule. Eric's previous article, which was based on v13, has some iRule examples that you could use as your starting point. https://devcentral.f5.com/s/articles/implementing-client-subnet-dns-requests
- johnny_f5 (Nimbostratus)
Robin, thanks for your response. I was assuming that it would be possible with an iRule (unless 14.1+ have additional ECS features). I did some searching but couldn’t find an example. Anyone have a good example of an iRule to do this?
- Robin_Mordasiew (Nimbostratus)
Short answer is, yes, this can be done, but you would need to use an iRule.
- johnny_f5 (Nimbostratus)
Can these ECS records be used to make load-balancing decisions that aren't based on topology?
I was thinking of using this for a delegation subzone between F5-DNS and Infoblox in which all traffic would hit Infoblox and then get delegated to F5 via CNAME. If traffic to F5 is only being sent from the same Infoblox device, I want to do active/active and get different results based on the client that sends the original DNS query, and thought that ECS might be able to accomplish this, but I haven't been able to set it up correctly so far. I see the ECS entry sent from Infoblox to F5, but it doesn't seem to affect the load-balancing decision so far.
- dragonflymr (Cirrostratus)
Thanks Leo, know about global setting :-)
Piotr
- Leonardo_Souza (Cirrocumulus)
The information about Prefer Client Subnet, as described in this article and the help menus, was written with topology in mind, but as indicated above, it also applies to persistence.
Your conclusion is correct.
In relation to windows server, I can't add anything helpful.
- dragonflymr (Cirrostratus)
Hi,
Great article!
I still have some small doubts about how ECS and persistence work. Based on previous posts from Robin (thanks a lot, Robin, for sharing) it seems to work like this (for a WideIP):
- Persistence enabled at WideIP
- Prefer Client Subnet checked
Result: Source IP of DNS server sending query is disregarded, persistence record is created based on Client Subnet in the query
- Persistence enabled at WideIP
- Prefer Client Subnet not checked
Result: Client subnet info in request is ignored, persistence record is based on IP of DNS server sending query.
Am I right with the above?
Is that scheme valid for any other LB method used? For example RR: if there is no persistence record (based on the client subnet in the request), LB is performed; if a persistence record exists, LB is ignored and the same IP is returned.
I am as well curious if anyone succeeded with enabling ECS on any version of Windows Srv?
Piotr