Using Client Subnet in DNS Requests

BIG-IP DNS 14.0 now supports edns-client-subnet (ECS) for both responding to client requests (GSLB) or forwarding client requests (screening). The following is a quick start on using this feature.

What is EDNS-Client-Subnet (ECS)

If you are familiar with X-Forwarded-For headers in HTTP requests, ECS solves a similar problem.  The problem is how to forward a DNS request through a proxy and preserve information about the original request (IP Address).  Some of this discussion I also cover in a previous article,Implementing Client Subnet in DNS Requests .

Traditional DNS Requests

When a traditional DNS request is made, a client makes a request to a “local” DNS server (LDNS), and that request is forwarded to the authoritative DNS server for that domain.  When a topology (send different responses based on the source address) record is evaluated it will use the source IP of the LDNS server.  Usually this is OK for most applications, but it would be ideal to be able to forward more precise information from the LDNS server.

ECS DNS Requests

Using ECS a LDNS server can inject additional meta-data about the request that includes information about the source IP address of the client.  In the following example a “Client Subnet” of 192.0.2.0/24 is forwarded to the DNS server.

ECS on BIG-IP DNS

F5 BIG-IP DNS can use ECS in two ways.

  • Use ECS when handling topology requests
  • Inject ECS when “screening” a DNS server

Using ECS with BIG-IP DNS Topology

There are two methods of configuring BIG-IP DNS to use ECS.  Either at the wide-ip or globally.

To configure ECS on a wide-ip:

To configure ECS globally.  Under DNS Settings.

Injecting ECS records

BIG-IP DNS can also proxy requests to other DNS servers (BIG-IP DNS or other vendors).  When you modify the DNS profile to insert an ECS record.

You will observe that the original /32 address will be forwarded to any DNS servers that are in the pool for that particular Virtual Server.

The following is a diagram of the above.

Published Sep 14, 2018
Version 1.0

Was this article helpful?

27 Comments