
Support for RFC 7871 (Client Subnet in DNS Queries)


Does anyone know if Infoblox supports RFC 7871 (Client Subnet in DNS Queries) or plans to support it in the future?

 

Cheers,

 

Paul

 

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Support for RFC 7871 (Client Subnet in DNS Queries)

AJobai

Hi Paul,

 

Infoblox supports this from 8.1.x NIOS version.

 

Snippet from 8.1.0 Release notes:

 

Support for EDNS Client Subnet (RFE-3315)
This release adds support for the EDNS Client Subnet (ECS) option for recursive DNS. When using this option, the recursive DNS resolver provides the client subnet to the authoritative DNS server so it can build an optimized reply.

 

-

Anto

Re: Support for RFC 7871 (Client Subnet in DNS Queries)


Doh! I did check the release notes but couldn't find it because I was searching for "RFC 7871"! I see it now, and have just read the admin guide - as usual should check the docs first before asking stupid questions! :-)

 

Thanks.

 

Paul

Paul Roberts
PCN (UK) Ltd


Re: Support for RFC 7871 (Client Subnet in DNS Queries)

shaukat

Hi,
I have version 8.1.5 installed on my IB-4030 caching machine. Can anybody let me know how to verify that it is enabled and working?
Can I verify through a traffic capture or log?
Under Data Management > DNS > Grid Properties, ECS is disabled by default.
Complete steps for verifying EDNS Client Subnet would be highly appreciated.

Regards

Shaukat Ali

00923119659771

Re: Support for RFC 7871 (Client Subnet in DNS Queries)


Without wishing to state the obvious :-) have you actually enabled it? The context help should help you understand the various options.

 

You can test using dig, e.g.: here are some queries I did via Google versus locally with the +subnet option...

The first query is to Google Public DNS (which supports the ECS option); you can see that the EDNS client subnet option is included (highlighted). You should be able to test this against Infoblox once you have enabled ECS:

paul@ubuntu-dev-1:~$ dig @8.8.8.8 www.microsoft.com +subnet=81.174.169.137/24

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 www.microsoft.com +subnet=81.174.169.137/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10072
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 81.174.169.0/24/0
;; QUESTION SECTION:
;www.microsoft.com.             IN      A

;; ANSWER SECTION:
www.microsoft.com.      2613    IN      CNAME   www.microsoft.com-c-2.edgekey.net.
www.microsoft.com-c-2.edgekey.net. 871 IN CNAME www.microsoft.com-c-2.edgekey.net.globalredir.akadns.net.
www.microsoft.com-c-2.edgekey.net.globalredir.akadns.net. 885 IN CNAME e1863.dspb.akamaiedge.net.
e1863.dspb.akamaiedge.net. 5    IN      A       2.20.202.119

;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 09 17:34:13 BST 2017
;; MSG SIZE  rcvd: 223

When I query my local DNS server (which does not support ECS), the EDNS client subnet option gets dropped; this will be the same as if ECS is disabled on Infoblox:

paul@ubuntu-dev-1:~$ dig @192.168.0.37 www.microsoft.com +subnet=81.174.169.137/24

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.0.37 www.microsoft.com +subnet=81.174.169.137/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46299
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.microsoft.com.             IN      A

;; ANSWER SECTION:
www.microsoft.com.      827     IN      CNAME   www.microsoft.com-c-2.edgekey.net.
www.microsoft.com-c-2.edgekey.net. 10277 IN CNAME www.microsoft.com-c-2.edgekey.net.globalredir.akadns.net.
www.microsoft.com-c-2.edgekey.net.globalredir.akadns.net. 841 IN CNAME e1863.dspb.akamaiedge.net.
e1863.dspb.akamaiedge.net. 20   IN      A       2.19.61.200

;; Query time: 87 msec
;; SERVER: 192.168.0.37#53(192.168.0.37)
;; WHEN: Fri Jun 09 17:34:39 BST 2017
;; MSG SIZE  rcvd: 212


Paul Roberts
PCN (UK) Ltd


Re: Support for RFC 7871 (Client Subnet in DNS Queries)

shaukat

Thanks Paulr,

 

Thanks for your response. When I run the dig command with the +subnet option, the response is "Invalid option":

 

D:\dns\bin>dig @8.8.8.8 www.microsoft.com +subnet=2.20.202.119/24
Invalid option: +subnet=2.20.202.119/24
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} [...]]

Use "dig -h" (or "dig -h | more") for complete list of options

 

Can you help in this regard?

Re: Support for RFC 7871 (Client Subnet in DNS Queries)


You need a newer version of dig.

Paul Roberts
PCN (UK) Ltd


Re: Support for RFC 7871 (Client Subnet in DNS Queries)

shaukat

I tried to reinstall the new version but it is the same situation. Can you please let me know which version has this support? My OS is Windows 8.1.


C:\BIND9.9.10-P2.x64> dig @8.8.8.8 www.microsoft.com +subnet=81.174.169.137/24
Invalid option: +subnet=81.174.169.137/24
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} [...]]

Use "dig -h" (or "dig -h | more") for complete list of options

Re: Support for RFC 7871 (Client Subnet in DNS Queries)


You need BIND 9.10.

Paul Roberts
PCN (UK) Ltd


Re: Support for RFC 7871 (Client Subnet in DNS Queries)

shaukat

Thanks,

I have a caching machine solution of IB-4030 connected with the Grid.
Do I need to add the domain under Data Management > DNS > Grid DNS Properties, or do I only need to enable Recursive ECS?

Please elaborate.

Regards

 

Re: Support for RFC 7871 (Client Subnet in DNS Queries)

ebre

Thanks Paul.

 

What is the meaning of the "/0" from ; CLIENT-SUBNET: 81.174.169.0/24/0?

Because some domains will not tell you /0 but, for example, ; CLIENT-SUBNET: 2x.x.x.x/28/24
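
Added example, not part of the thread and not Infoblox or BIND code: the ECS option behind dig's CLIENT-SUBNET line, encoded and decoded per RFC 7871, where the three printed fields are address/SOURCE PREFIX-LENGTH/SCOPE PREFIX-LENGTH. The `answer_covers` helper and the 192.0.2.16 reply are constructed for illustration.

```python
import ipaddress
import struct

ECS_CODE = 8                    # EDNS0 option code for Client Subnet (RFC 7871)
FAMILY_BITS = {1: 32, 2: 128}   # IANA address family number -> address width

def encode_ecs(subnet, scope=0):
    """Wire form of the option; queries send scope 0, servers set it in replies."""
    net = ipaddress.ip_network(subnet, strict=False)    # zeroes the host bits
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]  # whole octets only
    data = struct.pack("!HBB", family, net.prefixlen, scope) + addr
    return struct.pack("!HH", ECS_CODE, len(data)) + data

def decode_ecs(option):
    """Return (address, source_prefix, scope_prefix); reject malformed options."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length, family, source, scope = struct.unpack("!HHHBB", option[:8])
    bits = FAMILY_BITS.get(family)
    if code != ECS_CODE or length != len(option) - 4 or bits is None:
        raise ValueError("not a well-formed ECS option")
    addr = option[8:]
    if source > bits or scope > bits or len(addr) != (source + 7) // 8:
        raise ValueError("prefix length and address length disagree")
    value = int.from_bytes(addr, "big") << (bits - 8 * len(addr))
    if value & ((1 << (bits - source)) - 1):
        raise ValueError("non-zero bits beyond the source prefix")
    cls = ipaddress.IPv4Address if family == 1 else ipaddress.IPv6Address
    return cls(value), source, scope

def as_dig(option):
    """Render the option the way dig's CLIENT-SUBNET line does."""
    return "{}/{}/{}".format(*decode_ecs(option))

def answer_covers(option, client):
    """Hypothetical helper: may a reply carrying this option serve `client` too?"""
    addr, source, scope = decode_ecs(option)
    # Simplification: the usable prefix is never longer than what was sent.
    net = ipaddress.ip_network(f"{addr}/{min(source, scope)}", strict=False)
    return ipaddress.ip_address(client) in net

if __name__ == "__main__":
    query = encode_ecs("81.174.169.137/24")             # subnet from the thread
    print(query.hex(), as_dig(query))
    reply = encode_ecs("192.0.2.16/28", scope=24)       # constructed reply
    print(as_dig(reply), answer_covers(reply, "192.0.2.200"))
```

A scope of 0 marks an answer that is not tied to any particular subnet, while /28/24 means 28 bits were sent and the answer applies to the enclosing /24.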

 

 
