EDNS with /24 subnet

Hey guys,

is this an expected behavior? As mentioned in the title, pihole discards EDNS information emebdded in the dns-query when the "client subnet" field doesnt contain the whole ip address. (/32)

Expected Behaviour:

Pihole forwards EDNS information to upstream resolver even when only the client network address (e.g. 94.112.65.0) is provided in the "client subnet" field. The client could benefit from edns without leaking the whole client ip.

Actual Behaviour:

EDNS information embedded in dns-query get discarded. pihole-FTL logs the following message:
Found malicious EDNS payload, skipping record.

Debug Token:

Please provide more details about your configuration. Which config lines did you use to configure this? How did you find out it is discarded (I guess you did some packet inspection)? We need these information to know where we should be looking at together.

Can you quote the exact lines? I'd also be interesting to see what FTL tries to parse here. Please add

DEBUG_EDNS0=true

to the file /etc/pihole/pihole-FTL.conf (create if it does not exist) and run

pihole restartdns

Iam using dnsmasq as resolver in my local network and pihole as upstream resolver on a VPS.

Ive tested the following two configurations to activate ECS/EDNS0 Client Subnet.

add-subnet=MY_IP_ADDRESS/32 <- works as expected, pihole-FTL.log doesn't show any error and the complete client ip gets forwarded to the upstream resolver definded in pihole.

add-subnet=MY_IP_ADDRESS/24 <- Doesn't work, pihole-FTL.log shows the following error, client-ip is not visible on upstream resolver defined in pihole:

[2022-02-02 08:13:48.461 3746M] EDNS(0) pheader[0] = 0x00
[2022-02-02 08:13:48.461 3746M] EDNS(0) pheader[1] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[2] = 0x29
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[3] = 0x02
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[4] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[5] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[6] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[7] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[8] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[9] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[10] = 0x0b
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[11] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[12] = 0x08
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[13] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[14] = 0x07
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[15] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[16] = 0x01
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[17] = 0x18
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[18] = 0x00
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[19] = 0x58
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[20] = 0x99
[2022-02-02 08:13:48.462 3746M] EDNS(0) pheader[21] = 0x42
[2022-02-02 08:13:48.462 3746M] EDNS(0) requestor's UDP payload size: 512 bytes
[2022-02-02 08:13:48.462 3746M] EDNS(0) code 8, optlen 7 (bytes 4 - 11 of 11)
[2022-02-02 08:13:48.462 3746M] Found malicious EDNS payload, skipping record.

The source package which is received on the VPS always shows the correct data.

• My complete public ip address when using the first option
• My public network address (e.g. 88.150.62.0) when using the second option

Unfortunately pihole doesn't accept my public network address as ECS/EDNS0 Client Subnet.

tcpdump906×621 94 KB

Thanks for the debug data, I'll check this in s few hours when I'm back from work

Sorry, it's still somewhat unclear to me what you want to achieve, you'll only be able to benefit from EDNS when providing a public IP address to the resolver (so it can give you the best CDN nodes, for example).

Thank you very much in advance!

I would like to benefit from EDNS but don't want to forward the full IP to the upstream resolver/CDN Provider.

Okay, I tried this now and found two things: (1) FTL incorrectly logs an error because it expected a 32 bit address, however, (2) it still forwards the ECS data correctly.

I repeated my test with a packet dump to confirm this. Let me describe how I tried to reproduce it so you can compare this to your setup:

1. A client calls dig google.com @127.0.0.0 -p 5355
2. 127.0.0.1:5355 is a dnsmasq instance is listening with the configuration

   server=127.0.0.1#53
   add-subnet=1.2.3.0/24
   

3. 127.0.0.1:53 is my Pi-hole in turn asking 127.0.0.1:5353 as upstream resolver
4. 127.0.0.1:5353 is a local unbound instance

This tries to replicate your setup albeit everything locally (which shouldn't matter).

The pcaps now looks exactly as expected.

1. The client asks the dnsmasq instance:
   

   

   Screenshot from 2022-02-02 21-06-291331×823 168 KB

2. This one adds the add-subnet=1.2.3.0/24 information and forwards to the Pi-hole:
   

   

   Screenshot from 2022-02-02 21-06-351331×823 173 KB

3. The Pi-hole takes the query and forwards it upstream to unbound (ECS still present):
   

   

   Screenshot from 2022-02-02 21-06-421331×823 172 KB

4. Unbound replies to Pi-hole (ECS still present):
   

   

   Screenshot from 2022-02-02 21-06-461331×823 168 KB

5. Pi-hole replies to dnsmasq (ECS still present):
   

   

   Screenshot from 2022-02-02 21-06-521331×823 170 KB

6. dnsmasq replies to original client (ECS still present):
   

   

   Screenshot from 2022-02-02 21-06-551331×823 170 KB

@brotaxt

1. Can you please also check on the VPS if the ECS data is really not getting forwarded (despite the incorrect error)?

2. Please try the fixed version using

   pihole checkout ftl fix/sparse_ecs
   

   You should now see a log message like

   [2022-02-02 21:24:55.427 3936184M] EDNS(0) CLIENT SUBNET: 1.2.3.0/24 found (IPv4)
   

   instead of the incorrect warning.

   Bugfix: Do not warn about less-than-full addresses when analyzing EDNS(0) packets by DL6ER · Pull Request #1296 · pi-hole/FTL · GitHub

Hey DL6ER,

thanks for the quick test & response.

I did another pcap to check if the ECS data gets processed correctly. (why didn't I do it directly ) The requests getting processed by dnsmasq and forwarded to my upstream resolver, even when I set my network address (.0/24) as edns-client-subnet. That seems to work as expected.

I'll test your fixed version tomorrow.

Hi @DL6ER,

I've tested your fix and can confirm that everyhting works as expected now.

Best regards!

[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[0] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[1] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[2] = 0x29
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[3] = 0x02
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[4] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[5] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[6] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[7] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[8] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[9] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[10] = 0x0b
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[11] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[12] = 0x08
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[13] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[14] = 0x07
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[15] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[16] = 0x01
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[17] = 0x18
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[18] = 0x00
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[19] = 0x58
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[20] = 0x99
[2022-02-04 16:22:56.094 12251M] EDNS(0) pheader[21] = 0x42
[2022-02-04 16:22:56.094 12251M] EDNS(0) requestor's UDP payload size: 512 bytes
[2022-02-04 16:22:56.094 12251M] EDNS(0) code 8, optlen 7 (bytes 4 - 11 of 11)
[2022-02-04 16:22:56.094 12251M] EDNS(0) CLIENT SUBNET: XXX.XXX.XXX.0/24 found (IPv4)

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.