Need help configuring EDNS0

Waiting for support for the add-subnet option from dnsmasq (ECS/EDNS0 Client Subnet) in main :slight_smile:
(I just started playing with dnsdist today, in front of pihole, as I want local DoH/DoT - and losing the client IP is a pain... as all I now see is the dnsdist IP)

Also I have a WireGuard subnet which I presume will be a separate challenge.... :slight_smile:

pihole is my DHCP server, and (mostly main) DNS server, but I have dnsdist optionally in front of it if I change my DNS server IP on a client.

If I'm right, all I should need to add to be ready is:

dnsdist.conf

  • on a "addDOHLocal" line, add the option trustForwardedForHeader=true
  • generally add setECSOverride(true)
  • generally add setECSSourcePrefixV4(16)

pihole 02-override.conf

  • add-mac
  • add-subnet=16,128

I run a /16, so I presume I want the 15 subnet?

Or am I missing something?

(Moved to a new topic of its own, since this is a request for specific help rather than a discussion of the Feature Request it is related to.) :wink:

I am running DoT/DoH with dnsdist, unbound and pihole (dnsmasq).

add-subnet=32,128 -> this is correct
32 and 128 specify the subnet length, 32 = whole IPv4 address, 128 = whole ipv6 address.
With /16 you only get the /16 net (CIDR notation) of the IP address.

###haproxy###
frontend fe-https
....
option forwardfor
...

###dnsdist###
setECSOverride(true)
setECSSourcePrefixV4(32)
setECSSourcePrefixV6(128)

-- DNS over TLS
addTLSLocal("0.0.0.0:853", {"/dnsdist_certs/rsa/fullchain.cer", "/dnsdist_certs/ecdsa/fullchain.cer"}, {"/dnsdist_certs/rsa/test.de.key", "/dnsdist_certs/ecdsa/test.de.key"}, {doTCP=true, reusePort=true, provider='openssl', minTLSVersion='tls1.2', ciphers='HIGH:!RSA:!PSK:!LOW:!aNULL:!eNULL:!SHA1:!SHA256:!SHA384'})
addTLSLocal("[::]:853", {"/dnsdist_certs/rsa/fullchain.cer", "/dnsdist_certs/ecdsa/fullchain.cer"}, {"/dnsdist_certs/rsa/test.de.key", "/dnsdist_certs/ecdsa/test.de.key"}, {doTCP=true, reusePort=true, provider='openssl', minTLSVersion='tls1.2', ciphers='HIGH:!RSA:!PSK:!LOW:!aNULL:!eNULL:!SHA1:!SHA256:!SHA384'})

-- DNS over HTTP (HTTPS with haproxy)
addDOHLocal("0.0.0.0:80", nil, nil, {"/doh_874653", "/doh_874653_unbound", "/doh_874653_pihole"}, {serverTokens="h2o/dnsdist", tcpFastOpenSize=0, reusePort=true, trustForwardedForHeader=true})

-- Backend rule: DoH
addAction(AndRule({ DSTPortRule(80), HTTPPathRule("/doh_874653") }), PoolAction("pool-unbound"))
addAction(AndRule({ DSTPortRule(80), HTTPPathRule("/doh_874653_unbound") }), PoolAction("pool-unbound"))
addAction(AndRule({ DSTPortRule(80), HTTPPathRule("/doh_874653_pihole") }), PoolAction("pool-pihole"))

###dnsmasq (in pfsense)###
proxy-dnssec
cache-size=0
add-mac
add-subnet=32,128
# x.x.x.x = pihole ip
server=x.x.x.x#53

###pihole###
echo y | pihole checkout ftl new/edns0
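To see what the add-subnet=32,128 versus add-subnet=16,128 difference discussed above means on the wire, here is an added example (not code from either post, nor from dnsmasq, dnsdist or Pi-hole) that builds and parses the EDNS0 Client Subnet option as defined in RFC 7871. The client address 10.42.7.9 and the IPv6 address 2001:db8::1 are made-up sample inputs; the function names are this example's own.

```python
# Added example (not from the forum thread): build and parse the EDNS0 Client
# Subnet (ECS, RFC 7871) option that dnsmasq's add-subnet=<v4>,<v6> attaches,
# to show what a /16 versus a /32 source prefix actually puts on the wire.
import ipaddress
import struct

ECS_OPTION_CODE = 8          # EDNS option code for Client Subnet (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def build_ecs_option(address: str, source_prefix: int) -> bytes:
    """Return the EDNS option (code, length, data) carrying ADDRESS truncated to SOURCE_PREFIX bits.

    Mirrors dnsmasq add-subnet=<v4>,<v6>: only the octets needed to hold the prefix are sent,
    with any bits beyond the prefix zeroed, as RFC 7871 section 6 requires.
    """
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    max_bits = 32 if ip.version == 4 else 128
    if not 0 <= source_prefix <= max_bits:
        raise ValueError(f"prefix {source_prefix} out of range for IPv{ip.version}")
    # Zero everything below the prefix, then keep only ceil(prefix/8) octets.
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8
    addr_bytes = network.network_address.packed[:nbytes]
    scope_prefix = 0  # always 0 in a query; the resolver fills it in on replies
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs_option(option: bytes) -> dict:
    """Decode an ECS option back into family, prefix lengths and the (zero-padded) address."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    data = option[4:4 + length]
    if len(data) != length:
        raise ValueError("truncated option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    addr_bytes = data[4:]
    if family == FAMILY_IPV4:
        full_len, max_bits = 4, 32
    elif family == FAMILY_IPV6:
        full_len, max_bits = 16, 128
    else:
        raise ValueError(f"unknown address family {family}")
    if source_prefix > max_bits or len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix")
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    addr = ipaddress.ip_address(padded)
    # RFC 7871: bits beyond SOURCE PREFIX-LENGTH must be zero; reject sloppy encoders.
    if ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False).network_address != addr:
        raise ValueError("non-zero bits beyond the source prefix")
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "address": str(addr)}


if __name__ == "__main__":
    # Constructed sample client on a /16 LAN (RFC 1918 address, made up for this example).
    for prefix in (16, 32):
        opt = build_ecs_option("10.42.7.9", prefix)
        print(prefix, opt.hex(), parse_ecs_option(opt))
```

With a /16 source prefix only two octets (10.42) travel in the option and the parser recovers 10.42.0.0, so Pi-hole would log the whole LAN as one client; with /32 the full 10.42.7.9 is carried, which is why the reply above uses add-subnet=32,128 for per-client visibility.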
