Differences

This shows you the differences between two versions of the page.

--- infoblox_nios:ecs [2024/12/21 13:25] – bstafford
+++ infoblox_nios:ecs [2025/02/21 09:03] (current) – [NIOS-X] bstafford
@@ Line 5: / Line 5: @@
 By default, when ECS queries come into NIOS, NIOS will strip the ECS data when forwarding. To keep the ECS data when forwarding on a domain-by-domain basis, add the domain to the "Query Zone Permissions" and set "Permission" to allow. You have the ability to set the "Permission" to Deny but this doesn't block the domain from resolving, it just removes the ECS data from the domain (i.e. Deny NIOS the ability to forward ECS data).
-If you include +subnet=10.10.10.0/24 in a dig request and "Recursive ECS" is disabled, then you will get an answer for anything the NIOS is authoritative for but NOT for anything else (i.e. recursive queries will get refused).
+If you include +subnet=10.10.10.0/24 in a dig request and "Recursive ECS" is disabled, then you will get an answer for anything the NIOS is authoritative for but NOT for anything else (i.e. recursive queries will get refused... yes, you can break general recursion for domains that have ECS added by disabling this feature. Obviously, a lot of queries probably won't have this so most recursion would still work).
 If you include +subnet=10.10.10.0/24 in a dig request and "Recursive ECS" is enabled, but NOT "ECS Forwarding", then you will get an answer for anything the NIOS is authoritative for but NOT for anything else (i.e. recursive queries will get refused).
@@ Line 12: / Line 12: @@
 IPv4 Source Prefix: 16 - This is configuration but (for example) a value of 16 means that when we receive a query with ECS, if the query has a more specific subnet (e.g. /24) then the subnet will be rounded up to the value of this source prefix when forwarding to the next server. i.e. if you query NIOS with +subnet=10.10.10.0/24, then when NIOS forwards to the next NIOS and ECS is copied over (i.e. the domain is in the "Query Zone Permission" list) and forwarded to the next server (or root, etc), then the value of the ECS field will be changed from 10.10.10.0/24 to 10.10.0.0/16.
+===== NIOS-X =====
+If a client queries NIOS-X and the NIOS-X server has ECS0 enabled, then DTC further up the chain get the ECS subnet. If the DNS query hitting the NIOS-X server already has ECS0 data, that data is copied over to the server that the NIOS-X forwards the queries to.
+==== DFP =====
+DFP by itself will not ADD EDNS0 but it will COPY EDNS0 if present.
+===== DTC =====
+When using DTC, if you want DTC to consider EDNS0 option, select "When DNS Traffic Control is enabled, direct traffic according to EDNS0 Client Subnet when possible" from Grid Properties > Traffic Control.
+Note: DTC takes no notice of the Add/Copy source IP feature.