
This is an old revision of the document!


DNS ECS

Go to Grid Properties > Queries > Advanced, then enable “Recursive ECS” and “ECS Forwarding”.

Query Zone Permissions: By default, when ECS queries come into NIOS, NIOS strips the ECS data when forwarding. To keep the ECS data when forwarding on a domain-by-domain basis, add the domain to the “Query Zone Permissions” list and set “Permission” to “Allow”. You can also set “Permission” to “Deny”, but this doesn't block the domain from resolving; it just removes the ECS data from queries for that domain (i.e. it denies NIOS the ability to forward ECS data).

If you include +subnet=10.10.10.0/24 in a dig request and “Recursive ECS” is disabled, then you will get an answer for anything the NIOS is authoritative for but NOT for anything else (i.e. recursive queries will get refused).

If you include +subnet=10.10.10.0/24 in a dig request and “Recursive ECS” is enabled, but NOT “ECS Forwarding”, then you will get an answer for anything the NIOS is authoritative for but NOT for anything else (i.e. recursive queries will get refused).

If you include +subnet=10.10.10.0/24 in a dig request and both “Recursive ECS” and “ECS Forwarding” are enabled, then you will get an answer for anything the NIOS is authoritative for and for anything else. However, you will need to put at least one domain in the “Query Zone Permissions” list. Queries for domains that are in the list AND have “Permission” set to “Allow” will have their ECS data forwarded from NIOS to the next server. Queries for any domain that is not in the list, OR that is in the list with “Permission” set to “Deny”, will not have their ECS data forwarded.

IPv4 Source Prefix: 16 - This value is configurable. A value of 16 (for example) means that when NIOS receives a query with ECS data and the query has a more specific subnet (e.g. /24), the subnet is rounded up to this source prefix length when forwarding to the next server. For example, if you query NIOS with +subnet=10.10.10.0/24 and the ECS data is copied over (i.e. the domain is in the “Query Zone Permissions” list) when NIOS forwards the query to the next server (another NIOS, a root server, etc.), then the value of the ECS field is changed from 10.10.10.0/24 to 10.10.0.0/16.
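The rules above can be written down as a small decision model, which is handy as a test matrix when checking which client subnets leave the Grid. This is an added example, not Infoblox code: the setting names and sample domains are hypothetical, and it assumes a list entry also covers its subdomains.

```python
import ipaddress

# Constructed sample settings; key names are hypothetical, not NIOS identifiers.
SETTINGS = {
    "recursive_ecs": True,
    "ecs_forwarding": True,
    "ipv4_source_prefix": 16,
    # "Query Zone Permissions" list (must hold at least one domain, per the page)
    "zone_permissions": {"example.com": "Allow", "example.net": "Deny"},
}

def zone_permission(settings, qname):
    """Return "Allow", "Deny" or None (not listed) for qname.

    Assumption: an entry also covers its subdomains, most specific entry wins.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        entry = settings["zone_permissions"].get(".".join(labels[i:]))
        if entry is not None:
            return entry
    return None

def forwarded_subnet(settings, client_subnet):
    """Shorten a more specific IPv4 ECS subnet to the configured source prefix."""
    net = ipaddress.ip_network(client_subnet, strict=False)
    if net.version == 4 and net.prefixlen > settings["ipv4_source_prefix"]:
        net = net.supernet(new_prefix=settings["ipv4_source_prefix"])
    return str(net)

def handle_ecs_query(settings, qname, client_subnet, authoritative):
    """Return (outcome, ecs_forwarded) for a query that carries ECS data."""
    if authoritative:
        return ("answered", None)   # answered locally, nothing is forwarded
    if not (settings["recursive_ecs"] and settings["ecs_forwarding"]):
        return ("refused", None)    # recursive ECS queries are refused
    if zone_permission(settings, qname) == "Allow":
        return ("answered", forwarded_subnet(settings, client_subnet))
    return ("answered", None)       # Deny or not listed: ECS data is stripped

if __name__ == "__main__":
    for name in ("www.example.com", "www.example.net", "www.example.org"):
        print(name, handle_ecs_query(SETTINGS, name, "10.10.10.0/24", False))
```

Comparing the second element of each result with the ECS option seen in a packet capture on the upstream side shows whether a domain's client subnet is being disclosed as intended.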

infoblox_nios/ecs.1686062115.txt.gz · Last modified: by bstafford