What is the meaning of an ecs log

Greg Choules gregchoules+bindusers at googlemail.com
Thu Dec 8 08:25:11 UTC 2022


Hi Mik.
The Client Subnet in DNS Queries <https://www.rfc-editor.org/rfc/rfc7871> RFC
should explain all.
Essentially there are two masks in the ECS option - source prefix length
and scope prefix length.
ECS-enabled recursive servers (like Google or BIND -S edition) will set the
source prefix length to whatever has been configured; in this case /24. But
they MUST set the scope prefix length to zero because this field is
intended for use by an ECS-enabled authoritative server to signal (in its
response) the prefix to which it applies.

I hope that helps.
Cheers, Greg

On Thu, 8 Dec 2022 at 07:04, Mik J via bind-users <bind-users at lists.isc.org>
wrote:

> Thank you for your answer and pointing out this information.
>
> When I showed you this message
> client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: example.org
> IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0
>
> This query was to my authoritative server which holds example.org
> The client IP is a Google DNS public IP (I had changed the IP to
> 172.16.11.2)
> And the 192.168.2.0/24 prefix is a prefix from a hosting company in
> Turkey (I had changed the IP)
>
> So I suppose that a machine hosted in that 192.168.2.0/24 subnet uses
> Google DNS as a resolver. And that resolver is querying my authoritative DNS.
>
> I had read the documentation and this /0 is noted as a scope
> "a statement which appears in a zone block has scope only for that zone"
> I understand this sentence but I don't understand this /0
>
> In my logs it's always a /0
> I'm wondering in which case it could be different than a /0
>
>
>
>
> On Thursday, December 8, 2022 at 02:36:40 UTC+1, Darren Ankney <
> darren.ankney at gmail.com> wrote:
>
>
>
>
>
> Found the answer in the manual:
>
> "Finally, if any CLIENT-SUBNET option was present in the client query,
> it is included in square brackets in the format [ECS
> address/source/scope]."
>
> https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-category
>
> On Wed, Dec 7, 2022 at 8:25 PM Mik J via bind-users
> <bind-users at lists.isc.org> wrote:
> >
> > Hello Darren,
> >
> > The entire message is
> > client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: example.org IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0]
> >
> > The version is: 9.18.7
> > It's both authoritative and recursive
> >
> >
> >
> >
> > On Thursday, December 8, 2022 at 01:56:57 UTC+1, Darren Ankney <
> > darren.ankney at gmail.com> wrote:
> >
> >
> >
> >
> >
> > Is that the entire log message or just part of it?  Is this a
> > recursive or authoritative name server?  What version of bind?
> >
> > Logging is covered in the manual though I don't really see a
> > comprehensive explanation of message format (maybe it's there and I'm
> > just not seeing it).
> >
> > https://bind9.readthedocs.io/en/v9_18_9/reference.html#logging-block-grammar
> >
> > On Wed, Dec 7, 2022 at 7:42 PM Mik J via bind-users
> > <bind-users at lists.isc.org> wrote:
> > >
> > > Hello,
> > > I see logs like [ECS 192.168.2.0/24/0] but I don't understand what is the last /0 part.
> > > Where can I get an explanation?
> > > Regards
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> >
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
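An added example, not part of the thread and not BIND's own code: a small parser for the `[ECS address/source/scope]` suffix of a query log line that flags a non-zero scope in a query (which, as Greg notes, RFC 7871 forbids) and address bits set beyond the source prefix. The function name, the result layout and every sample line except the first (taken from the thread) are constructed for illustration.

```python
import ipaddress
import re

# "[ECS address/source/scope]" as documented in the BIND manual quoted above.
ECS_RE = re.compile(r"\[ECS (?P<addr>[0-9A-Fa-f:.]+)/(?P<source>\d+)/(?P<scope>\d+)\]")
# Source of the query as logged: "client [@0x...] ip#port".
CLIENT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+")

def parse_ecs(line):
    """Return the ECS fields of one query log line, or None if it has no ECS."""
    m = ECS_RE.search(line)
    if m is None:
        return None
    addr = ipaddress.ip_address(m["addr"])
    source, scope = int(m["source"]), int(m["scope"])
    if max(source, scope) > addr.max_prefixlen:
        raise ValueError(f"prefix length out of range for {addr}")
    # strict=False masks the address to the source prefix so we can compare.
    subnet = ipaddress.ip_network(f"{addr}/{source}", strict=False)
    notes = []
    if scope != 0:
        notes.append("non-zero scope in a query")
    if subnet.network_address != addr:
        notes.append("address bits set beyond source prefix")
    client = CLIENT_RE.search(line)
    return {
        "resolver": client["ip"] if client else None,  # who sent the query
        "subnet": str(subnet),                         # end client's network
        "source": source,
        "scope": scope,
        "notes": notes,
    }

SAMPLE = [
    # From the thread (addresses already anonymised by the poster).
    "client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: example.org IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0]",
    # Constructed: scope set in a query.
    "client @0x53eda9122d1 172.16.11.3#5353 (example.org): query: example.org IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/24]",
    # Constructed: host bits left in the address.
    "client @0x53eda9122d2 172.16.11.4#5354 (example.org): query: example.org IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.77/24/0]",
    # Constructed: query without an ECS option.
    "client @0x53eda9122d3 172.16.11.5#5355 (example.org): query: example.org IN A -E(0)DC (1.2.3.4)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_ecs(entry))
```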