
Enabling Recursive Resolution Using EDNS Client Subnet (ECS) Option

The EDNS Client Subnet (ECS) option is a DNS extension you use to optimize recursive resolution for query sources that are not topologically close to the recursive resolvers. When you enable ECS for recursive resolution, the application includes subnet information of the NIOS-X Server that originates a DNS query. Thus, your recursive resolver can perform geotargeting by passing the subnet information to authoritative servers so that the response will be more optimized for the end clients. For example, when you enable ECS and/or ECS forwarding on your recursive resolver, CDNs (Content Delivery Networks) can deliver content faster and more efficiently to the end user by providing information about the end user's subnet to the authoritative DNS server operated by the CDNs.

You can enable the application to handle recursive queries using the ECS option and enable ECS forwarding support. You can then add whitelisted zone names that are subject to ECS recursion and specify the source prefix length for IPv4 and IPv6 addresses. Make sure you enter only apex zones, for example foo.com, corpxyz.com, etc. The whitelisted zone name indicates the zone to which ECS-tagged queries must be sent.

Note the following while adding whitelisted zone names:

  • ECS options are sent only when both the name being queried and the apex of the zone being queried match ECS zones. For example, if the zone "foo.com" contains a subdomain "www.foo.com", then you must configure "foo.com" as the ECS zone and not "www.foo.com". The latter configuration might result in no ECS queries being sent, because the apex zone "foo.com" does not match "www.foo.com".

  • Queries for subdomains of the specified zone name that carry a prefix length greater than the configured prefix length are not applicable to those subdomains. For example, if you specify "foo.com" with IPv4 prefix length 20, then IPv4 queries with a prefix length greater than 20 are not applicable for the subdomains of "foo.com".

  • You can exclude certain subdomains by adding a leading exclamation mark (!) to the subdomain name. For example: ! foo.example.org, ! test.foo.com, etc.

Guidelines for Using ECS and ECS Forwarding

The following are the guidelines for using ECS and ECS forwarding:

  • When recursive ECS is enabled, the application applies ECS handling for queries that meet both of the following criteria:
    • If the source prefix length is not set to zero.
    • If the query name matches one of the listed whitelisted zone names.
  • If you enable ECS forwarding, all queries that contain a valid ECS option will be forwarded to the authoritative server.

  • Queries with the source prefix length set to zero will be forwarded unchanged, regardless of whether ECS forwarding is enabled or disabled.

  • When recursive ECS and ECS forwarding are both enabled, the response to queries that contain a valid ECS option with a non-zero source prefix length will contain an ECS option.

  • When recursive ECS is enabled and ECS forwarding is disabled, and if the original query contains a valid ECS option with a non-zero source prefix length, then the resolver returns a REFUSED response.
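The whitelisting notes and the guidelines above describe a small decision procedure, so here it is as an added example (written for this page, not Infoblox or NIOS-X code): label-wise apex matching with "!" exclusions, the configured IPv4/IPv6 source prefix lengths as a cap on what is sent upstream, the ECS option in its RFC 7871 wire format (option code 8, family, source and scope prefix lengths, truncated address), and the forward-unchanged / forward / REFUSED outcomes. Function names, the cfg dictionary keys, the longest-apex tie-break, the truncation of a forwarded client prefix to the configured length, and the "strip" outcome for the case the page does not cover (both features disabled) are assumptions for illustration; the addresses are constructed documentation ranges.

```python
# Added example, not Infoblox code: a model of the ECS whitelist notes and the
# recursive-ECS / ECS-forwarding guidelines, using the RFC 7871 wire format.
# Function names, cfg keys and the "strip" case are assumptions.
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 option code for CLIENT-SUBNET (RFC 7871)


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def _under(name, zone):
    """True if name equals zone or lies beneath it (label-wise, not substring)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def matching_ecs_zone(qname, ecs_zones):
    """Return the whitelisted apex zone that governs qname, or None.

    ecs_zones holds apex names; an entry with a leading '!' excludes that
    subtree.  An exclusion wins over any allow it sits under; among allows the
    longest matching apex wins (assumed tie-break, not stated by the page)."""
    allows = [z.strip() for z in ecs_zones if not z.startswith("!")]
    denies = [z[1:].strip() for z in ecs_zones if z.startswith("!")]
    if any(_under(qname, d) for d in denies):
        return None
    hits = [z for z in allows if _under(qname, z)]
    return max(hits, key=lambda z: len(_labels(z)), default=None)


def configured_prefix(addr, cfg):
    """Configured source prefix length for the family of addr (defaults 24/56)."""
    v4 = ipaddress.ip_address(addr).version == 4
    return cfg["ipv4_prefix"] if v4 else cfg["ipv6_prefix"]


def encode_ecs_option(addr, source_prefix, scope_prefix=0):
    """Build one EDNS CLIENT-SUBNET option: code, length, family, source and
    scope prefix lengths, then the address truncated to source_prefix bits
    with the unused low bits of the last byte zeroed (RFC 7871 section 6)."""
    ip = ipaddress.ip_address(addr)
    if source_prefix > ip.max_prefixlen:
        raise ValueError("prefix length exceeds address width")
    family = 1 if ip.version == 4 else 2
    nbytes = (source_prefix + 7) // 8
    packed = ip.packed[:nbytes]
    if nbytes and source_prefix % 8:  # mask the partial last byte
        mask = (0xFF << (8 - source_prefix % 8)) & 0xFF
        packed = packed[:-1] + bytes([packed[-1] & mask])
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + packed
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def decode_ecs_option(blob):
    """Parse an ECS option; the truncated address is zero-padded to full width."""
    code, length = struct.unpack("!HH", blob[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    data = blob[4:4 + length]
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    if family == 1:
        addr = ipaddress.IPv4Address(data[4:].ljust(4, b"\x00"))
    else:
        addr = ipaddress.IPv6Address(data[4:].ljust(16, b"\x00"))
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "address": str(addr),
            "raw": blob[:4 + length]}


def plan_upstream_query(qname, client_ecs, cfg, resolver_addr):
    """Apply the guidelines: decide which ECS option (if any) goes upstream.

    client_ecs: decode_ecs_option() result for the incoming query, or None.
    cfg keys: recursive_ecs, ecs_forwarding, ecs_zones, ipv4_prefix, ipv6_prefix.
    Returns (action, option_bytes)."""
    if client_ecs is not None:
        if client_ecs["source_prefix"] == 0:
            # source prefix 0 is forwarded unchanged whatever the settings
            return "forward-unchanged", client_ecs["raw"]
        if cfg["ecs_forwarding"]:
            # forward the client's subnet, capped at the configured prefix (assumed)
            prefix = min(client_ecs["source_prefix"],
                         configured_prefix(client_ecs["address"], cfg))
            return "forward-client-subnet", encode_ecs_option(client_ecs["address"], prefix)
        if cfg["recursive_ecs"]:
            return "refused", None  # recursive ECS on, forwarding off -> REFUSED
        return "strip", None  # both off: not covered by the page; assumed dropped
    if cfg["recursive_ecs"] and matching_ecs_zone(qname, cfg["ecs_zones"]):
        # recursive ECS tags whitelisted names with the resolver's own subnet
        prefix = configured_prefix(resolver_addr, cfg)
        return "add-resolver-subnet", encode_ecs_option(resolver_addr, prefix)
    return "plain", None


if __name__ == "__main__":
    cfg = {"recursive_ecs": True, "ecs_forwarding": False,
           "ecs_zones": ["foo.com", "! test.foo.com"],
           "ipv4_prefix": 24, "ipv6_prefix": 56}
    client = decode_ecs_option(encode_ecs_option("198.51.100.77", 32))  # constructed
    print(plan_upstream_query("www.foo.com", client, cfg, "203.0.113.5")[0])
    print(plan_upstream_query("www.foo.com", None, cfg, "203.0.113.5"))
```

Two details are worth checking in your own deployment: `_under` compares whole labels, so "foo.com.example.net" is not treated as part of "foo.com", and `encode_ecs_option` zeroes the bits beyond the prefix, so a /20 of 198.51.100.77 goes upstream as 198.51.96.0 rather than leaking the full host address.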

To enable recursive ECS and configure DNS resolver parameters, complete the following:

  1. From the Infoblox Portal, click Configure > Networking > DNS, and click Global DNS Configuration.

  2. In the Global DNS Configuration page, click EDNS Client Subnet Configuration, and complete the following:

    • Enable Recursive EDNS Client Subnet: Select this check box to enable recursive resolution using EDNS client subnet. This is disabled by default. If recursive EDNS client subnet is enabled, the application applies EDNS client subnet handling for queries that meet both of the following criteria:
      • If the source prefix length is not set to zero.

      • If the query zone name is listed in the whitelisted domains.

    • Enable EDNS Client Subnet Forwarding: Select this check box to enable EDNS client subnet forwarding. If you enable ECS forwarding, all queries containing a valid EDNS client subnet option will be forwarded to the authoritative server.

      Note

      Queries with the source prefix length set to zero will be forwarded unchanged, regardless of whether EDNS client subnet forwarding is enabled or disabled.

    • QUERY ZONE PERMISSIONS: Click Add to add a list of query zone names that are subject to ECS recursion and the corresponding permission. The application adds a row to the table. Complete the following:
      • Zone: Enter the zone name.
      • Permission: Select Allow or Deny from the drop-down list.

      To delete a query zone from the list, select the check box and click the Remove button.

    • IPv4 Source Prefix: Specify the IPv4 source prefix length. You can enter a value between 1 and 24. The default value is 24.
    • IPv6 Source Prefix: Specify the IPv6 source prefix length. You can enter a value between 1 and 56. The default value is 56.
  3. Click Save & Close to save the configuration.