Issue between DnsDIST and Unbound 1.17 using PROXYv2
George (Yorgos) Thessalonikefs
george at nlnetlabs.nl
Tue Oct 11 15:50:58 UTC 2022
Hi David,
I have tried with dnsdist 1.7.1 and I can't reproduce the issue. Haven't
tested with 1.7.2 so I can't comment on that.
A couple of things that may help:
- Unbound will still log 10.0.0.10 for log messages that have to do with
network connectivity;
- Queries from dnsdist itself (i.e., health check queries) provide no
proxy address information, so dnsdist (10.0.0.10) is the actual client
for those queries;
- An easy way to see what is happening wrt client addresses is to enable
'log-queries: yes' and 'log-replies: yes', and bring down
'verbosity: 0';
- There is also an example program if you want to get dnsdist outside of
the troubleshooting chain. You can 'make streamtcp' and then use
something like './streamtcp -u -f 10.0.0.11@8053 -p 10.0.0.4
nlnetlabs.nl A IN' from the Unbound machine to simulate your setup.
Hope that is useful for now.
As a last note, while looking around, I did identify a bug when reading
the PROXYv2 header on TCP connections when no addresses are provided.
dnsdist does that for health check queries. I don't think you were
hitting that bug though, since the bug results in error messages and no
replies.
The fix is committed in the release branch:
https://github.com/NLnetLabs/unbound/tree/branch-1.17.0
Best regards,
-- George
On 11/10/2022 15:27, David Touzeau via Unbound-users wrote:
> Hello best,
>
> We don't know for you guys but we tried to connect DnsDist to Unbound by
> using the PROXYv2 protocol and we only get the IP of the DnsDist server
> instead of the original IP of the PC client.
> - Linux Debian 10
> - DnsDist 1.7.2
> - Unbound 1.17.0rc1
>
> Client IP: 10.0.0.4
>
> DnsDist conf (IP: 10.0.0.10):
> newServer({
> address='10.0.0.11:8053',
> useProxyProtocol=true
> })
>
> Unbound conf (IP: 10.0.0.11):
> interface: 10.0.0.11@8053
> proxy-protocol-port: 8053
>
> in the Unbound log file we see the 10.0.0.10 instead of the 10.0.0.4
>
> we surely miss a point here, any help/trick will be welcome, thanks.
>
> --
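
The no-address case mentioned in the reply above (a PROXYv2 header that carries no addresses, as dnsdist sends for health checks), shown as an added example; it is not Unbound's or dnsdist's code and not part of the original message. `pp2_parse`, the status names and the sample bytes are hypothetical and constructed for illustration, and only IPv4 addresses are decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 12-byte PROXY protocol v2 signature: "\r\n\r\n\0\r\nQUIT\n". */
#define PP2_SIG_BYTES 0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A
static const uint8_t PP2_SIG[12] = { PP2_SIG_BYTES };

/* Constructed samples: a header with no addresses (LOCAL, UNSPEC, length 0) and
 * a PROXY/INET/STREAM header for client 10.0.0.4:5300 -> 10.0.0.11:8053. */
static const uint8_t SAMPLE_NO_ADDR[16] = { PP2_SIG_BYTES, 0x20, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_PROXY_V4[28] = { PP2_SIG_BYTES, 0x21, 0x11, 0x00, 0x0C,
    10, 0, 0, 4,  10, 0, 0, 11,  0x14, 0xB4,  0x1F, 0x75 };

enum pp2_status { PP2_ERROR = -1, PP2_NEED_MORE = 0, PP2_NO_ADDR = 1, PP2_ADDR_V4 = 2 };
struct pp2_info { enum pp2_status status; size_t consumed; uint8_t src_ip[4]; uint16_t src_port; };

/* Hypothetical helper: parse one PROXYv2 header at the start of buf (n bytes read
 * so far). 'consumed' is how many bytes to skip before the DNS payload begins. */
static struct pp2_info pp2_parse(const uint8_t *buf, size_t n)
{
    struct pp2_info r = { PP2_ERROR, 0, {0, 0, 0, 0}, 0 };
    if (n < 16) { r.status = PP2_NEED_MORE; return r; }   /* fixed part incomplete */
    if (memcmp(buf, PP2_SIG, 12) != 0 || (buf[12] >> 4) != 2) return r;
    uint8_t cmd = buf[12] & 0x0F;                   /* 0 = LOCAL, 1 = PROXY */
    uint8_t fam = buf[13] >> 4;                     /* 0 = UNSPEC, 1 = INET, 2 = INET6 */
    size_t len = ((size_t)buf[14] << 8) | buf[15];  /* bytes after the fixed part */
    if (cmd > 1) return r;
    if (n < 16 + len) { r.status = PP2_NEED_MORE; return r; }  /* len 0: nothing more to read */
    r.consumed = 16 + len;
    /* LOCAL or UNSPEC: no usable addresses. Skip len bytes, keep the socket peer. */
    if (cmd == 0 || fam == 0) { r.status = PP2_NO_ADDR; return r; }
    if (fam != 1 || len < 12) return r;             /* src(4) dst(4) sport(2) dport(2) */
    memcpy(r.src_ip, buf + 16, 4);
    r.src_port = (uint16_t)((buf[24] << 8) | buf[25]);
    r.status = PP2_ADDR_V4;
    return r;
}

int main(void)
{
    struct pp2_info a = pp2_parse(SAMPLE_NO_ADDR, 16), b = pp2_parse(SAMPLE_PROXY_V4, 28);
    printf("no-address header: status=%d consumed=%zu\n", (int)a.status, a.consumed);
    printf("proxied client: %u.%u.%u.%u port %u\n", b.src_ip[0], b.src_ip[1],
           b.src_ip[2], b.src_ip[3], (unsigned)b.src_port);
    return 0;
}
```

On a TCP connection the length field decides how many more bytes to read after the 16-byte fixed part, so a length of 0 must be treated as a complete header rather than as a short read.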