Adding ecs is not suitable for public network vps servers #383

Open
liang-hiwin opened this issue May 3, 2024 · 17 comments · May be fixed by #389

Comments

@liang-hiwin

From the documentation, we know that when add is used to add ECS and ecs-address is left empty, the client's IP is used to make the request.

I need this changed so that when ecs-address is left empty, the client's ECS subnet IP is used to make the request.

add - Add an ECS option to a query. If there is one already it is replaced. If no ecs-address is provided, the address of the client is used (with ecs-prefix4 or ecs-prefix6 applied).
@folbricht
Owner

Not sure I understand the ask. Can you provide more details or an example? Is this about using a specific interface to send the DNS requests, or about adding something to the ECS record?

@liang-hiwin
Author

For example, use dig to attach ECS for testing:
dig a +subnet=211.139.5.0/24 @127.0.0.1 -p 5500 www.taobao.com
Normally the results of the above command should be 117.187.7.190 and 117.187.7.189, but the results I get in testing are the ones near my server.

@liang-hiwin
Author

liang-hiwin commented May 6, 2024

The normal value of CLIENT-SUBNET should not be 127.0.0.0/24/24, but 211.139.5.0/24.

@liang-hiwin
Author

The reproduction method is very simple. Use https://dns.google/dns-query (8.8.8.8) as the upstream of routedns, then run dig a +subnet=211.139.5.0/24 @127.0.0.1 -p 5500 www.taobao.com, where 5500 is the listening port of routedns. You will find that the resolution result is different from the result of directly requesting https://dns.google/query?name=www.taobao.com&rr_type=A&ecs=211.139.5.0%2F24.

@folbricht
Owner

folbricht commented May 7, 2024

Can you show me your config as well? Or at least the ECS part of it.

When I test with a plain config I'm getting the expected results.

$ dig a +subnet=211.139.5.0/24 @127.0.0.1 -p 1153 www.taobao.com

; <<>> DiG 9.18.24 <<>> a +subnet @127.0.0.1 -p 1153 www.taobao.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20275
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 211.139.5.0/24/24
;; QUESTION SECTION:
;www.taobao.com.			IN	A

;; ANSWER SECTION:
www.taobao.com.		600	IN	CNAME	www.taobao.com.danuoyi.tbcache.com.
www.taobao.com.danuoyi.tbcache.com. 60 IN A	117.187.7.190
www.taobao.com.danuoyi.tbcache.com. 60 IN A	117.187.7.189

;; Query time: 32 msec
;; SERVER: 127.0.0.1#1153(127.0.0.1) (UDP)
;; WHEN: Tue May 07 10:04:13 CEST 2024
;; MSG SIZE  rcvd: 216

@liang-hiwin
Author

Here:

#### BOOTSTRAP ####
[bootstrap-resolver]
protocol = "doh"
address = "https://223.5.5.5:443/dns-query"
#bootstrap-address = "223.5.5.5"

#### LISTENERS ####
[listeners.dns-udp]
address = ":5500"
protocol = "udp"
resolver = "ecs"

[listeners.dns-tcp]
address = ":5500"
protocol = "tcp"
resolver = "ecs"

# ECS
[groups.ecs]
type = "ecs-modifier"
resolvers = ["rrl"]
ecs-op = "add"
ecs-prefix4 = 24
ecs-prefix6 = 64

[groups.rrl]
type = "rate-limiter"
resolvers = ["cache"]
limit-resolver = "static-refused"
requests = 360
window = 60
prefix4 = 24
prefix6 = 64

[groups.static-refused]
type = "static-responder"
#rcode = 5                                                           # REFUSED
edns0-ede = { code = 15, text = "The number of requests has exceeded 360 per minute and will be released automatically after 1 minute." } # Valid codes defined in https://datatracker.ietf.org/doc/html/rfc8914

# Cache
[groups.cache]
type = "cache"
resolvers = ["ttl"]
cache-size = 4096
cache-negative-ttl = 60
cache-prefetch-trigger = 10
cache-prefetch-eligible = 20
gc-period = 60
cache-answer-shuffle = "round-robin"
cache-harden-below-nxdomain = true
cache-flush-query = "flush.cache."
#backend = { type = "memory", size = 100000, filename = "/opt/routedns/cache.json", save-interval = 60 }
backend = { type = "redis", redis-address = "10.10.10.12:6379", redis-db = 0, redis-key-prefix = "routedns-" }

# TTL
[groups.ttl]
type = "ttl-modifier"
resolvers = ["concurrent-dns"]
ttl-min = 10                   # 10 s
ttl-max = 180                  # 3 Minutes

# Block IP-DATA
[groups.blocklist-ip]
type = "response-blocklist-ip"
resolvers = ["concurrent-dns"]
filter = true
blocklist-refresh = 600
blocklist-source = [
	{ format = "cidr", source = "/opt/mosdns/rules/china_ip_list.txt" },
	{ format = "cidr", source = "/opt/routedns/white-ip.txt" },
]

# Internet
[resolvers.internet-udp]
protocol = "udp"
address = "127.0.0.1:35354"

[resolvers.internet-tcp]
protocol = "tcp"
address = "127.0.0.1:35354"

[groups.concurrent-dns]
resolvers = ["internet-udp", "internet-tcp"]
type = "round-robin"

# [groups.dns-logged]
# type = "syslog"
# resolvers = ["concurrent-dns"]
# network = "tcp"
# address = "127.0.0.1:514"
# priority = "debug"
# tag = "routedns"
# log-request = true
# log-response = true

@liang-hiwin
Author

5500 is the port of routedns; 35354 tests normally and is another DNS program.

@folbricht folbricht linked a pull request May 8, 2024 that will close this issue
@folbricht
Owner

I think I understand now. So you want to add only if there isn't an ECS option in the query from the client already. If so, can you try out the issue-383 branch and modify your config to this?

[groups.ecs]
type = "ecs-modifier"
resolvers = ["rrl"]
ecs-op = "add-if-missing"
ecs-prefix4 = 24
ecs-prefix6 = 64
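
What the two ecs-op settings do to a query, as an added example in Go. This is not routedns code (routedns is written in Go, but the block below uses only the standard library and does not reproduce its ecs-modifier). It encodes and parses the CLIENT-SUBNET option as RFC 7871 lays it out and applies the two behaviours discussed in the thread: add stamps the connecting client's address over an option the query already carries (dig talks to 127.0.0.1, which ecs-prefix4 = 24 turns into 127.0.0.0/24, the value in the screenshot), while add-if-missing keeps what the client sent. The semantics of add-if-missing are taken from the owner's description of the issue-383 branch; the names ECSOp, MustAddr, NewECS, Apply, Encode, Hex and Decode are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// ECSOp mirrors the ecs-op values from the thread: "add" always stamps the
// client's own address over whatever CLIENT-SUBNET the query carried, while
// "add-if-missing" (the issue-383 branch) keeps an option that is already there.
// The names come from the thread; the decision logic below is this example's own.
type ECSOp int

const (
	OpAdd ECSOp = iota
	OpAddIfMissing

	optionCodeECS = 8 // EDNS0 option code for CLIENT-SUBNET (RFC 7871)
)

// ECS is a decoded CLIENT-SUBNET option.
type ECS struct {
	Family       uint16 // 1 = IPv4, 2 = IPv6
	SourcePrefix uint8  // number of meaningful bits in Subnet
	ScopePrefix  uint8  // 0 in queries; filled in by the responder
	Subnet       netip.Prefix
}

func MustAddr(s string) netip.Addr { return netip.MustParseAddr(s) }

// NewECS truncates addr to prefixLen bits, which is what ecs-prefix4/ecs-prefix6
// do to the client address before it goes on the wire.
func NewECS(addr netip.Addr, prefixLen int) (ECS, error) {
	addr = addr.Unmap()
	p, err := addr.Prefix(prefixLen) // rejects prefixLen outside 0..address bits
	if err != nil {
		return ECS{}, err
	}
	fam := uint16(1)
	if addr.Is6() {
		fam = 2
	}
	return ECS{Family: fam, SourcePrefix: uint8(prefixLen), Subnet: p}, nil
}

// Apply is the ecs-modifier step for one query: existing is the option the
// client sent (nil when there was none), client is the address it arrived from.
func Apply(op ECSOp, existing *ECS, client netip.Addr, prefix4, prefix6 int) (ECS, error) {
	if op == OpAddIfMissing && existing != nil {
		return *existing, nil // keep what dig +subnet= (or a downstream resolver) supplied
	}
	plen := prefix4
	if client.Unmap().Is6() {
		plen = prefix6
	}
	return NewECS(client, plen) // "add": the client address wins even if an option was present
}

// Encode serialises the option as it sits inside OPT RDATA (RFC 7871 section 6):
// OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH,
// then only ceil(SOURCE/8) address bytes, bits past the prefix zeroed.
func (e ECS) Encode() []byte {
	n := (int(e.SourcePrefix) + 7) / 8
	out := make([]byte, 8+n)
	binary.BigEndian.PutUint16(out[0:], optionCodeECS)
	binary.BigEndian.PutUint16(out[2:], uint16(4+n))
	binary.BigEndian.PutUint16(out[4:], e.Family)
	out[6], out[7] = e.SourcePrefix, e.ScopePrefix
	copy(out[8:], e.Subnet.Addr().AsSlice()[:n]) // Subnet is masked, so trailing bits are 0
	return out
}

// Hex is Encode as a hex string, handy for comparing against a packet capture.
func (e ECS) Hex() string { return fmt.Sprintf("%x", e.Encode()) }

// Decode parses one option produced by Encode. A length that does not match the
// prefix, a prefix longer than the address family, or non-zero bits past the
// prefix is rejected; a resolver should answer FORMERR rather than forward it.
func Decode(b []byte) (ECS, error) {
	if len(b) < 8 || binary.BigEndian.Uint16(b[0:]) != optionCodeECS {
		return ECS{}, errors.New("ecs: not a CLIENT-SUBNET option")
	}
	fam, src, scope := binary.BigEndian.Uint16(b[4:]), b[6], b[7]
	size := map[uint16]int{1: 4, 2: 16}[fam]
	if size == 0 || int(src) > size*8 {
		return ECS{}, fmt.Errorf("ecs: bad family %d or source prefix %d", fam, src)
	}
	n := (int(src) + 7) / 8
	if int(binary.BigEndian.Uint16(b[2:])) != 4+n || len(b) != 8+n {
		return ECS{}, errors.New("ecs: option length does not match the prefix")
	}
	raw := make([]byte, size)
	copy(raw, b[8:])
	addr, _ := netip.AddrFromSlice(raw)
	p, err := addr.Prefix(int(src))
	if err != nil || p.Addr() != addr {
		return ECS{}, errors.New("ecs: bits beyond the source prefix must be zero")
	}
	return ECS{Family: fam, SourcePrefix: src, ScopePrefix: scope, Subnet: p}, nil
}

func main() {
	fromDig, _ := NewECS(MustAddr("211.139.5.0"), 24) // what dig +subnet=211.139.5.0/24 sends
	for _, op := range []ECSOp{OpAdd, OpAddIfMissing} {
		out, _ := Apply(op, &fromDig, MustAddr("127.0.0.1"), 24, 64)
		fmt.Printf("op=%d query-ecs=211.139.5.0/24 client=127.0.0.1 -> %s wire=%s\n", op, out.Subnet, out.Hex())
	}
}
```

The Decode checks are the part worth keeping in mind on a public listener: an option whose address bytes do not match the stated prefix length, or whose prefix exceeds the family size, should be refused rather than forwarded to the upstream, and add-if-missing by design trusts whatever subnet an anonymous client chooses to send.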

@liang-hiwin
Author

Thank you, wait a moment

@liang-hiwin
Author

liang-hiwin commented May 9, 2024

There is still a problem. When executing
dig a +subnet=211.139.5.0/24 @127.0.0.1 -p 5500 www.taobao.com
I got 117.187.7.190 and 117.187.7.189.
But when I changed to another ECS request I got the same result; for example, with
dig a +subnet=218.203.160.0/24 @127.0.0.1 -p 5500 www.taobao.com
you still get 117.187.7.190 and 117.187.7.189, when normally it should be 111.51.140.179 and 111.51.140.180.

@liang-hiwin
Author

liang-hiwin commented May 9, 2024

The value of CLIENT-SUBNET is randomly lost when requesting.

@folbricht
Owner

Not sure what happened in your case there. It looks like your dig didn't actually send the ECS option? If I run it here I get the IPs you mentioned.

$ dig a +subnet=218.203.160.0/24 @127.0.0.1 -p 5500 www.taobao.com

; <<>> DiG 9.18.24 <<>> a +subnet @127.0.0.1 -p 5500 www.taobao.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64245
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 218.203.160.0/24/24
;; QUESTION SECTION:
;www.taobao.com.			IN	A

;; ANSWER SECTION:
www.taobao.com.		147	IN	CNAME	www.taobao.com.danuoyi.tbcache.com.
www.taobao.com.danuoyi.tbcache.com. 27 IN A	111.51.140.180
www.taobao.com.danuoyi.tbcache.com. 27 IN A	111.51.140.179

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5500(127.0.0.1) (UDP)
;; WHEN: Fri May 10 10:19:27 CEST 2024
;; MSG SIZE  rcvd: 216

@liang-hiwin
Author

My upstream test here is normal, but when testing routedns, the value of CLIENT-SUBNET will occasionally be lost.

@folbricht
Owner

Does it only happen sometimes? Can you test without the cache? I wonder if that plays into this issue

@liang-hiwin
Author

Your thinking is the same as mine. ECS tests normally for me once the cache is not used.
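
Why a cache can produce exactly the symptom above (a different +subnet returns the previous client's answer, and the problem disappears once the cache group is taken out of the chain), as an added example in Go. It is not routedns code and makes no claim about how the routedns cache is keyed; it shows the two ways a cache can be keyed and what each does to ECS. upstream is a constructed stand-in for dns.google that returns the two answer sets from the dig output earlier in the thread and a documentation address (203.0.113.10) for everything else; Cache, NewCache, Resolve and the entry layout are the example's own. With ecsAware=false the key is the qname alone, so whoever queried first fixes the answer every later client gets until the entry expires; on a public listener that is a cross-client answer pollution problem, and a client that can send an arbitrary +subnet can trigger it on purpose. With ecsAware=true each answer is stored under the network implied by the upstream's SCOPE PREFIX-LENGTH and looked up by longest match, as RFC 7871 section 7.3 describes.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Answer is one upstream response. Scope is the SCOPE PREFIX-LENGTH the upstream
// put in its ECS reply: the answer is valid for every client inside the source
// subnet truncated to Scope bits, and 0 means "valid for anyone".
type Answer struct {
	IPs   []string
	Scope int
}

// upstream is a constructed stand-in for the real resolver (dns.google in the
// thread). The two targeted /24s and their answers are taken from the dig output
// in the thread; everything else gets a TEST-NET-3 documentation address.
func upstream(name string, client netip.Addr) Answer {
	switch {
	case netip.MustParsePrefix("211.139.5.0/24").Contains(client):
		return Answer{IPs: []string{"117.187.7.190", "117.187.7.189"}, Scope: 24}
	case netip.MustParsePrefix("218.203.160.0/24").Contains(client):
		return Answer{IPs: []string{"111.51.140.179", "111.51.140.180"}, Scope: 24}
	default:
		return Answer{IPs: []string{"203.0.113.10"}, Scope: 0}
	}
}

// entry ties a cached answer to the network it may be served to.
type entry struct {
	network netip.Prefix
	ans     Answer
}

// Cache keeps answers per qname. ecsAware=false keys on the qname alone, so the
// first client's subnet decides what every later client gets until the entry
// expires (which is what "a different +subnet returns the same IPs" looks like).
// ecsAware=true stores each answer under the network its scope implies and
// serves the longest matching one, as RFC 7871 section 7.3 describes.
type Cache struct {
	ecsAware bool
	entries  map[string][]entry
	Misses   int // upstream fetches, so hit/miss behaviour can be checked
}

func NewCache(ecsAware bool) *Cache {
	return &Cache{ecsAware: ecsAware, entries: map[string][]entry{}}
}

func (c *Cache) lookup(name string, client netip.Addr) (Answer, bool) {
	best, found := -1, Answer{}
	for _, e := range c.entries[name] {
		if !c.ecsAware {
			return e.ans, true // whatever was stored first, regardless of subnet
		}
		if e.network.Contains(client) && e.network.Bits() > best {
			best, found = e.network.Bits(), e.ans
		}
	}
	return found, best >= 0
}

// Resolve answers name for a client whose CLIENT-SUBNET option carries
// clientSubnet (the value dig sends with +subnet=).
func (c *Cache) Resolve(name, clientSubnet string) ([]string, error) {
	p, err := netip.ParsePrefix(clientSubnet)
	if err != nil {
		return nil, err
	}
	client := p.Masked().Addr()
	if ans, ok := c.lookup(name, client); ok {
		return ans.IPs, nil
	}
	c.Misses++
	ans := upstream(name, client)
	// Key on the network implied by the upstream's scope, capped at the bits the
	// client actually sent; a /0 scope becomes 0.0.0.0/0 and serves everyone.
	scope := ans.Scope
	if scope > p.Bits() {
		scope = p.Bits()
	}
	network, err := client.Prefix(scope)
	if err != nil {
		return nil, err
	}
	c.entries[name] = append(c.entries[name], entry{network: network, ans: ans})
	return ans.IPs, nil
}

func main() {
	for _, aware := range []bool{false, true} {
		c := NewCache(aware)
		for _, subnet := range []string{"211.139.5.0/24", "218.203.160.0/24"} {
			ips, _ := c.Resolve("www.taobao.com.", subnet)
			fmt.Printf("ecs-aware=%-5v +subnet=%-17s -> %v\n", aware, subnet, ips)
		}
	}
}
```

The check this suggests for the setup in the thread is the one the owner asked for: send the two +subnet queries back to back with the cache group in the chain and then without it, and compare not just the A records but the CLIENT-SUBNET line in the OPT pseudosection, since a cached reply carries whatever option the first query produced.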

@liang-hiwin
Author

I have now changed to another server. It does not have a proxy environment, and the cache test seems to be normal. Could it be that the proxy affects ECS?

@liang-hiwin
Author

Currently, when testing regular DNS and building an encrypted DNS server, empty resolution occurs. The same situation occurs when configuring content without any filtering.
