EDNS client subnet support for BIND

Vincent Bernat March 18, 2014

To provide geolocation-aware answers with BIND, a common solution is to use a patch adding GeoIP support. A client can be directed to the closest (and hopefully fastest) web server:

view "FRANCE" {
     match-clients { geoip_cityDB_country_FR; };
     zone "example.com" in {
         type master;
         file "france.example.com.dns";
     };
};
view "GERMANY" {
     match-clients { geoip_cityDB_country_DE; };
     zone "example.com" in {
         type master;
         file "germany.example.com.dns";
     };
};
/* […] */
view "DEFAULT" {
    zone "example.com" in {
        type master;
        file "example.com.dns";
    };
};

However, an end user does not usually talk directly to authoritative servers. They proxy the query to a third-party recursor server which will query the authoritative server on their behalf. The recursor also caches the answer to be able to serve it directly to other clients.

On most cases, we can still rely on the recursor GeoIP location to forward the client to the closest web server because it is located in the client’s ISP network, as shown on the following schema:

Query for www.example.com through an ISP recursor — Ideal case: the recursor is located close to the end user.

Juan is located in China and wants to know the IP address of www.example.com. She queries her ISP resolver.
The resolver asks the authoritative server for the answer.
Because the IP address of the resolver is located in China, the authoritative server decides to answer with the IP address of the web server located in Japan which is the closest one.
Juan can now enjoy short round-trips with the web server.

However, this is not the case when using a public recursor as provided by Google or OpenDNS. In this case, the IP address of the end client and the source IP address of the recursor may not share the same locality. For example, in the following schema, the authoritative server now thinks it is in relation with a European customer and answers with the IP address of the web server located in Europe:

Query for www.example.com through an open recursor — Worst case: the recursor queries the authoritative server through a remote node.

Moreover, caching makes the problem worse.

To solve this problem, a new EDNS extension to expose the client subnet has been proposed. When using this extension, the recursor will provide the client subnet to the authoritative server for it to build an optimized reply. The subnet is vague enough to respect client’s privacy but precise enough to be able to locate it. A patched version of dig allows one to make queries with this new extension:

$ geoiplookup 138.231.136.0
GeoIP Country Edition: FR, France
$ ./bin/dig/dig @dns-02.dailymotion.com www.dailymotion.com \
>     +client=138.231.136.0/24

; <<>> DiG 9.8.1-P1-geoip-1.3 <<>> @dns-02.dailymotion.com www.dailymotion.com +client=138.231.136.0/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23312
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 138.231.136.0/24/24
;; QUESTION SECTION:
;www.dailymotion.com.           IN      A

;; ANSWER SECTION:
www.dailymotion.com.    600     IN      A       195.8.215.136
www.dailymotion.com.    600     IN      A       195.8.215.137

;; Query time: 20 msec
;; SERVER: 188.65.127.2#53(188.65.127.2)
;; WHEN: Sun Oct 20 15:44:47 2013
;; MSG SIZE  rcvd: 91

$ geoiplookup 195.8.215.136
GeoIP Country Edition: FR, France

In the above example, a client located in France gets a reply with two IP addresses located in France. If we now are a US client, we will get IP addresses located in the US:

$ geoiplookup 170.149.100.0
GeoIP Country Edition: US, United States
$ ./bin/dig/dig @dns-02.dailymotion.com www.dailymotion.com \
>     +client=170.149.100.0/24

; <<>> DiG 9.8.1-P1-geoip-1.3 <<>> @dns-02.dailymotion.com www.dailymotion.com +client=170.149.100.0/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23187
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 170.149.100.0/24/24
;; QUESTION SECTION:
;www.dailymotion.com.           IN      A

;; ANSWER SECTION:
www.dailymotion.com.    600     IN      A       188.65.120.135
www.dailymotion.com.    600     IN      A       188.65.120.136

;; Query time: 18 msec
;; SERVER: 188.65.127.2#53(188.65.127.2)
;; WHEN: Sun Oct 20 15:47:22 2013
;; MSG SIZE  rcvd: 91

$ geoiplookup 188.65.120.135
GeoIP Country Edition: US, United States

The recursor is expected to cache the two different answers and only serve them if the client matches the appropriate subnet (the one confirmed in the answer from the authoritative server). With this new extension, the authoritative server knows that Juan is located in China and answers with the appropriate IP address:

Query for www.example.com through an open recursor with client subnet — Corrected case: the recursor queries the authoritative server through a remote node but provides the client subnet.

Not many authoritative servers support this extension (PowerDNS and gdnsd, as far as I know). At Dailymotion, we have built a patch for BIND.¹ It only works when BIND is configured as an authoritative server and it doesn’t expose any configuration knobs. Feel free to use it (at your own risk). ~~Once installed, you need to register yourself to OpenDNS and to Google to receive queries with the extension enabled.~~

The exact version of BIND for this patch is 9.8.1-p1 with the matching geoip patch. You also need to apply the patch for dig. ↩︎