Some customers choose to have their internal corporate DNS servers forward DNS requests to the load balancer's DNS virtual services when the request is for a subdomain serviced by the load balancer.
If a topology policy or geolocation policy based on the original client's source IP address is configured, this may not work as expected.
When a DNS request is forwarded to another DNS server, the forwarded request will then have the source IP address of the forwarding DNS server, not the IP address of the original client.
In order to see the source IP address of the original client, there are two options.
1) Configure the forwarding DNS server to insert the ECS (EDNS Client Subnet) information (if supported).
ECS is an extension of EDNS which some DNS servers do not support.
Next make sure the Application Profile used by the DNS virtual service has the "Process EDNS Extensions" option checked.
Further details on this setting are mentioned in the following KB:
https://docs.vmware.com/en/VMware-Avi-Load-Balancer/30.2/Configuration-Guide/GUID-AA278E34-4F3F-4121-AE16-0FA33950DB2B.html
If the ECS information is being sent in the request, you will see information for "Client subnet" in the DNS request when looking at the DNS virtual service connection logs.
2) If ECS is not available, the other option would be to have the clients query the Avi DNS virtual service first. Then, if the request is not for an FQDN serviced by the load balancer, it will get sent to the upstream DNS server.
This will allow the load balancer to see the original client's source IP address.
You can send test requests with ECS information inserted by using the "dig" command.
Further details on ECS and how to test ECS can be found at the following link:
https://packetpushers.net/blog/embedding-client-ip-in-dns-requests-edns-client-subnet-ecs/
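As an added example (not from this KB or from the Avi product), the Python below builds a DNS query carrying the ECS option that a forwarder with ECS enabled would insert, and then extracts the client subnet from it the way a DNS service that processes EDNS extensions would, which is the value shown as "Client subnet" in the logs. The query name and subnets are constructed sample values.

```python
# Constructed example, not Avi code: build and parse an EDNS Client Subnet (RFC 7871) query.
import struct
import ipaddress

OPT_RR_TYPE, ECS_OPTION_CODE = 41, 8  # EDNS(0) OPT pseudo-RR type, Client Subnet option code

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_ecs_option(subnet):
    # family 1 = IPv4, 2 = IPv6; the address is truncated to the bytes covered by the prefix
    net = ipaddress.ip_network(subnet, strict=False)
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", 1 if net.version == 4 else 2, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def build_query(qname, client_subnet=None, txid=0x1234):
    # Standard A/IN query with RD set; an OPT RR goes in the additional section if ECS is given
    arcount = 1 if client_subnet else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    if client_subnet:
        rdata = build_ecs_option(client_subnet)
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(rdata)) + rdata
    return msg

def skip_name(buf, off):
    while buf[off] and buf[off] & 0xC0 != 0xC0:  # walk labels until root label or pointer
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)

def extract_client_subnet(msg):
    """Return 'addr/prefix' from the ECS option, or None if the query carries none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off, p = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == OPT_RR_TYPE and p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            odata, p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            if code == ECS_OPTION_CODE:
                family, src_prefix, _scope = struct.unpack("!HBB", odata[:4])
                addr = odata[4:].ljust(4 if family == 1 else 16, b"\x00")
                return f"{ipaddress.ip_address(addr)}/{src_prefix}"
    return None
```

A query built without a client subnet yields None, which is what a DNS virtual service would see from a forwarder that does not insert ECS.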