{"id":2000,"date":"2018-01-18T06:13:14","date_gmt":"2018-01-18T06:13:14","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=2000"},"modified":"2018-01-18T06:13:14","modified_gmt":"2018-01-18T06:13:14","slug":"client-subnet-in-dns-requests","status":"publish","type":"post","link":"http:\/\/www.mtin.net\/blog\/client-subnet-in-dns-requests\/","title":{"rendered":"Client subnet in DNS requests"},"content":{"rendered":"<p>Some Light Reading:<br \/>\n<a href=\"https:\/\/tools.ietf.org\/html\/draft-vandergaast-edns-client-subnet-00\">https:\/\/tools.ietf.org\/html\/draft-vandergaast-edns-client-subnet-00<\/a><\/p>\n<pre class=\"newpage\">Many Authoritative nameservers today return different replies based\r\n   on the perceived topological location of the user.  These servers use\r\n   the IP address of the incoming query to identify that location.\r\n   Since most queries come from intermediate recursive resolvers, the\r\n   source address is that of the recursive rather than of the query\r\n   originator.\r\n\r\n   Traditionally and probably still in the majority of instances,\r\n   recursive resolvers are reasonably close in the topological sense to\r\n   the stub resolvers or forwarders that are the source of queries.  For\r\n   these resolvers, using their own IP address is sufficient for\r\n   authority servers that tailor responses based upon location of the\r\n   querier.\r\n\r\n   Increasingly though a class of remote recursive servers has arisen\r\n   that serves query sources without regard to topology.  The motivation\r\n   for a query source to use a remote recursive server varies but is\r\n   usually because of some enhanced experience, such as greater cache\r\n   security or applying policies regarding where users may connect.\r\n   (Although political censorship usually comes to mind here, the same\r\n   actions may be used by a parent when setting controls on where a\r\n   minor may connect.)  
When using a remote recursive server, there can\r\n   no longer be any assumption of close proximity between the originator\r\n   and the recursive, leading to less than optimal replies from the\r\n   authority servers.\r\n\r\n   A similar situation exists within some ISPs where the recursive\r\n   servers are topologically distant from some edges of the ISP network,\r\n   resulting in less than optimal replies from the authority servers.\r\n\r\n   This draft defines an EDNS0 option to convey network information that\r\n   is relevant to the message but not otherwise included in the\r\n   datagram.  This will provide the mechanism to carry sufficient\r\n   network information about the originator for the authority server to\r\n   tailor responses.  It also provides for the authority server to\r\n   indicate the scope of network addresses that the tailored answer is\r\n   intended.  This EDNS0 option is intended for those recursive and\r\n   authority servers that would benefit from the extension and not for\r\n   general purpose deployment.  It is completely optional and can safely\r\n   be ignored by servers that choose not to implement it or enable it.\r\n\r\n   This draft also includes guidelines on how to best cache those\r\n   results and provides recommendations on when this protocol extension\r\n   should be used.<\/pre>\n<p>For those of you running BIND here is some practical information<br \/>\n<a href=\"https:\/\/ftp.isc.org\/isc\/dnssec-guide\/html\/dnssec-guide.html#whats-edns0-all-about\">https:\/\/ftp.isc.org\/isc\/dnssec-guide\/html\/dnssec-guide.html#whats-edns0-all-about<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some Light Reading: https:\/\/tools.ietf.org\/html\/draft-vandergaast-edns-client-subnet-00 Many Authoritative nameservers today return different replies based on the perceived topological location of the user. These servers use the IP address of the incoming query to identify that location. 
Since most queries come from intermediate recursive resolvers, the source address is that of the recursive rather than of the query [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[2],"tags":[199,40,510],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-wg","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2000"}],"collection":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=2000"}],"version-history":[{"count":1,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2000\/revisions"}],"predecessor-version":[{"id":2001,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2000\/revisions\/2001"}],"wp:attachment":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=2000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/cat
egories?post=2000"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=2000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}