Issue between DnsDist and Unbound 1.17 using PROXYv2

Hello best,

We don't know about you guys, but we tried to connect DnsDist to Unbound using the PROXYv2 protocol, and we only get the IP of the DnsDist server instead of the original IP of the client PC.

  • Linux Debian 10
  • DnsDist 1.7.2
  • Unbound 1.17.0rc1

Client IP: 10.0.0.4

DnsDist conf (IP: 10.0.0.10):
newServer({
  address="10.0.0.11:8053",
  useProxyProtocol=true
})

Unbound conf (IP: 10.0.0.11):
interface: 10.0.0.11@8053
proxy-protocol-port: 8053

In the Unbound log file we see 10.0.0.10 instead of 10.0.0.4.

We surely miss a point here; any help/trick will be welcome, thanks.

Hi David,

I have tried with dnsdist 1.7.1 and I can't reproduce the issue. Haven't tested with 1.7.2 so I can't comment on that.

A couple of things that may help:
- Unbound will still log 10.0.0.10 for log messages that have to do with network connectivity;
- Queries from dnsdist itself (i.e., health check queries) provide no proxy address information, so dnsdist (10.0.0.10) is the actual client for those queries;
- An easy way to see what is happening wrt client addresses is to enable 'log-queries: yes' and 'log-replies: yes', and bring down 'verbosity: 0';
- There is also an example program if you want to get dnsdist outside of the troubleshooting chain. You can 'make streamtcp' and then use something like './streamtcp -u -f 10.0.0.11@8053 -p 10.0.0.4 nlnetlabs.nl A IN' from the Unbound machine to simulate your setup.

Hope that is useful for now.

As a last note, while looking around, I did identify a bug when reading the PROXYv2 header on TCP connections when no addresses are provided. dnsdist does that for health check queries. I don't think you were hitting that bug though, since the bug results in error messages and no replies.
The fix is committed in the release branch:
https://github.com/NLnetLabs/unbound/tree/branch-1.17.0

Best regards,
-- George
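As an added illustration (not code from the thread, from dnsdist or from Unbound), here is a minimal Python parser for the PROXYv2 header that a resolver has to read before the DNS message. It covers the two situations George distinguishes: a PROXY header carrying the real client address (10.0.0.4), and a header with no addresses, as for health-check queries, where the peer itself (dnsdist) is the real client. The header bytes, ports and the stub DNS query are constructed here; encoding the "no addresses" case as the LOCAL command with an empty address block is an assumption about how that header looks on the wire.

```python
import socket
import struct

PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte PROXYv2 signature
HEADER_LEN = 16                              # signature + ver/cmd + fam/proto + addr length

def parse_proxy_v2(data):
    """Parse a PROXYv2 header at the start of `data`.

    Returns (info, payload): info holds the command and client/target
    addresses, payload is the DNS message that follows the header.
    """
    if len(data) < HEADER_LEN or data[:12] != PROXY_V2_SIG:
        raise ValueError("not a PROXYv2 header")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < HEADER_LEN + addr_len:
        raise ValueError("truncated PROXYv2 header")
    addrs = data[HEADER_LEN:HEADER_LEN + addr_len]
    payload = data[HEADER_LEN + addr_len:]
    info = {"command": "PROXY" if (ver_cmd & 0x0F) == 1 else "LOCAL",
            "src": None, "dst": None}
    # No addresses carried (LOCAL command or UNSPEC family): the peer that
    # sent the header is the real client. This is the health-check case the
    # thread mentions, so return before touching the (empty) address block.
    if info["command"] == "LOCAL" or (fam_proto >> 4) == 0:
        return info, payload
    family = fam_proto >> 4
    if family == 1:                       # AF_INET: 4+4 address bytes, 2+2 port bytes
        if addr_len < 12:
            raise ValueError("short IPv4 address block")
        src, dst, sport, dport = struct.unpack("!4s4sHH", addrs[:12])
        af = socket.AF_INET
    elif family == 2:                     # AF_INET6: 16+16 address bytes, 2+2 port bytes
        if addr_len < 36:
            raise ValueError("short IPv6 address block")
        src, dst, sport, dport = struct.unpack("!16s16sHH", addrs[:36])
        af = socket.AF_INET6
    else:
        raise ValueError("unsupported address family")
    info["src"] = (socket.inet_ntop(af, src), sport)
    info["dst"] = (socket.inet_ntop(af, dst), dport)
    return info, payload

# Constructed samples: stub DNS query, a PROXY/AF_INET/UDP (0x21, 0x12) header
# for client 10.0.0.4 -> 10.0.0.11:8053, and a LOCAL header with no addresses.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
CLIENT_HDR = (PROXY_V2_SIG + bytes([0x21, 0x12]) + struct.pack("!H", 12)
              + socket.inet_aton("10.0.0.4") + socket.inet_aton("10.0.0.11")
              + struct.pack("!HH", 40000, 8053))
LOCAL_HDR = PROXY_V2_SIG + bytes([0x20, 0x00]) + struct.pack("!H", 0)
```

Running `parse_proxy_v2(CLIENT_HDR + DNS_QUERY)` yields the client tuple `("10.0.0.4", 40000)`, while the LOCAL sample yields `src` of `None`, which is the case where logging the peer address (10.0.0.10) is the correct behaviour.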

Thanks George,

I will investigate; I'm closing the discussion.