GEO: Ignore ECS for Public/Private Decisions
- Last Updated: November 7, 2023
Extended DNS (EDNS) Client Subnet (ECS) is a GEO feature introduced in LMOS 7.2.57.0. It uses a field in Extended DNS packets that carries a client subnet value set by the client, which gives a better geographic location for the client than earlier versions of DNS without this capability.
Problem: When ECS in 7.2.57.0 is enabled, an incoming request that contains an ECS value always uses the ECS field value (not the source IP of the request) to determine whether a public or private IP should be returned to the client. With the default Public and Private address settings, a private address is returned to the client that is likely not reachable from the client's network.
Example: A client with a private IP address on Site A makes a DNS request to the local DNS server which forwards it to a public DNS server and then on to GEO. If all hops support ECS, then GEO sees the private IP address/subnet in the ECS field and so returns a private IP address. The client, however, will be unable to reach the expected application using that address.
Solution: The desired behavior is that GEO would instead use the source IP address of the request (which will be the last-hop public DNS server) to determine whether to return a public or private address.
- Change the ECS default behavior so that ECS is ignored and the source IP is checked when the public/private settings are not both set to “all sites”.
- Provide a per-FQDN switch that allows the customer to opt out of this new default behavior and honor the ECS value instead.
The settings and the corresponding behavior are summarized in the table below.
| ECS Setting | Public & Private Settings | Public / Private Behavior Determined By … | New FQDN Option Effect when Enabled |
|---|---|---|---|
| OFF | Any | Request source IP | When ECS is disabled, the new option is ignored. |
| ON | != "all sites" | Request source IP (ECS ignored) | The new FQDN option overrides the behavior at left, so that the request ECS value is used. |
| ON | = "all sites" (both) | Request ECS value (source IP ignored) | When the Public & Private settings are both "All Sites", the new option is ignored. |
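The decision logic in the table, worked through for the Site A scenario above, as an added Python example that is not part of the LoadMaster documentation. The setting names, the per-FQDN option name, the RFC 1918 definition of "private", the fallback to source IP for requests without an ECS option, and the sample addresses are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed sample values for the Site A scenario: the client's RFC 1918
# subnet as carried in the ECS option, and the public last-hop resolver whose
# address GEO sees as the request source IP.
ECS_SUBNET = "10.1.2.0/24"
LAST_HOP_RESOLVER = "203.0.113.53"   # documentation range, treated here as public

# Assumption: "private" means RFC 1918 space. LoadMaster's own public/private
# site classification is configurable and may differ from this.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr_or_net: str) -> bool:
    """True if an IPv4 address or CIDR lies inside RFC 1918 space."""
    net = ip_network(addr_or_net, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


@dataclass
class GeoSettings:
    ecs_enabled: bool        # the GEO-wide ECS feature switch
    both_all_sites: bool     # Public and Private settings both set to "all sites"
    honor_ecs: bool = False  # the per-FQDN opt-out option (hypothetical name)


def decided_by(cfg: GeoSettings, ecs_subnet: Optional[str]) -> str:
    """Which request value drives the public/private decision, per the table."""
    if not cfg.ecs_enabled or ecs_subnet is None:
        return "source-ip"                 # ECS off (or no ECS option, assumed)
    if cfg.both_all_sites:
        return "ecs"                       # both "all sites": FQDN option ignored
    return "ecs" if cfg.honor_ecs else "source-ip"   # new default vs. opt-out


def answers_private(cfg: GeoSettings, source_ip: str, ecs_subnet: Optional[str]) -> bool:
    """True when GEO would hand this request a private address."""
    value = ecs_subnet if decided_by(cfg, ecs_subnet) == "ecs" else source_ip
    return is_private(value)


if __name__ == "__main__":
    legacy = GeoSettings(ecs_enabled=True, both_all_sites=False, honor_ecs=True)
    fixed = GeoSettings(ecs_enabled=True, both_all_sites=False)
    for name, cfg in (("7.2.57.0 behaviour", legacy), ("new default", fixed)):
        print(name, "-> private answer:", answers_private(cfg, LAST_HOP_RESOLVER, ECS_SUBNET))
```

Run as a script it shows the legacy configuration returning a private (unreachable) answer for the Site A request and the new default returning a public one.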