This section focuses on how EDNS and the ECS option work with Avi Load Balancer DNS.

Enabling EDNS on the Avi Load Balancer DNS Virtual Service

The Avi Load Balancer DNS virtual service can directly profit from the information in OPT RR and the ECS option while acting as an authoritative DNS. To have it parse that information and append EDNS extension information into the client logs, check the Process EDNS Extensions box in the Avi Load Balancer UI as shown in the screenshot below, or set the corresponding EDNS parameter to True in the Avi Load Balancer CLI.

Case 1: Avi Load Balancer DNS Virtual Service is Authoritative, OPT RR + ECS Option is Received

In addition to selecting the Process EDNS Extensions check box, make sure a list of authoritative domain names is given. For instance, in the below Avi Load Balancer CLI sequence:

configure applicationprofile System-DNS
dns_service_profile
authoritative_domain_names avi.com
authoritative_domain_names foo.com
save
save

Assume the inbound DNS request in the below image is for one of the following domains:

  • The client system sends a traditional DNS query to its DNS resolver. Note that the request it sends contains neither an OPT RR nor an ECS option.

  • Based on the source address of the client, the DNS resolver may amend the DNS query it receives. It does this to enable the authoritative DNS to respond in a more informed way, that is, based on the address of the client, as opposed to the source IP of the DNS resolver itself.

  • The Avi Load Balancer DNS forms the response based on address information it finds within the ECS option.

Case 2: Avi Load Balancer DNS Virtual Service is not Authoritative, OPT RR + ECS Option is Received

In contrast to Case 1, the image below shows a query for which the Avi Load Balancer DNS virtual service is not authoritative. If a DNS server pool has been defined for the Avi Load Balancer DNS virtual service, the request will be passed through to it. The client subnet address information incorporated in the ECS option of the forwarded request depends on two values:

  1. The value of the subnet prefix length parameter contained within the ECS option attached and sent by the DNS resolver.

  2. edns_client_subnet_prefix_len, an Avi Load Balancer DNS virtual service application profile parameter set by the administrator through the CLI. Its value ranges between 1 and 32.

Either prefix length is interpreted in two ways:

  1. It indicates the leading number of address bits after which all address bits are zero.

  2. When rounded up to an integer multiple of eight bits, it specifies the number of octets needing to be passed.

For instance, a prefix length of 19 implies the following about the subnet:

  • Bits 20 through 32 in the subnet address are zero.

  • 24 bits, that is, three octets to be passed to identify the subnet. A fourth octet would be superfluous.

When passing the ECS option through the DNS server, the Avi Load Balancer DNS virtual service will ensure the client subnet address is governed by the lesser of the two prefix lengths.

  • If the incoming subnet prefix length is less than the value of the Avi Load Balancer DNS’s edns_client_subnet_prefix_len parameter, the ECS option will be untouched as it passes through.

  • If the incoming subnet prefix length, for instance, 26, is greater than the value of the Avi Load Balancer DNS’s edns_client_subnet_prefix_len parameter, for instance, 16, Avi Load Balancer will zero out some incoming bits, for instance, 10 in this case, and, if the lengths are sufficiently far apart, forward fewer octets, for instance, 2 not 4 to the DNS server.

Case 3: Avi Load Balancer DNS Virtual Service is not Authoritative, neither OPT RR nor ECS Option is Received

The image below shows a DNS request arriving from the DNS resolver with no EDNS information. In addition, the DNS request is for a domain for which the Avi Load Balancer DNS is not authoritative. As a result, a pass-through is required. In this case, the Avi Load Balancer DNS virtual service will create an OPT RR, and, for the ECS option, insert a client subnet address with 1 to 4 octets and an appropriate number of trailing zeroes, as mentioned above.

EDNS Option Enabled by Default

The EDNS option is enabled by default for the System-DNS profile. If Avi Load Balancer is upgraded from an older version, EDNS is deselected by default in the existing DNS profile. However, if a new DNS profile is created on the same Avi Load Balancer Controller, EDNS is selected by default.

Execute the show application profile <profile name> command to check the value for the EDNS flag which is set to True as shown below:

[admin:10-155-1-175]: > show applicationprofile DNS_profile1

| uuid | applicationprofile-104c53ff-eca7-4fed-9480-33e00c23bf8b |

| name | new -DNS|

| type | APPLICATION_PROFILE_TYPE_DNS |

| dos_rl_profile | |

| dos_profile | |

| thresh_period | 5 sec |

| dns_service_profile | |

| num_dns_ip | 1 |

| ttl | 30 sec |

| error_response | DNS_ERROR_RESPONSE_NONE |

| edns | True |

The Process EDNS Extensions is the option available for the EDNS feature on Avi Load Balancer Controller UI.

  1. To check the option, navigate to Templates > Profiles > Application, and select the desired DNS profile or the System-DNS profile as required.

  2. Enable the check box for Process EDNS Extensions if the option is deselected.



ECS Information in Response

Avi Load Balancer supports ECS information in the response. If a DNS request from the client contains ECS information and the application profile has Process EDNS Extensions selected, Avi Load Balancer Controller DNS for SE generated responses will add the ECS information to the response. Scope prefix length in response will be equal to source prefix length in the request.