Table Based Proxy Mapping

Starting with version 4.7.0, the PowerDNS Recursor has the ability to map source IP addresses to alternative addresses, which is for example useful when some clients reach the recursor via a reverse-proxy. The mapped address is used internally for ACL and similar checks. If the proxy-protocol-from is also used, the substitution is done on the source address specified in the proxy protocol header.

Depending on context, the incoming address can be

The interface address I
the source network interface address of the client
The source address S
the source address as specified in the Proxy protocol
The mapped address M
the source address mapped by Table Based Proxy Mapping

S equals I if no Proxy Protocol is used.

M equals S if no Table Based Proxy Mapping is used.

I determines if the Proxy Protocol is used (proxy-protocol-from).

S is passed to Lua functions and RPZ processing

M is used for incoming ACL checking (allow-from) and to determine the ECS processing (ecs-add-for).

An example use:

addProxyMapping("127.0.0.0/24", "203.0.113.1")
domains = { "example.com", "example.net" }
addProxyMapping("10.0.0.0/8", "203.0.113.2", domains)

The following function is available to configure table based proxy mapping. Reloading the Lua configuration will replace the current configuration with the new one. If the subnets specified in multiple addProxyMapping() calls overlap, the most specific one is used. By default, the address before mapping S is used for internal logging and Protobuf messages. See protobufServer() on how to tune the source address logged in Protobuf messages.

addProxyMapping(subnet, ip[, domains])

New in version 4.7.0.

New in version 5.1.0: Alternative equivalent YAML setting: incoming.proxymappings.

Specify a table based mapping for a subnet.

Parameters:
  • subnet (string) – a subnet to match
  • ip (string) – the IP address or IPaddress port combination to match the subnet to.
  • domains (array) – An array of strings used to fill a DNS Suffix Match Group.

If the optional domains argument is given to this function, only queries for names matching the DNS Suffix Match Group will use the value M to determine the outgoing ECS; other queries will use the value S. The ACL check will be done against the mapped address M for all queries, independent of the name queried. If the domains argument is absent, no extra condition (apart from matching the subnet) applies to determine the outgoing ECS value.