What is dnspython-clientsubnetoption?
EDNS-client-subnet is an open IETF proposed standard which helps better direct content to users thereby decreasing latency, decreasing congestion, increasing transfer speeds and helping the Internet to scale faster and further. You can find more information on the Faster Internet project's site:
http://www.afasterinternet.com/
dnspython-clientsubnetoption is a python class written by OpenDNS that adds edns-client-subnet support to dnspython.
This allows one to test support for edns-client-subnet by directly sending DNS queries to a given authoritative nameserver containing clientsubnet data, and then testing the response for proper support.
While this library/tool has been found to be useful and we encourage its use for testing edns-client-subnet, OpenDNS does not offer any official support for this tool.
Setup
Install dnspython on your system
You must have dnspython 1.10.0 or later. No previous versions have been tested! All instructions here should get you at least 1.10.0.
Mac OS X w/ MacPorts
sudo port install python27 py27-dnspython
sudo port select python python27
Debian
If you are using squeeze then you need to install using easy_install or pip. Otherwise:
apt-get install python-dnspython
pip
pip is the replacement for easy_install. It lets you do stuff like uninstall python packages.
pip install dnspython
easy_install
easy_install dnspython
Otherwise
Get the source from dnspython or the github repo and install according to best practices.
Install OpenDNS's EDNS Check Script
git clone git://github.com/opendns/dnspython-clientsubnetoption.git
Optional: Disable checks for draft option code
The draft option code is no longer supported by OpenDNS. You can disable the checks for this code by commenting out the following lines at the bottom of clientsubnetoption.py:
# CheckForClientSubnetOption(addr, args, DRAFT_OPTION_CODE)
# print >> sys.stderr
CheckForClientSubnetOption(addr, args, ASSIGNED_OPTION_CODE)
Usage
usage: clientsubnetoption.py [-h] [-s SUBNET] [-m MASK] [--timeout TIMEOUT] [-t TYPE] nameserver rr
draft-vandergaast-edns-client-subnet-01 tester
positional arguments:
  nameserver            The nameserver to test
  rr                    DNS record that should return an EDNS enabled response
optional arguments:
  -h, --help            show this help message and exit
  -s SUBNET, --subnet SUBNET
                        Specifies an IP to pass as the client subnet.
  -m MASK, --mask MASK  CIDR mask to use for subnet
  --timeout TIMEOUT     Set the timeout for query to TIMEOUT seconds, default=10
  -t TYPE, --type TYPE  DNS query type, default=A
Be sure to run this twice: once with an IPv4 SUBNET, and once with an IPv6 SUBNET. OpenDNS requires that both transports be supported.
Note that the MASK will default to /24 for IPv4 SUBNETs, and /48 for IPv6 SUBNETs.
The output will either be Success! or an error message.
- Success!
  Indicates that we received an EDNS clientsubnet enabled response and everything checks out.
- Timeout: No answer received from NAMESERVER_TO_TEST
  The tested nameserver does not appear to be responding to DNS queries at all.
- Warning: scope indicates edns-clientsubnet data is not used
  EDNS clientsubnet specifies that an authoritative host must return data indicating whether the passed subnet information was used. If it was, the authoritative server should respond with a SCOPE. The SCOPE will be lower than the passed netmask if the server could have made the match using fewer bits. It will be higher if the server could have given a better match with more bits. It will be exactly equal if just the right amount of information was passed or the server really didn't care. The SCOPE should only be 0 if the server is not using the information at all! OpenDNS does not whitelist authoritative nameservers which are not actively using the passed data.
  Exception: Nameservers may return a 0 scope for one transport but not the other, e.g., it is acceptable for responses to queries with an IPv6 client address to have a SCOPE of 0, as long as responses to queries with an IPv4 client address have a non-zero SCOPE.
- Failed: No ClientSubnetOption returned
  We received a DNS response without any EDNS clientsubnet information.
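The option payload and the SCOPE outcomes above, as an added Python 3 example that is not code from clientsubnetoption.py and uses only the standard library. The function names and the "does not echo" message are this example's own assumptions; the layout assumed is a 2-byte family, 1-byte source mask, 1-byte scope, then the address truncated to the mask.

```python
import ipaddress
import struct

DEFAULT_MASK = {4: 24, 6: 48}  # defaults stated above: /24 for IPv4, /48 for IPv6
FAMILY = {4: 1, 6: 2}          # address family numbers carried in the option


def pack_ecs(subnet, mask=None, scope=0):
    """Build the option payload: family, source mask, scope, truncated address."""
    ip = ipaddress.ip_address(subnet)
    mask = DEFAULT_MASK[ip.version] if mask is None else mask
    if not 0 <= mask <= ip.max_prefixlen:
        raise ValueError("mask out of range for address family")
    shift = ip.max_prefixlen - mask
    kept = (int(ip) >> shift) << shift  # zero every bit past the mask
    addr = kept.to_bytes(ip.max_prefixlen // 8, "big")[: (mask + 7) // 8]
    return struct.pack("!HBB", FAMILY[ip.version], mask, scope) + addr


def unpack_ecs(data):
    """Parse a payload into (family, mask, scope, address), rejecting bad lengths."""
    if len(data) < 4:
        raise ValueError("option shorter than its fixed header")
    family, mask, scope = struct.unpack("!HBB", data[:4])
    if family not in (1, 2):
        raise ValueError("unknown address family")
    maxlen = 32 if family == 1 else 128
    if mask > maxlen or scope > maxlen or len(data) - 4 != (mask + 7) // 8:
        raise ValueError("mask, scope or address length is inconsistent")
    return family, mask, scope, data[4:]


def classify(sent, received):
    """Map a response option (or None) onto the outcomes listed above."""
    if received is None:
        return "Failed: No ClientSubnetOption returned"
    s_fam, s_mask, _, s_addr = unpack_ecs(sent)
    r_fam, r_mask, r_scope, r_addr = unpack_ecs(received)
    if (r_fam, r_mask, r_addr) != (s_fam, s_mask, s_addr):
        return "Failed: response does not echo the subnet that was sent"
    if r_scope == 0:
        return "Warning: scope indicates edns-clientsubnet data is not used"
    return "Success!"


if __name__ == "__main__":
    query = pack_ecs("192.0.2.77")            # constructed sample query option
    reply = pack_ecs("192.0.2.77", scope=20)  # constructed sample response option
    print(classify(query, reply))
```

Because the address is truncated to the mask before sending, host bits of the SUBNET never leave the machine running the test.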