Unbound in a 2-tier resolver architecture

[Frederik Pettai]

Hi,

I don’t know how common it is to run a 2-tier resolver architecture based on unbound, but some bigger user(s) has already written about that previously, for instance: https://www.mail-archive.com/unbound-users@nlnetlabs.nl/msg00786.html

One of the (classic) problem with a 2-tier setup is that the original source IP is not reported to the second tier (backend). But there are some possible solutions for that, for instance the use of ECS or XPF. 

As for unbound;

I don’t think there is way of turning on additional logging of the ECS in those logs where the client source IP is logged? The man page doesn’t mention much about ECS logging, and I haven’t manage to get something out of the higher verbosity levels.

XPF doesn’t seem supported at all

Just recently, dnsdist announced the availability of dnsdist 1.5.0 alpha1:
https://mailman.powerdns.com/pipermail/dnsdist/2020-March/000799.html
One of the new features is a proxy protocol that is intended to replace the above mentioned solutions.

I guess the main question is, if and how, unbound would or could solve the problem statement above?

One could argue that query logging and correlation would be a solution to the above too, but it would be much simpler and more convinient if the regular logs (warnings etc.) could supply all data available from the incoming query (for example; the new RPZ logging, rate limiting warnings etc.)

Personally, I’d be happy if the regular logging could append any supplied ECS-data (where applicable), but in the long term, perhaps that’s not the best or optimal solution…

Re,
/P