Configure unbound to send correct ECS like Google Public DNS

Igor Sverkos igor.sverkos at gmail.com
Tue Aug 9 15:19:03 UTC 2022 

Hi,

a simple query like

  $ dig +nocomment TXT whoami.ds.akahelp.net @8.8.8.8

will output

  ;; global options: +cmd
  ;whoami.ds.akahelp.net.         IN      TXT
  whoami.ds.akahelp.net.  20      IN      TXT     "ecs" "217.88.103.0/24/24"
  whoami.ds.akahelp.net.  20      IN      TXT     "ip" "217.88.103.14"
  whoami.ds.akahelp.net.  20      IN      TXT     "ns" "172.217.45.194"
  ;; Query time: 43 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Tue Aug 09 16:46:06 W. Europe Summer Time 2022
  ;; MSG SIZE  rcvd: 139

When I do the same against our local unbound resolver, i.e.

  $ dig +nocomment TXT whoami.ds.akahelp.net @192.168.0.1

the output will be just

  ; <<>> DiG 9.16.29 <<>> +nocomment TXT whoami.ds.akahelp.net
  ;; global options: +cmd
  ;whoami.ds.akahelp.net.         IN      TXT
  whoami.ds.akahelp.net.  6       IN      TXT     "ns" "217.88.103.14"
  ;; Query time: 0 msec
  ;; SERVER: 192.168.0.1#53(10.1.0.2)
  ;; WHEN: Tue Aug 09 16:37:36 W. Europe Summer Time 2022
  ;; MSG SIZE  rcvd: 78

So unbound is not sending EDNS query. If I add

  server:
          send-client-subnet: 0.0.0.0/0
          send-client-subnet: ::0/64

to my unbound.conf, response will look like

  ; <<>> DiG 9.16.29 <<>> +nocomment TXT whoami.ds.akahelp.net
  ;; global options: +cmd
  ;whoami.ds.akahelp.net.         IN      TXT
  whoami.ds.akahelp.net.  20      IN      TXT     "ip" "217.88.103.14"
  whoami.ds.akahelp.net.  20      IN      TXT     "ns" "217.88.103.14"
  whoami.ds.akahelp.net.  20      IN      TXT     "ecs" "192.168.0.0/24/24"
  ;; Query time: 165 msec
  ;; SERVER: 192.168.0.1#53(192.168.0.1)
  ;; WHEN: Tue Aug 09 17:06:43 W. Europe Summer Time 2022
  ;; MSG SIZE  rcvd: 137

While unbound is now doing EDNS queries, unbound is sending my local
subnet (192.168.0.0/24) whereas Google is sending my public net
(217.88.103.0/24).

How can I tell unbound to send the "correct" subnet?

My problem is, that the unbound server has no public IP address. It
has only a private (192.168.0.1) IP address and is accessing the
internet via router (192.168.0.254). The public IP address will change
whenever we restart the router.


-- 
Regards,
Igor

More information about the Unbound-users mailing list