Configure unbound to send correct ECS like Google Public DNS

John Todd jtodd at loligo.com
Tue Aug 9 16:41:07 UTC 2022 

On 9 Aug 2022, at 8:19, Igor Sverkos via Unbound-users wrote:

> Hi,
>
> a simple query like
>
>   $ dig +nocomment TXT whoami.ds.akahelp.net @8.8.8.8
>
> will output
>
>   ;; global options: +cmd
>   ;whoami.ds.akahelp.net.         IN      TXT
>   whoami.ds.akahelp.net.  20      IN      TXT     "ecs" "217.88.103.0/24/24"
>   whoami.ds.akahelp.net.  20      IN      TXT     "ip" "217.88.103.14"
>   whoami.ds.akahelp.net.  20      IN      TXT     "ns" "172.217.45.194"
>   ;; Query time: 43 msec
>   ;; SERVER: 8.8.8.8#53(8.8.8.8)
>   ;; WHEN: Tue Aug 09 16:46:06 W. Europe Summer Time 2022
>   ;; MSG SIZE  rcvd: 139
>
> When I do the same against our local unbound resolver, i.e.
>
>   $ dig +nocomment TXT whoami.ds.akahelp.net @192.168.0.1
>
> the output will be just
>
>   ; <<>> DiG 9.16.29 <<>> +nocomment TXT whoami.ds.akahelp.net
>   ;; global options: +cmd
>   ;whoami.ds.akahelp.net.         IN      TXT
>   whoami.ds.akahelp.net.  6       IN      TXT     "ns" "217.88.103.14"
>   ;; Query time: 0 msec
>   ;; SERVER: 192.168.0.1#53(10.1.0.2)
>   ;; WHEN: Tue Aug 09 16:37:36 W. Europe Summer Time 2022
>   ;; MSG SIZE  rcvd: 78
>
> So unbound is not sending EDNS query. If I add
>
>   server:
>           send-client-subnet: 0.0.0.0/0
>           send-client-subnet: ::0/64
>
> to my unbound.conf, response will look like
>
>   ; <<>> DiG 9.16.29 <<>> +nocomment TXT whoami.ds.akahelp.net
>   ;; global options: +cmd
>   ;whoami.ds.akahelp.net.         IN      TXT
>   whoami.ds.akahelp.net.  20      IN      TXT     "ip" "217.88.103.14"
>   whoami.ds.akahelp.net.  20      IN      TXT     "ns" "217.88.103.14"
>   whoami.ds.akahelp.net.  20      IN      TXT     "ecs" "192.168.0.0/24/24"
>   ;; Query time: 165 msec
>   ;; SERVER: 192.168.0.1#53(192.168.0.1)
>   ;; WHEN: Tue Aug 09 17:06:43 W. Europe Summer Time 2022
>   ;; MSG SIZE  rcvd: 137
>
> While unbound is now doing EDNS queries, unbound is sending my local
> subnet (192.168.0.0/24) whereas Google is sending my public net
> (217.88.103.0/24).
>
> How can I tell unbound to send the "correct" subnet?
>
> My problem is, that the unbound server has no public IP address. It
> has only a private (192.168.0.1) IP address and is accessing the
> internet via router (192.168.0.254). The public IP address will change
> whenever we restart the router.
>
>
> -- 
> Regards,
> Igor

The last paragraph is the one that describes your problem. It looks like you’ve configured ECS correctly on Unbound, but since you’re using RFC1918 address space that’s what’s being sent.  So unbound is doing what you’ve told it to do.

More clarity is needed: Why are you sending ECS?  If your queries originate from your “public” IP address, then any system that cares about ECS should (I know “should” is a dangerous word) look at the originating IP address if there is no ECS data.  In any case, at least some of the largest CDN/authoritative servers will ignore your ECS data unless you have an agreement with them so it’s probably not super-useful even if you did manage to send ECS somehow.  Google sends ECS because to them, you appear to be coming from a public IP address, and they relay that information to authoritative servers so the authoritative server sees something other than the IP address of the Google egress resolver.  You don’t have the same diagram; it’s unclear why you’d ever use ECS.

You can’t send “correct” ECS since you’re using RFC1918 space for your clients. ECS is meant to send data about the IP address of the actual client so that it can be used for remote identification (usually this is for geolocation.)  That won’t work with RFC1918 space. But you don’t need ECS - you’re originating queries from an IP address that is somehow associated with your system, even if ultimately appears via two NATs it will have a real public IP on it somewhere.

JT

More information about the Unbound-users mailing list