From sirizake at gmail.com Mon May 5 10:35:51 2025
From: sirizake at gmail.com (sir izake)
Date: Mon, 5 May 2025 10:35:51 +0000
Subject: ECS implementation in Unbound and Privacy Concerns
Message-ID:

Dear All,

I have Unbound 1.20 DNS recursive resolver. I intend to enable ECS to improve geo-location response to CDN resources.

Unfortunately, I got the below error after I enabled subnetcache in modules:

module-config: "respip validator subnetcache iterator"

fatal error: module_conf lists module 'subnetcache' but that module is not available

How do I get this to work?

If anyone has successfully set this up in their environment, how did you minimize exposure to users' IP info? Did you observe any performance related issues?

Warm regards
Isaac

From yorgos at nlnetlabs.nl Mon May 5 13:19:42 2025
From: yorgos at nlnetlabs.nl (Yorgos Thessalonikefs)
Date: Mon, 5 May 2025 15:19:42 +0200
Subject: ECS implementation in Unbound and Privacy Concerns
In-Reply-To:
References:
Message-ID: <9001365d-0daa-4261-aa60-54ab0f7e2d72@nlnetlabs.nl>

Hi Isaac,

I believe this message comes from running unbound-checkconf. The message there was less clear than running unbound itself; I have synced both messages now to make more sense:
https://github.com/NLnetLabs/unbound/commit/5dd14e26443a3801eea1e04cd650822183fe4762

The error is there because the subnetcache module is not compiled in by default. If you want to compile it you need to use '--enable-subnet' in your ./configure line.

With all that said, are you sure ECS is going to help in your use case? ECS is only useful when the resolver and the clients are in different regions; think open public resolvers. If that is not your use case and instead Unbound is close to the clients it serves, ECS will hamper performance for no real benefit.

As for ECS and privacy concerns, you can read the ECS section in the manpage or also online at https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#edns-client-subnet-module-options for the latest version. Unbound by default masks /24 for IPv4 and /56 for IPv6 (the max-client-* options).

Performance is impacted because of the extra caching functionality ECS imposes (cache per IP network segment), and the singularity of the client queries, since different networks may yield different responses for the same query. That means queries that could have been aggregated without ECS because they have the same question are, with ECS, treated as separate queries because their client information may yield different results.

Best regards,
-- Yorgos

On 05/05/2025 12:35, sir izake via Unbound-users wrote:
> Dear All,
>
> I have Unbound 1.20 DNS recursive resolver. I intend to enable ECS to
> improve geo-location response to CDN resources.
>
> Unfortunately, I got the below error after I enabled subnetcache in modules:
>
> module-config: "respip validator subnetcache iterator"
>
> fatal error: module_conf lists module 'subnetcache' but that module is
> not available
>
> How do I get this to work?
>
> If anyone has successfully set this up in their environment, how did you
> minimize exposure to users' IP info? Did you observe any performance
> related issues?
>
> Warm regards
> Isaac
>
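To make the privacy point in the reply concrete, here is an added example (not code from the thread or from Unbound) that builds and decodes an EDNS Client Subnet option per RFC 7871 using the /24 and /56 masks the reply cites as Unbound's max-client-subnet-ipv4 / max-client-subnet-ipv6 defaults. The client addresses are constructed documentation-range values; the helper names are mine, and the functions show only what an upstream authoritative server would learn about a client, not Unbound's internal implementation.

```python
import ipaddress
import struct

# Defaults quoted in the thread: Unbound truncates client addresses to /24 (IPv4)
# and /56 (IPv6) before sending them upstream (max-client-subnet-ipv4/ipv6).
MAX_CLIENT_SUBNET_IPV4 = 24
MAX_CLIENT_SUBNET_IPV6 = 56

ECS_OPTION_CODE = 8  # EDNS option code for Client Subnet (RFC 7871)


def mask_client(addr: str) -> tuple:
    """Return (family, prefix_len, truncated_address_bytes) for the outgoing option.
    Only ceil(prefix/8) address bytes are sent and bits beyond the prefix are zero."""
    ip = ipaddress.ip_address(addr)
    family, prefix = (1, MAX_CLIENT_SUBNET_IPV4) if ip.version == 4 else (2, MAX_CLIENT_SUBNET_IPV6)
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    nbytes = (prefix + 7) // 8
    return family, prefix, network.network_address.packed[:nbytes]


def build_ecs_option(addr: str) -> bytes:
    """Wire-format ECS option as it would appear in the query's OPT RR (scope 0)."""
    family, prefix, masked = mask_client(addr)
    payload = struct.pack("!HBB", family, prefix, 0) + masked
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(option: bytes) -> tuple:
    """Decode an ECS option into (family, source_prefix, scope_prefix, network_str)."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    size = 4 if family == 1 else 16
    addr_bytes = option[8:8 + (source + 7) // 8]
    full = addr_bytes + b"\x00" * (size - len(addr_bytes))  # restore the zeroed host part
    return family, source, scope, f"{ipaddress.ip_address(full)}/{source}"


def ecs_network(addr: str) -> str:
    """What the upstream server learns about this client after masking."""
    return parse_ecs_option(build_ecs_option(addr))[3]


if __name__ == "__main__":
    for client in ("203.0.113.77", "2001:db8:abcd:1234:5678::1"):  # constructed sample clients
        print(client, "->", build_ecs_option(client).hex(), ecs_network(client))
```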