From sirizake at gmail.com Mon May 5 10:35:51 2025
From: sirizake at gmail.com (sir izake)
Date: Mon, 5 May 2025 10:35:51 +0000
Subject: ECS implementation in Unbound and Privacy Concerns
Message-ID:

Dear All,

I have Unbound 1.20 DNS recursive resolver. I intend to enable ECS to improve geo-location response to CDN resources.

Unfortunately, I got the below error after I enabled subnetcache in modules:

    module-config: "respip validator subnetcache iterator"

    fatal error: module_conf lists module 'subnetcache' but that module is not available

How do I get this to work?

If anyone has successfully set this up in their environment, how did you minimize exposure to users' IP info? Did you observe any performance related issues?

Warm regards
Isaac

From yorgos at nlnetlabs.nl Mon May 5 13:19:42 2025
From: yorgos at nlnetlabs.nl (Yorgos Thessalonikefs)
Date: Mon, 5 May 2025 15:19:42 +0200
Subject: ECS implementation in Unbound and Privacy Concerns
In-Reply-To:
References:
Message-ID: <9001365d-0daa-4261-aa60-54ab0f7e2d72@nlnetlabs.nl>

Hi Isaac,

I believe this message comes from running unbound-checkconf. The message there was less clear than running unbound itself; I have synced both messages now to make more sense:

https://github.com/NLnetLabs/unbound/commit/5dd14e26443a3801eea1e04cd650822183fe4762

The error is there because the subnetcache module is not compiled in by default. If you want to compile it you need to use '--enable-subnet' in your ./configure line.

With all that said, are you sure ECS is going to help in your use case? ECS is only useful when the resolver and the clients are in different regions; think open public resolvers.

If that is not your use case and instead Unbound is close to the clients it serves, ECS will hamper performance for no real benefit.

As for ECS and privacy concerns, you can read the ECS section in the manpage or also online at https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#edns-client-subnet-module-options for the latest version. Unbound by default masks /24 for IPv4 and /56 for IPv6 (the max-client-* options).

Performance is impacted because of the extra caching functionality ECS imposes (cache per IP network segment), and the singularity of the client queries, since different networks may yield different responses for the same query. That means queries that could have been aggregated without ECS because they have the same question are, with ECS, treated as separate queries because their client information may yield different results.

Best regards,
-- Yorgos
From sirizake at gmail.com Mon May 12 08:58:33 2025
From: sirizake at gmail.com (sir izake)
Date: Mon, 12 May 2025 08:58:33 +0000
Subject: Unbound-users Digest, Vol 65, Issue 2
In-Reply-To:
References:
Message-ID:

Thanks for the detailed information

From marek.w.abram at gmail.com Wed May 14 18:31:34 2025
From: marek.w.abram at gmail.com (Marek Abram)
Date: Wed, 14 May 2025 12:31:34 -0600
Subject: Domain resolution
Message-ID:

It has happened to me a few times that my local Unbound was unable to resolve a domain name, but when I used an external web DNS-to-IP lookup it works. For example, my local DNS is unable to resolve router91405.cdn-akm.me. Is my unbound.conf missing a config value?

Mark

From mike at celtic-dreamer.com Tue May 20 16:37:50 2025
From: mike at celtic-dreamer.com (Mike Durkin)
Date: Tue, 20 May 2025 12:37:50 -0400
Subject: Question about thread logging statistics
Message-ID:

Hi

We are using unbound docker containers (version 1.22) in our corporate environment and after fixing an issue with DNSSEC records, I wanted to ask about some of the logging statistics to see if there still might be a performance issue.

Last week, we were getting reports of certain domains not resolving and I saw error messages like the following in the logs:

    [1747490624] unbound[1:2] info: validation failure : SERVFAIL [exceeded the maximum number of sends] no DS for DS domain.com. while building chain of trust
    [1747493945] unbound[1:1] error: SERVFAIL : exceeded the maximum number of sends

I ended up adding the following which seemed to resolve the issue:
    max-sent-count: 200

I had tried some lower values initially, but that didn't resolve the problem until I bumped it up to 200.

So at the moment we are not getting any reports of DNS client failures, but I am seeing the following in the logs:

    [1747757273] unbound[1:0] info: server stats for thread 0: requestlist max 78 avg 68.4251 exceeded 84 jostled 0
    [1747757333] unbound[1:0] info: server stats for thread 0: requestlist max 72 avg 66.9528 exceeded 55 jostled 0
    [1747757393] unbound[1:0] info: server stats for thread 0: requestlist max 78 avg 66.9892 exceeded 62 jostled 0

The thread server stats are always showing a significant number for exceeded. The host where the container is running is not overloaded. I do see in the logs that there are a significant number of requests for legacy subdomains that are no longer in use and cause error messages like the following:

    [1747758108] unbound[1:0] error: SERVFAIL : all the configured stub or forward servers failed, at zone domain.com. from 10.10.32.2 got SERVFAIL

My main question is, would those requests that are being forwarded and timing out with a client error "no servers could be reached" be a source for the "exceeded" count in the thread server stats?

Thanks,

-Mike Durkin

From yorgos at nlnetlabs.nl Wed May 21 08:24:15 2025
From: yorgos at nlnetlabs.nl (Yorgos Thessalonikefs)
Date: Wed, 21 May 2025 10:24:15 +0200
Subject: Question about thread logging statistics
In-Reply-To:
References:
Message-ID: <09d7a0de-cc2d-44fc-8b88-87fecf79959d@nlnetlabs.nl>

Hi Mike,

The "exceeded" number is the number of queries that were dropped because the request list (queries from clients) was full.

However versions 1.21.0 up to and including 1.23.0 wrongfully use the statistic for queries that exceed the discard-timeout [1] and/or wait-limit [2] options.

Version 1.23.0 fixes that by introducing an explicit counter for that, accessible from the 'stats' command (total.num.queries_discard_timeout and total.num.queries_wait_limit [3]), and stops counting those drops in the "exceeded".

What I believe happens in your case is that because you increased max-sent-count to 200, those queries are now slow to respond back and Unbound drops the replies to those clients because discard-timeout is exceeded, or because they are slow those clients exceed their wait-limit. (And wrongfully counts those in the "exceeded" in the log output.)

Btw, did increasing max-sent-count actually help in your case?

Is your Unbound configured specially for domain.com or does it just use a '.' forwarder? I mainly am asking about the last error log you shared.

Best regards,
-- Yorgos

[1] https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-discard-timeout
[2] https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-wait-limit
[3] https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound-control.html#statistic-counters

From mike at celtic-dreamer.com Wed May 21 19:20:08 2025
From: mike at celtic-dreamer.com (Mike Durkin)
Date: Wed, 21 May 2025 15:20:08 -0400
Subject: Question about thread logging statistics
In-Reply-To:
References:
Message-ID:

Thanks Yorgos,

I updated one of the servers to 1.23 and now the requestlist stats are consistently 0 for exceeded:

    [1747854620] unbound[1:6] info: server stats for thread 6: requestlist max 73 avg 63.6041 exceeded 0 jostled 0
    [1747854620] unbound[1:2] info: server stats for thread 2: requestlist max 71 avg 59.7928 exceeded 0 jostled 0
    [1747854620] unbound[1:3] info: server stats for thread 3: requestlist max 72 avg 64.8742 exceeded 0 jostled 0

Increasing *max-sent-count* definitely resolved our initial problem where the DNSSEC records were failing for some domains that are frequently used by DNS clients.

This unbound server forwards all requests for "domain.com" to a set of internal DNS servers, and I can see in the logs that there are a couple of valid hostnames within that domain; however, subdomains like "dev.domain.com" are probably configured on those internal nameservers to forward to some IP addresses that were retired a couple of years ago. I'm working with the admin of those nameservers to verify which DNS records are valid and hopefully stop forwarding requests to dead IP addresses.
-Mike Durkin
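Returning to the ECS thread at the top of this page: the following is an added example (not Unbound's code, not from the list participants) that models the two points in Yorgos's reply, the /24 and /56 truncation of the client address that Unbound forwards and the per-network cache keying that stops identical questions from being aggregated. The qname "cdn.example" and the client addresses are constructed; the option names max-client-subnet-ipv4 and max-client-subnet-ipv6 are Unbound's, the defaults are the ones stated in the reply.

```python
"""Added example (not Unbound's own code): models two points from the ECS thread
above. The forwarded ECS address is truncated to max-client-subnet-ipv4 (24) /
max-client-subnet-ipv6 (56), so the authoritative side never sees host bits, and
an ECS cache is keyed per client network, so identical questions from different
networks can no longer be aggregated the way a plain cache aggregates them."""
from __future__ import annotations
import ipaddress

# Unbound's documented defaults for the ECS source prefix length it forwards.
MAX_CLIENT_SUBNET = {4: 24, 6: 56}


def ecs_source_prefix(client_ip: str) -> tuple[str, int]:
    """(network address, prefix length) as it would appear in the ECS option."""
    addr = ipaddress.ip_address(client_ip)
    plen = MAX_CLIENT_SUBNET[addr.version]
    net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return str(net.network_address), plen


def hidden_host_bits(client_ip: str) -> int:
    """Address bits the truncation withholds from upstream: 8 for IPv4, 72 for IPv6."""
    addr = ipaddress.ip_address(client_ip)
    return addr.max_prefixlen - MAX_CLIENT_SUBNET[addr.version]


class ResolverCache:
    """Toy cache that counts upstream fetches. With ecs=True the key also carries
    the truncated client network (cache per network segment, as in the reply)."""

    def __init__(self, ecs: bool):
        self.ecs = ecs
        self.entries: dict[tuple, str] = {}
        self.upstream_fetches = 0

    def resolve(self, qname: str, qtype: str, client_ip: str) -> str:
        key: tuple = (qname.lower().rstrip(".") + ".", qtype.upper())
        if self.ecs:
            key += ecs_source_prefix(client_ip)
        if key not in self.entries:
            self.upstream_fetches += 1  # miss: this network needs its own fetch
            self.entries[key] = f"answer for {key}"
        return self.entries[key]


def compare_fanout(clients: list[str], qname: str = "cdn.example",
                   qtype: str = "A") -> dict[str, int]:
    """Ask the same question from every client; report upstream fetches per mode."""
    result = {}
    for label, ecs in (("without_ecs", False), ("with_ecs", True)):
        cache = ResolverCache(ecs)
        for ip in clients:
            cache.resolve(qname, qtype, ip)
        result[label] = cache.upstream_fetches
    return result


# Constructed clients (documentation ranges): two IPv4 hosts share a /24 and one
# sits in another /24; two IPv6 hosts share a /56 and one sits in another /56.
SAMPLE_CLIENTS = ["192.0.2.10", "192.0.2.200", "198.51.100.7",
                  "2001:db8:1:200::5", "2001:db8:1:2ff::1", "2001:db8:1:300::1"]
```

With the six constructed clients a plain cache fetches the answer once, while the ECS cache fetches it four times (one per distinct /24 or /56), which is the aggregation loss Yorgos describes.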
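For the "exceeded" discussion in the last thread, an added example (not Unbound's code, not from the list participants) that parses the per-thread "server stats" log lines and applies Yorgos's version caveat: on versions before the 1.23.0 fix a non-zero "exceeded" may be discard-timeout or wait-limit drops rather than a full request list, while 1.23.0 exposes those drops as the total.num.queries_discard_timeout and total.num.queries_wait_limit counters. The sample log lines are the ones quoted in the thread; the 'unbound-control stats' excerpt and the counter values in it are constructed.

```python
"""Added example (not Unbound's own code): reads the per-thread 'server stats'
log lines from the thread above and applies the caveat from the reply: before
1.23.0 the 'exceeded' counter also absorbed discard-timeout and wait-limit drops,
so a non-zero value on those versions is ambiguous; 1.23.0 reports them separately."""
import re

THREAD_STATS = re.compile(
    r"\[(?P<ts>\d+)\] unbound\[\d+:(?P<thread>\d+)\] info: server stats for thread "
    r"\d+: requestlist max (?P<max>\d+) avg (?P<avg>[\d.]+) "
    r"exceeded (?P<exceeded>\d+) jostled (?P<jostled>\d+)")
EXPLICIT_COUNTERS_SINCE = (1, 23, 0)  # version named in the reply above


def parse_thread_stats(log_text: str) -> list:
    """One record per 'server stats for thread N' line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = THREAD_STATS.search(line)
        if m:
            records.append({k: (float(v) if k == "avg" else int(v))
                            for k, v in m.groupdict().items()})
    return records


def parse_control_stats(text: str) -> dict:
    """Parse the 'name=value' lines printed by 'unbound-control stats'."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and value.isdigit():
            out[name] = int(value)
    return out


def version_tuple(version: str) -> tuple:
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "1.23" -> (1, 23, 0)


def assess(version: str, log_text: str, control_stats: str = "") -> dict:
    """Summarise the 'exceeded' total and say what it can mean on this version."""
    records = parse_thread_stats(log_text)
    counters = parse_control_stats(control_stats)
    result = {"lines": len(records),
              "exceeded_total": sum(r["exceeded"] for r in records),
              "discard_timeout": counters.get("total.num.queries_discard_timeout", 0),
              "wait_limit": counters.get("total.num.queries_wait_limit", 0)}
    if result["exceeded_total"] == 0:
        result["verdict"] = "ok"
    elif version_tuple(version) < EXPLICIT_COUNTERS_SINCE:
        result["verdict"] = "ambiguous"  # may be slow-reply drops, not overload
    else:
        result["verdict"] = "request_list_full"  # clients really were dropped
    return result


# Constructed samples: the 1.22 lines quoted above plus one unrelated log line,
# and a 'unbound-control stats' excerpt carrying the counters added in 1.23.0.
SAMPLE_LOG_122 = """\
[1747757273] unbound[1:0] info: server stats for thread 0: requestlist max 78 avg 68.4251 exceeded 84 jostled 0
[1747757333] unbound[1:0] info: server stats for thread 0: requestlist max 72 avg 66.9528 exceeded 55 jostled 0
[1747758108] unbound[1:0] error: SERVFAIL : all the configured stub or forward servers failed
[1747757393] unbound[1:0] info: server stats for thread 0: requestlist max 78 avg 66.9892 exceeded 62 jostled 0
"""
SAMPLE_CONTROL_123 = "total.num.queries_discard_timeout=12\ntotal.num.queries_wait_limit=3\n"
```

Run against Mike's 1.22 lines the total is 201 and the verdict is "ambiguous"; the same lines on 1.23.0 would mean the request list genuinely filled up, and the two explicit counters are then the place to look for slow-reply drops.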