ECS implementation in Unbound and Privacy Concerns

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Mon May 5 13:19:42 UTC 2025


Hi Isaac,

I believe this message comes from running unbound-checkconf.
The message there was less clear than running unbound itself; I have 
synced both messages now to make more sense:
https://github.com/NLnetLabs/unbound/commit/5dd14e26443a3801eea1e04cd650822183fe4762

The error is there because the subnetcache module is not compiled in by 
default.
If you want to compile it you need to use '--enable-subnet' in your 
./configure line.

With all that said, are you sure ECS is going to help in your use case?
ECS is only useful when the resolver and the clients are in different 
regions; think open public resolvers.

If that is not your use case and instead Unbound is close to the clients 
it serves, ECS will hamper performance for no real benefit.

As for ECS and privacy concerns, you can read the ECS section in the 
manpage or also online at 
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#edns-client-subnet-module-options 
for the latest version.
Unbound by default masks /24 for IPv4 and /56 for IPv6 (the max-client-* 
options).

Performance is impacted because of the extra caching functionality ECS 
imposes (cache per IP network segment), and the singularity of the 
client queries, since different networks may yield different responses 
for the same query. That means queries that could have been aggregated 
without ECS because they have the same question are, with ECS, treated 
as separate queries because their client information may yield 
different results.

Best regards,
-- Yorgos

On 05/05/2025 12:35, sir izake via Unbound-users wrote:
> Dear All,
> 
> I have an Unbound 1.20 DNS recursive resolver. I intend to enable ECS to 
> improve geo-location response to CDN resources.
> 
> Unfortunately, I got the below error after I enabled subnetcache in modules
> 
> module-config: "respip validator subnetcache iterator"
> 
> fatal error: module_conf lists module 'subnetcache' but that module is 
> not available
> 
> How do I get this to work?
> 
> If anyone has successfully set this up in their environment, how did you 
> minimize exposure to users' IP info? Did you observe any 
> performance-related issues?
> 
> Warm regards
> Isaac
> 
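
The following is an added example, not part of the original thread and not Unbound's code. It shows what an upstream server receives in the ECS option (RFC 7871 wire format) after the default /24 and /56 masking mentioned in the reply, and how per-subnet caching splits one question into several cache entries. The cache key shape and the sample queries are assumptions made for illustration.

```python
import ipaddress
import struct

# Prefix lengths the reply gives as Unbound's defaults.
SOURCE_PREFIX = {4: 24, 6: 56}
ECS_OPTION_CODE = 8        # EDNS Client Subnet option code (RFC 7871)
FAMILY = {4: 1, 6: 2}      # address family numbers used in the option


def masked_subnet(client_ip):
    """Return the network left after masking the client address."""
    addr = ipaddress.ip_address(client_ip)
    prefix = SOURCE_PREFIX[addr.version]
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def ecs_option(client_ip):
    """Build the ECS option bytes an upstream server would receive."""
    net = masked_subnet(client_ip)
    # Only the octets covered by the source prefix go on the wire.
    octets = (net.prefixlen + 7) // 8
    address = net.network_address.packed[:octets]
    # FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries).
    body = struct.pack("!HBB", FAMILY[net.version], net.prefixlen, 0) + address
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def cache_entries(queries, ecs_enabled):
    """Count distinct cache keys (simplified model, assumed key shape)."""
    keys = set()
    for client_ip, qname, qtype in queries:
        scope = masked_subnet(client_ip) if ecs_enabled else None
        keys.add((qname.lower(), qtype, scope))
    return len(keys)


# Constructed sample queries using documentation address ranges.
QUERIES = [
    ("192.0.2.10", "cdn.example.com.", "A"),
    ("192.0.2.200", "cdn.example.com.", "A"),           # same /24 as above
    ("198.51.100.7", "cdn.example.com.", "A"),
    ("203.0.113.99", "cdn.example.com.", "A"),
    ("2001:db8:1:2:aaaa::1", "cdn.example.com.", "A"),
    ("2001:db8:1:ff:bbbb::2", "cdn.example.com.", "A"),  # same /56 as above
]

if __name__ == "__main__":
    print("ECS option on the wire:", ecs_option("192.0.2.10").hex())
    print("cache entries without ECS:", cache_entries(QUERIES, False))
    print("cache entries with ECS:", cache_entries(QUERIES, True))
```

The host bits never leave the resolver, but the upstream still learns the client's /24 or /56, and one question that would be a single cache entry becomes one entry per client subnet.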


