Compile Unbound with ECS support

Question

Compile Unbound with ECS support

vampywiz17 opened this issue a year ago · 13 comments

vampywiz17 commented a year ago

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe.

I would like to use Unbound DNS to forward mac/ip data to my upstream DNS server (Pi-hole). It work with Dnsmasq.

Describe the solution you like

Add --enable-subnet flag, when compile Unbound DNS, that support configs like:

module-config: "subnetcache validator iterator"
send-client-subnet: 0.0.0.0/0

Answer 1 · 2023-08-04T07:17:49.000Z

Seems to be the "SUBNET" option in the Unbound port. I'm a little undecided here. We don't use it. I haven't heard of it before and this is the first time it's being asked for.. needless to say FreeBSD does not have this enabled by default.

Cheers,
Franco

Answer 2 · 2023-11-14T21:41:52.000Z

ECS support allows for sending sanitized information to assist with geolocation and appropriate responses for CDN backed resources.

https://www.akamai.com/blog/developers/introducing-new-whoami-tool-dns-resolver-information

Enabling this module would be very helpful for people to retain some anonymity without incurring the quite real possibility of being routed to IPs that are located very far away while servers very near could be used. The performance improvements are quite real. Enabling the module in build will not expose any more information by default, it is up to the individual user/admin to configure the extent of the masking.

https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#edns-client-subnet-module-options

Answer 3 · 2023-11-15T07:08:42.000Z

I'm happy to enable the option but what is the plan for integrating this? For one overriding module-config isn't easily possible at the moment and the Python module may be interfering.

Answer 4 · 2023-11-18T21:44:37.000Z

Thanks for the reply. Basically for Pi-hole use (I'm the co-founder), we can point Pi-hole at the unbound instance, set unbound to do EDNS-0/ECS and pass a user-defined subnet mask. Where this helps is mostly with CDN content, as it is now there is no real mechanism to let the authoritative resolvers know where to consider the client's location. A common complaint/issue that gets assigned to DNS is increased latency. It's not DNS of course, but it is the client getting an IP that is not local.

The added capabilities are not limited to sinkholes like Pi-hole, they would help with anything that uses unbound in recursive configuration.

dan@Viking:~$ dig +short TXT whoami.ds.akahelp.net
"ns" "172.90.x.y
dan@Viking:~$ dig +short TXT whoami.ds.akahelp.net @192.168.88.254
"ns" "172.90.x.y"
dan@Viking:~$ dig +short TXT whoami.ds.akahelp.net @1.1.1.1
"ip" "172.88.0.46"
"ecs" "172.88.0.0/24/24"
"ns" "172.70.213.100"

In the above example the first two dig calls are to the system DNS resover and then the OPNsense unbound resolver in it's current mode.

The last is a dig direct with ECS data passed. The IP is not the actual client IP but a random IP that is located in the subnet passed with the query. Recursive resolvers don’t send the actual client IP they observe, in order to reduce the privacy impacts of ECS.

Edit: There is no need to override module-config. You can enable the module and nothing will change unless you include the additional configuration directives. Everything is set to default off by unbound. I don't think you'd even need to expose the configuration lines on the web interface at the start, adding in config snippets in a .d/ subdirectory should be enough for power users to get started.

Edit2: Sorry for the edits, here is an example of the potential use in action: https://www.reddit.com/r/pihole/comments/17v56cd/pihole_with_unbound/

Answer 5 · 2023-12-07T22:39:34.000Z

@dschaper

It sound very good! I hope it will enable it.

Answer 6 · 2024-01-08T12:59:40.000Z

Hi,
Small note to add to the discussion that if Unbound is compiled with --enable-subnet the default module-config: value changes from "validator iterator" to "subnetcache validator iterator".
Although from a privacy perspective Unbound does not enable any ECS options, the presence of the subnetcache module alone does change client query aggregation as every client query needs to be inspected individually wrt ECS.
Based on the incoming traffic that could translate to lower resolution performance compared to a default Unbound configuration without --enable-subnet.
So, if Unbound is compiled with ECS support, make sure to explicitly set module-config: "validator iterator" to keep the previous default and have no surprises to other users.

Answer 7 · 2024-01-10T18:00:52.000Z

So, if Unbound is compiled with ECS support, make sure to explicitly set module-config: "validator iterator" to keep the previous default and have no surprises to other users.

I think the previous comment(s) would prevent this option.

For one overriding module-config isn't easily possible at the moment and the Python module may be interfering.

So explicitly setting the module-config to disable subnetcache means compiling with --enable-subnet would be useless.