
EDNS information logging in log

Open dtouzeau opened this issue 1 year ago • 3 comments

I have implemented EDNS on two Unbound instances. The first Unbound correctly sends the subnet information to the front-end Unbound.

This is the debug on the front-end server

Jun  2 19:23:18 dns unbound: [8351:1] debug: answer has edns subnet 192.168.1.0/24 scope /0
Jun  2 19:23:18 dns unbound: [8351:1] debug: EDNS lookup known=1 vs=0
Jun  2 19:23:18 dns unbound: [8351:1] debug: reply has edns subnet 192.168.1.190/32 scope /0
Jun  2 19:23:18 dns unbound: [8351:0] debug: query has edns subnet 192.168.1.190/32 scope /0
Jun  2 19:23:18 dns unbound: [8351:0] debug: reply has edns subnet 192.168.1.190/32 scope /0
Jun  2 19:23:18 dns unbound: [8351:1] debug: reply has edns subnet 192.168.1.190/32 scope /0
Jun  2 19:23:24 dns unbound: [8351:3] debug: query has edns subnet 127.0.0.1/32 scope /0
Jun  2 19:23:24 dns unbound: [8351:3] debug: EDNS lookup known=1 vs=0

How can I force Unbound to write the EDNS subnet information to the Unbound request logs? I can't figure out how. The DNS service still logs the IP address of the first Unbound server.

dtouzeau, Jun 02 '24 17:06

On the Unbound that wants to log queries, the edns subnet module prints "query has edns subnet ...", and this is the subnet information for the incoming query.

The setup sounds similar to the use of proxy-protocol. With that, the downstream IP address would be logged with log-queries: yes, due to the proxy protocol carrying that to the server. Proxy protocol processing, if that sort of load balancing towards some servers is considered useful, is enabled with proxy-protocol-port: <port> for the server that performs recursion.

wcawijngaards, Jun 03 '24 12:06
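As an added illustration of the proxy-protocol option mentioned above (this is not configuration from the thread or from the Unbound project; the addresses and port numbers are assumed), a fragment for the recursive Unbound that sits behind a load balancer which prefixes each connection with a PROXYv2 header:

```conf
# Added example: recursive (back-end) Unbound behind a PROXY-protocol-capable
# load balancer. 10.0.0.2, port 8053 and port 53 are assumed values.
server:
    # Plain DNS listener for clients that send no PROXY header.
    interface: 10.0.0.2@53

    # Listener reserved for the load balancer. Connections on this port are
    # expected to start with a PROXYv2 header that carries the original
    # client address, so log-queries records that client instead of the
    # balancer's own address.
    interface: 10.0.0.2@8053
    proxy-protocol-port: 8053

    log-queries: yes
    verbosity: 1
```

The PROXY header is trusted as-is, so the proxied port should only be reachable from the load balancer (for example by firewalling 10.0.0.2:8053 to the balancer's address); any other host that can reach it could label its queries with an arbitrary client address in the logs.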

Hi, makes sense... This is one of the methods I wanted to implement, but it doesn't work in a purely "unbound" ecosystem. In fact, I didn't see the possibility of enabling the proxy protocol in forward-addr/stub-addr.

When you have Unbound backend servers behind Unbound front-ends, this architecture using Proxy-Protocol doesn't currently seem to be supported.

For PowerDNS/DnsDist to Unbound, no problem.

However, I was able to answer this question using DNSTAP where EDNS can be extracted.

dtouzeau, Jun 04 '24 12:06

Hello,

You can do that easily with dnstap!

You may use a dnstap collector on the same server and configure unbound to forward queries to the collector. You will be able to see all details including EDNS/ECS. Plus, this is much less resource expensive in contrast with normal query logging.

Hexen1988, Sep 11 '24 17:09
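The "extract EDNS/ECS from dnstap" step above works because dnstap hands the collector the raw DNS message bytes, and the client subnet that the debug log prints as "query has edns subnet 192.168.1.190/32 scope /0" is an EDNS option (code 8, RFC 7871) inside the OPT record of that message. The following added example (not code from the thread, from Unbound or from any dnstap collector) builds such a query from constructed values and then decodes the option the way a collector would, including the malformed-option rejection the RFC requires:

```python
"""Decode the EDNS Client Subnet (ECS, RFC 7871, option code 8) option from a
raw DNS message. This is an added example; the query it builds is constructed
here, not captured from the servers in the thread."""
import ipaddress
import struct

ECS_OPTION_CODE = 8
OPT_RRTYPE = 41


def build_ecs_option(subnet: str, scope: int = 0) -> bytes:
    """Encode one ECS option: family, source prefix, scope prefix, truncated address."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr_len = (net.prefixlen + 7) // 8  # RFC 7871: only the significant octets are sent
    body = struct.pack("!HBB", family, net.prefixlen, scope) + net.network_address.packed[:addr_len]
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query_with_ecs(qname: str, subnet: str) -> bytes:
    """Constructed A query for qname with an OPT record carrying ECS for subnet."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # id, RD, QDCOUNT=1, ARCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = build_ecs_option(subnet)
    # OPT RR: root name, type 41, UDP payload size 1232, ext-rcode/version/flags 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def parse_ecs_options(rdata: bytes):
    """Scan OPT rdata; return (address, source_prefix, scope_prefix) or None.
    Raises ValueError for the malformed encodings RFC 7871 says to reject."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        body = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if code != ECS_OPTION_CODE:
            continue
        if len(body) < 4:
            raise ValueError("ECS option too short")
        family, src, scope = struct.unpack("!HBB", body[:4])
        addr_bytes = body[4:]
        full = {1: 4, 2: 16}.get(family)
        if full is None or len(addr_bytes) != (src + 7) // 8 or len(addr_bytes) > full:
            raise ValueError("malformed ECS option (family or address length)")
        addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full - len(addr_bytes)))
        # Bits beyond SOURCE PREFIX-LENGTH must be zero; ip_network(strict=True) enforces it.
        try:
            ipaddress.ip_network((addr, src), strict=True)
        except ValueError as exc:
            raise ValueError("ECS address has bits set beyond the source prefix") from exc
        return str(addr), src, scope
    return None


def extract_ecs(msg: bytes):
    """Walk the message sections to the OPT record and decode its ECS option."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rrtype == OPT_RRTYPE:
            return parse_ecs_options(rdata)
    return None


if __name__ == "__main__":
    query = build_query_with_ecs("example.com", "192.168.1.190/32")
    print(extract_ecs(query))  # constructed input, mirrors the debug line's 192.168.1.190/32 scope /0
```

Running extract_ecs over the client query messages a dnstap stream delivers gives the same subnet/scope pair that the debug log prints, without enabling debug verbosity; the strict length and trailing-bit checks matter because a collector is parsing untrusted client-supplied option bytes.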