[dns-operations] EDNS client-subnet best practice?

Ralph Dolmans ralph at nlnetlabs.nl
Wed Jun 3 15:35:17 UTC 2020


Hi,

On 03-06-2020 15:52, Petr Špaček wrote:
> On 03. 06. 20 14:44, Chris Adams wrote:
>> These servers are not configured to send client-subnet to anybody
>> (pretty much default Unbound config).  They aren't serving clients from
>> outside the AS - I generally think of client-subnet as something you'd
>> use on a DNS server with a wide range of clients.  Is it expected that I
>> should be enabling EDNS client-subnet on recursive servers?
>>
>> I do have some recursive servers that have a large set of clients (where
>> client-subnet might be useful) - should I just enable it for all
>> requests?  In Unbound terms, enable "client-subnet-always-forward"?
> 
> In my view ECS is only useful if routing paths between:
> a) resolver & Internet 
> b) client sending query to resolver & Internet
> are different.
> 
> Netmasks in Unbound's max-client-subnet-ipv4/6 would ideally be as short as possible to cover just the prefix that causes the routing to differ and nothing more.
> 
> As for client-subnet-always-forward... I do not understand what the manual attempts to say :-/
> 

It attempts to say that, when enabled, for incoming queries that contain
an ECS option Unbound will skip the ECS whitelist check and will use
that ECS option in the upstream query.

I don't think the incoming queries in this scenario contain an ECS
option, so this configuration option is not needed here.

-- Ralph
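To illustrate the prefix-length point above, here is an added example (not Unbound's code) that builds and parses the RFC 7871 ECS option as a resolver would send it upstream, capping the source prefix the way max-client-subnet-ipv4/6 does and zeroing everything beyond it. The default caps of 24 and 56 bits are assumed to match Unbound's documented defaults.

```python
import ipaddress
import struct

# EDNS option code for Client Subnet (RFC 7871) and IANA address family numbers
OPT_ECS = 8
FAMILY = {4: 1, 6: 2}


def build_ecs_option(client_ip: str, max_prefix_v4: int = 24, max_prefix_v6: int = 56) -> bytes:
    """Return the ECS option data for client_ip with the source prefix capped
    at the configured maximum (the analogue of max-client-subnet-ipv4/6).
    Host bits beyond the prefix are zeroed and, per RFC 7871, only
    ceil(prefix/8) address octets are sent; SCOPE PREFIX-LENGTH is 0 in queries."""
    addr = ipaddress.ip_address(client_ip)
    cap = max_prefix_v4 if addr.version == 4 else max_prefix_v6
    prefix = min(cap, addr.max_prefixlen)
    net = ipaddress.ip_network((addr, prefix), strict=False)  # masks the host bits
    addr_bytes = net.network_address.packed[: (prefix + 7) // 8]
    return struct.pack("!HBB", FAMILY[addr.version], prefix, 0) + addr_bytes


def parse_ecs_option(data: bytes):
    """Decode ECS option data into (network, scope_prefix_length).
    Raises ValueError on a malformed option, including non-zero bits beyond
    the source prefix, which RFC 7871 requires the receiver to reject."""
    if len(data) < 4:
        raise ValueError("ECS option too short")
    family, src, scope = struct.unpack("!HBB", data[:4])
    raw = data[4:]
    if family not in (1, 2):
        raise ValueError("unknown address family %d" % family)
    full_len = 4 if family == 1 else 16
    if src > full_len * 8 or len(raw) != (src + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    padded = raw + b"\x00" * (full_len - len(raw))
    # strict=True (the default) raises if any bit beyond the prefix is set
    net = ipaddress.ip_network((padded, src))
    return net, scope


if __name__ == "__main__":
    # Constructed sample client addresses, not real traffic
    for ip in ("192.0.2.77", "2001:db8:1234:5678::1"):
        opt = build_ecs_option(ip)
        print(ip, "->", opt.hex(), "->", parse_ecs_option(opt))
```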
