Maintained by: NLnet Labs

[Unbound-users] How to config whitelist for EDNS client subnet in unbound

余坤
Wed Dec 24 10:07:52 CET 2014


Hi Larry, Yuri
After a few days of testing, I'm afraid that this branch is not ready for
production use yet. First, just like Larry has pointed out, the RTT value in
the ECS cache does not decrease.
Second, when a domain supports ECS partially, unbound may cache suboptimal
results. For instance, www.qq.com supports ECS in China, i.e. all name
servers of qq.com in China respond correctly when ECS is set in the
query. But qq.com uses Akamai to deliver contents outside China. When
unbound receives a query of www.qq.com with client=18.0.0.0/8, the name
server of qq.com will redirect this query to Akamai. As we all know, Akamai
doesn't support ECS, so the name server of Akamai will return a resource record
without the ECS option. This record ends up in the ordinary cache of unbound!
How did I find out this record is cached in the ordinary cache? Because the
TTL value of this record does decrease!
So subsequent queries of qq.com without the ECS option will be replied to with an
IP address in America! This may cause severe performance downgrade.
A more specific example:
dig @121.194.13.147 www.qq.com
;; ANSWER SECTION:
www.qq.com. 300 IN A 115.25.209.39  <= IP in Beijing China

./dig @121.194.13.147 www.qq.com +client=60.255.0.0/16
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 60.255.0.0/16/24
;; QUESTION SECTION:
;www.qq.com. IN A

;; ANSWER SECTION:
www.qq.com. 300 IN A 175.155.116.108 <= IP in another city of China

So far so good, now ask unbound with an IP address in America:

./dig @121.194.13.147 www.qq.com +client=18.0.0.0/8
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 18.0.0.0/8/0
;; QUESTION SECTION:
;www.qq.com. IN A

;; ANSWER SECTION:
www.qq.com. 299 IN CNAME qq.com.edgesuite.net.
qq.com.edgesuite.net. 21600 IN CNAME a1574.b.akamai.net.
a1574.b.akamai.net. 20 IN A 23.201.102.40  <= Akamai's IP address
a1574.b.akamai.net. 20 IN A 23.201.102.41

Now query unbound without ECS option:
./dig @121.194.13.147 www.qq.com
;; ANSWER SECTION:
www.qq.com. 292 IN CNAME qq.com.edgesuite.net.
qq.com.edgesuite.net. 21593 IN CNAME a1574.b.akamai.net.
a1574.b.akamai.net. 13 IN A 23.201.102.40  <= Still Akamai's address!
a1574.b.akamai.net. 13 IN A 23.201.102.41

;; Query time: 0 msec <= get result from cache

In this way, unbound stores a suboptimal record in the main cache, and
subsequent queries will all get this record. This is not acceptable because
it will cause too much inter-continent traffic.
Since ECS is not an RFC yet, I assume partial support of ECS is quite
common. Returning suboptimal results to clients can cause serious performance
problems.
IMHO, unbound should provide a way to configure which domains should be stored
in the ECS cache. In this way, even if some of the name servers of a domain do not
support ECS, all the records of this domain will be stored in the ECS cache.
Records without ECS information will have a subnet of 0.0.0.0/0. The best
choice can be determined by longest prefix match of the client subnet.

Regards,
Kun


On Fri, Dec 19, 2014 at 2:03 AM, Larry Havemann <larry at edgecast.com> wrote:

> Just a simple warning on using this branch, none of the issues detailed in
> this mailing list thread have been addressed:
> http://t28223.network-dns-unbound-user.dnstalk.us/edns-client-subnets-t28223.html
>
> -Larry
>
> On Thu, Dec 18, 2014 at 2:13 AM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> > Many thanks. Does unbound cache the result that contains
>> > edns-client-subnet information?
>>
>> Yes!
>> It has an additional cache for ECS responses. For performance reasons
>> lookups in this cache are only done when there are reasons to believe
>> it is necessary. I.e. 1) When an answer is not found in the regular
>> cache and the authority server is whitelisted. or 2) The client
>> includes ECS option.
>>
>> //Yuri
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1
>>
>> iEYEARECAAYFAlSSqLoACgkQI3PTR4mhaviDBgCgzrnSOCX0wggIdjF2WkCtDbiR
>> WcUAn3zQ0WDD9lsonKs3XdB8PKmEmXjM
>> =3o06
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>



-- 
Kun YU
Ph.D. Candidate, Department of Electronic Engineering, Tsinghua University,
Beijing, 100084, China.
Mobile Phone:+86 13466535220
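The cache behaviour proposed at the end of the mail (every answer for a whitelisted domain goes into the ECS cache, answers without ECS information are stored under 0.0.0.0/0, and a lookup picks the longest matching prefix for the client's subnet) as an added example. This is a toy model written for this page, not Unbound's code; the records and subnets are constructed from the dig output in the thread, and two assumptions are labelled in the comments: a reply is never cached under a prefix longer than the source prefix that was sent, and a query that carries no ECS option is matched on the client's own address as a /32.

```python
"""
Toy model of a per-domain ECS cache with longest-prefix-match lookup.
Added example, not Unbound's implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import Optional


@dataclass
class EcsEntry:
    scope: IPv4Network   # network the answer is valid for; 0.0.0.0/0 = no ECS info
    rrset: tuple         # (owner, type, rdata) triples, TTLs left out for brevity
    ttl: int


class EcsCache:
    """ECS cache for whitelisted domains: one list of scoped entries per qname."""

    def __init__(self) -> None:
        self._entries: dict[str, list[EcsEntry]] = {}

    def store(self, qname: str, source: Optional[str], scope_len: Optional[int],
              rrset: tuple, ttl: int) -> IPv4Network:
        """Store an answer.  `source` is the subnet we sent upstream (None = no
        ECS sent); `scope_len` is the SCOPE PREFIX-LENGTH the authority returned
        (None = the reply carried no ECS option at all)."""
        if source is None or scope_len is None or scope_len == 0:
            key = ip_network("0.0.0.0/0")          # no ECS information: catch-all entry
        else:
            src = ip_network(source, strict=False)
            # Assumption (simplification): never cache under a prefix longer
            # than the source prefix we actually sent.
            eff = min(src.prefixlen, scope_len)
            key = ip_network(f"{src.network_address}/{eff}", strict=False)
        entries = self._entries.setdefault(qname, [])
        entries[:] = [e for e in entries if e.scope != key]   # replace same-scope entry
        entries.append(EcsEntry(key, tuple(rrset), ttl))
        return key

    def lookup(self, qname: str, client: str) -> Optional[EcsEntry]:
        """Longest-prefix match of the client's subnet against the stored scopes.
        Assumption: a query without an ECS option is matched on the client's
        own address as a /32."""
        net = ip_network(client, strict=False)
        best = None
        for e in self._entries.get(qname, []):
            # an entry applies only if its scope covers the whole client subnet
            if e.scope.prefixlen <= net.prefixlen and net.subnet_of(e.scope):
                if best is None or e.scope.prefixlen > best.scope.prefixlen:
                    best = e
        return best


def demo() -> dict:
    """Replay the thread's two ECS queries, then look up as two non-ECS clients."""
    cache = EcsCache()
    # dig ... +client=60.255.0.0/16 -> CLIENT-SUBNET 60.255.0.0/16/24, Chinese IP
    cache.store("www.qq.com", "60.255.0.0/16", 24,
                (("www.qq.com.", "A", "175.155.116.108"),), 300)
    # dig ... +client=18.0.0.0/8 -> CLIENT-SUBNET 18.0.0.0/8/0, CNAME chain into
    # Akamai whose final A records arrive without any ECS option
    akamai = (("www.qq.com.", "CNAME", "qq.com.edgesuite.net."),
              ("qq.com.edgesuite.net.", "CNAME", "a1574.b.akamai.net."),
              ("a1574.b.akamai.net.", "A", "23.201.102.40"),
              ("a1574.b.akamai.net.", "A", "23.201.102.41"))
    cache.store("www.qq.com", "18.0.0.0/8", 0, akamai, 299)
    # constructed client addresses; neither query carries an ECS option
    return {
        "cn": cache.lookup("www.qq.com", "60.255.17.5").rrset[-1][2],
        "us": cache.lookup("www.qq.com", "18.1.2.3").rrset[-1][2],
        "scopes": sorted(str(e.scope) for e in cache._entries["www.qq.com"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With both answers held in the ECS cache, the Akamai records sit under 0.0.0.0/0 and no longer overwrite the scoped Chinese answer: a client inside 60.255.0.0/16 gets 175.155.116.108, while a client with no more specific entry falls through to the catch-all. Which entry a non-ECS client ends up with therefore depends entirely on what subnet the resolver matches on its behalf, which is why the /32 assumption above is labelled as one.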