Unbound with ECS and DNSSEC

The issue I am facing:
ECS doesn't seem to work correctly when using unbound. I used these commands to test at first, and it seemed fine. Both returned my IP.

dig TXT o-o.myaddr.l.google.com +short @8.8.8.8
dig TXT o-o.myaddr.l.google.com +short @192.168.0.42 -p 5335

However, when going on Apple's CDN Troubleshooting Gizmo using unbound, the part where it says (And it said your IP was xxx.xxx.xxx.xxx/24) says that the reported IP is 127.0.0.0/24. Using Google's DNS works correctly and shows my IP (parts of it anyway).

Details about my system:
Running on an RPi 3B. Nothing really special.

What I have changed since installing Pi-hole:
Added a couple of blocklists, and enabled the advanced DNS settings.
I compiled unbound manually, with the --enable-subnet flag, to enable ECS support. Here is the relevant part of the config (the other 2 files are for DNSSEC, and the one from the pihole docs/guides)

# Enable ECS
module-config: "subnetcache validator iterator"
# TODO: Find an actual list of IPs or domains
send-client-subnet: 0.0.0.0/0
send-client-subnet: ::0/64
#client-subnet-zone: google.com

This question may get better responses in an unbound forum.


Yeah, I assumed that the reason it didn't work was because of pi-hole (since the first dig commands worked fine), but after testing a bit more, it seems that the same issue arises when using unbound directly too. I actually figured out why it does that, and I'm not sure I can fix it easily.

Since ECS sends part of the requesting IP, when using a remote DNS server, it works, as the public IP is the requesting one. However, since unbound is run locally, it forwards part of the requesting IP, which is also local. I guess I'd have to run unbound on a VPS or something to benefit from ECS using it. I'm unsure whether or not I want to do that. I'd use Quad9, but I've had lots of issues with them. Especially with DNSSEC.

Have you verified this by inspection of the unbound log? Unbound is running on your public IP, as will be shown on a DNS leak check site. You aren't checking for a DNS leak, but the site will show the IP of your DNS server.

Indeed, using a DNS leak test only showed my public IP. I'm not sure how to check the unbound logs for this, however, but I'll ask on an unbound forum.

However, it's my understanding that with ECS, the DNS server sends part of the requesting IP. So with Google's DNS, they see my public IP as the requesting one, whereas when using Unbound, it sees my LAN IP. Since I'm not forwarding it to any other resolver, I'm not even sure Unbound knows my public IP. I might misunderstand everything though.

Here are some other tests I ran.

dig TXT whoami.ds.akahelp.net @192.168.0.42 -p 5353 +short
"ns" "MY_IP"
"ip" "MY_IP"
"ecs" "192.168.0.0/24/24"

dig TXT whoami.ds.akahelp.net @8.8.8.8 +short
"ip" "MY_IP"
"ns" "172.217.43.2"
"ecs" "PART_OF_MY_IP"
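The behaviour described above (a local unbound putting the first bits of the LAN client's address on the wire, hence "192.168.0.0/24/24"), as an added example that is not part of the thread or of unbound's own code: it builds and parses the EDNS Client Subnet option from RFC 7871 in plain Python and flags subnets an authoritative server cannot geolocate. The addresses and prefix lengths are constructed sample values.

```python
import ipaddress
import math
import struct

ECS_OPTION_CODE = 8            # EDNS option code for Client Subnet (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def encode_ecs(address: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Return the ECS option (code, length, data) for one client address.

    Only ceil(source_prefix / 8) address bytes go on the wire and bits past
    the prefix are zeroed, so 192.168.0.42 with /24 is sent as c0 a8 00.
    """
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr_bytes = network.network_address.packed[: math.ceil(source_prefix / 8)]
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def decode_ecs(option: bytes) -> dict:
    """Parse an ECS option into family, source/scope prefix and padded address."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or len(option) != 4 + length:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr_bytes = option[8:]
    full_len = 4 if family == FAMILY_IPV4 else 16
    if len(addr_bytes) != math.ceil(source / 8) or len(addr_bytes) > full_len:
        raise ValueError("address length does not match source prefix")
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    return {"family": family, "source": source, "scope": scope,
            "address": str(ipaddress.ip_address(padded))}


def ecs_is_useful(option: bytes) -> bool:
    """False for private or loopback subnets (what a LAN-only resolver sends):
    an authoritative server cannot geolocate those, so ECS buys nothing."""
    info = decode_ecs(option)
    net = ipaddress.ip_network(f"{info['address']}/{info['source']}", strict=False)
    return not (net.is_private or net.is_loopback)


if __name__ == "__main__":
    # Constructed sample: the LAN client from the thread, /24 as in the akahelp output.
    lan = encode_ecs("192.168.0.42", 24, 24)
    print(lan.hex(), decode_ecs(lan), ecs_is_useful(lan))
```

Running it prints the option bytes with address data c0a800 and reports the subnet as not useful, which is exactly what the akahelp "ecs" line shows for a resolver that only ever sees LAN source addresses.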

What's your motivation for using ECS with unbound?

Mostly to make sure I connect to local servers when streaming stuff. My ISP has an Apple Edge server, so it should also help with downloading apps and updates too.

I just want a privacy-oriented DNS with ECS support. Google is not it, OpenDNS seems shady from what I’ve heard. Quad9 is perfect in theory but it doesn’t resolve some domains and has issues with DNSSEC for some of them.

Do you actually see delays while streaming? I run unbound in recursive mode and have not noticed any delays or other problems streaming any content.

Honestly, I’ve been having weird issues with my internet since I moved and changed provider, but I can’t pin down the cause, since it’s intermittent.

Sometimes a website takes a suuuper long time to respond but loads fast. Speedtest doesn’t report high ping time. I thought it might be my router, but I’m in a very small apartment and it seems quite capable, for an ISP router. Sometimes YouTube will be super slow to load videos and I’ll have to pause and wait for it to buffer a bit. This was all using CloudFlare DNS, but I highly doubt DNS is the cause anyways.

I could probably run unbound without ECS, I just would’ve preferred having it since my ISP’s datacenter is in the same city as me. I live in Montréal and use Ebox, if that’s at all relevant.
