NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

EDNS information logging in log #1082

Open dtouzeau opened 4 months ago

dtouzeau commented 4 months ago

I have implemented EDNS on two Unbound servers. The first Unbound correctly sends the subnet information to the front-end Unbound.

This is the debug output on the front-end server:

Jun  2 19:23:18 dns unbound: [8351:1] debug: answer has edns subnet 192.168.1.0/24 scope /0
Jun  2 19:23:18 dns unbound: [8351:1] debug: EDNS lookup known=1 vs=0
Jun  2 19:23:18 dns unbound: [8351:1] debug: reply has edns subnet 192.168.1.190/32 scope /0
Jun  2 19:23:18 dns unbound: [8351:0] debug: query has edns subnet 192.168.1.190/32 scope /0
Jun  2 19:23:18 dns unbound: [8351:0] debug: reply has edns subnet 192.168.1.190/32 scope /0
Jun  2 19:23:18 dns unbound: [8351:1] debug: reply has edns subnet 192.168.1.190/32 scope /0
Jun  2 19:23:24 dns unbound: [8351:3] debug: query has edns subnet 127.0.0.1/32 scope /0
Jun  2 19:23:24 dns unbound: [8351:3] debug: EDNS lookup known=1 vs=0

How can I force Unbound to write the EDNS subnet information to the Unbound request logs? I can't figure out how. The DNS service still logs the IP address of the first Unbound server.

wcawijngaards commented 4 months ago

On the Unbound that wants to log queries, the edns subnet module prints "query has edns subnet ...", and this is the subnet information for the incoming query.

The setup sounds similar to the use of proxy-protocol. With that, the downstream IP address would be logged with log-queries: yes, due to the proxy protocol carrying it to the server. Proxy protocol processing, if that sort of load balancing towards some servers is considered useful, is enabled with proxy-protocol-port: <port> for the server that performs recursion.

dtouzeau commented 4 months ago

Hi, makes sense... This is one of the methods I wanted to implement, but it doesn't work in a purely "unbound" ecosystem. In fact, I didn't see any possibility of enabling the proxy protocol in forward-addr/stub-addr.

When you have Unbound backend servers with Unbound front-ends, this architecture using Proxy-Protocol doesn't currently seem to be supported.

For PowerDNS/DnsDist to Unbound, no problem.

However, I was able to answer this question using DNSTAP where EDNS can be extracted.

Hexen1988 commented 3 weeks ago

Hello,

You can do that easily with dnstap!

You may use a dnstap collector on the same server and configure Unbound to forward queries to the collector. You will be able to see all details, including EDNS/ECS. Plus, this is much less resource-intensive than normal query logging.