EDNS Client Subnet Module Options The ECS module must be configured in the module-config: "subnetcache validator iterator" directive and be compiled into the daemon to be enabled. These settings go in the server: section. If the destination address is allowed in the configuration Unbound will add the EDNS0 option to the query containing the relevant part of the client's address. When an answer contains the ECS option the response and the option are placed in a specialized cache. If the authority indicated no support, the response is stored in the regular cache. Additionally, when a client includes the option in its queries, Unbound will forward the option when sending the query to addresses that are explicitly allowed in the configuration using send-client-subnet. The option will always be forwarded, regardless the allowed addresses, if client-subnet-always-forward is set to yes. In this case the lookup in the regular cache is skipped. The maximum size of the ECS cache is controlled by 'msg-cache-size' in the configuration file. On top of that, for each query only 100 different subnets are allowed to be stored for each address family. Exceeding that number, older entries will be purged from cache. send-client-subnet: <IP address> Send client source address to this authority. Append /num to indicate a classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can be given multiple times. Authorities not listed will not receive edns-subnet information, unless domain in query is specified in client-subnet-zone. client-subnet-zone: <domain> Send client source address in queries for this domain and its subdomains. Can be given multiple times. Zones not listed will not receive edns-subnet information, unless hosted by authority specified in send-client-subnet. client-subnet-always-forward: <yes or no> Specify whether the ECS address check (configured using send-client-subnet) is applied for all queries, even if the triggering query contains an ECS record, or only for queries for which the ECS record is generated using the querier address (and therefore did not contain ECS data in the client query). If enabled, the address check is skipped when the client query contains an ECS record. And the lookup in the regular cache is skipped. Default is no. max-client-subnet-ipv6: <number> Specifies the maximum prefix length of the client source address we are willing to expose to third parties for IPv6. Defaults to 56. max-client-subnet-ipv4: <number> Specifies the maximum prefix length of the client source address we are willing to expose to third parties for IPv4. Defaults to 24. min-client-subnet-ipv6: <number> Specifies the minimum prefix length of the IPv6 source mask we are willing to accept in queries. Shorter source masks result in REFUSED answers. Source mask of 0 is always accepted. Default is 0. min-client-subnet-ipv4: <number> Specifies the minimum prefix length of the IPv4 source mask we are willing to accept in queries. Shorter source masks result in REFUSED answers. Source mask of 0 is always accepted. Default is 0. max-ecs-tree-size-ipv4: <number> Specifies the maximum number of subnets ECS answers kept in the ECS radix tree. This number applies for each qname/qclass/qtype tuple. Defaults to 100. max-ecs-tree-size-ipv6: <number> Specifies the maximum number of subnets ECS answers kept in the ECS radix tree. This number applies for each qname/qclass/qtype tuple. Defaults to 100.
