
EDNS Client-Subnet (ECS) not working

This blog post implies that NextDNS supports ECS:
https://medium.com/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5

But then why isn't this test working?

> dig o-o.myaddr.google.com txt @45.90.30.0

;; ANSWER SECTION:
o-o.myaddr.google.com.    60    IN    TXT    "178.255.153.47"

Compare with a test using Google's DNS which supports ECS:

> dig o-o.myaddr.google.com txt @8.8.8.8

;; ANSWER SECTION:
o-o.myaddr.google.com.    60    IN    TXT    "74.125.181.129"
o-o.myaddr.google.com.    60    IN    TXT    "edns0-client-subnet 66.60.135.0/24"

Observe the missing edns0-client-subnet in the reply when using NextDNS, which makes me think that NextDNS servers do not send ECS.

Do you need to add o-o.myaddr.google.com to the ECS allow list on your side to make the test work?
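A small checker for the output of the dig test above, added here as an example that is not part of the original thread or of NextDNS' own tooling. It reads the TXT answers that o-o.myaddr.google.com returns, reports whether an edns0-client-subnet record is present (i.e. whether the resolver forwarded ECS at all), and, given the client's own address, checks whether the forwarded subnet actually covers it and how many address bits were disclosed. The two sample replies are constructed from the answers quoted above, the client address 66.60.135.47 is a constructed value, and nothing here touches the network.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample replies, modelled on the two dig answer sections in the post.
NEXTDNS_REPLY = """\
;; ANSWER SECTION:
o-o.myaddr.google.com.    60    IN    TXT    "178.255.153.47"
"""

GOOGLE_REPLY = """\
;; ANSWER SECTION:
o-o.myaddr.google.com.    60    IN    TXT    "74.125.181.129"
o-o.myaddr.google.com.    60    IN    TXT    "edns0-client-subnet 66.60.135.0/24"
"""

# One TXT resource record as dig prints it: owner, TTL, class, type, quoted text.
TXT_RR = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+"([^"]*)"')
# The ECS marker record Google's test domain adds when ECS was forwarded.
ECS_TXT = re.compile(r'^edns0-client-subnet\s+(\S+)$')


def parse_myaddr_reply(dig_output: str) -> dict:
    """Pull the resolver's source address and the ECS subnet (if any) out of
    the ANSWER SECTION of a `dig ... txt` run. Other sections are ignored."""
    found = {"resolver_ip": None, "ecs_subnet": None}
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
            continue
        if not in_answer:
            continue
        m = TXT_RR.match(line)
        if not m:
            continue                       # e.g. A/AAAA records, which carry no ECS text
        text = m.group(3)
        e = ECS_TXT.match(text)
        if e:
            found["ecs_subnet"] = e.group(1)
            continue
        try:
            ipaddress.ip_address(text)     # plain address = the resolver egress IP seen by Google
            found["resolver_ip"] = text
        except ValueError:
            pass                           # unrelated TXT content
    return found


def check_ecs(dig_output: str, client_ip: Optional[str] = None) -> dict:
    """Summarise whether ECS was forwarded and how much of the client address it exposes.

    covers_client is None when no client_ip was given or no ECS record was present."""
    found = parse_myaddr_reply(dig_output)
    subnet = found["ecs_subnet"]
    result = {
        "resolver_ip": found["resolver_ip"],
        "forwarded": subnet is not None,
        "subnet": subnet,
        "prefix_len": None,
        "covers_client": None,
    }
    if subnet is None:
        return result
    net = ipaddress.ip_network(subnet, strict=False)
    result["prefix_len"] = net.prefixlen   # bits of the client address disclosed upstream
    if client_ip is not None:
        result["covers_client"] = ipaddress.ip_address(client_ip) in net
    return result


if __name__ == "__main__":
    for name, reply in (("NextDNS", NEXTDNS_REPLY), ("Google", GOOGLE_REPLY)):
        print(name, check_ecs(reply, client_ip="66.60.135.47"))
```

Feeding it the NextDNS answer yields forwarded=False, which is exactly the symptom the post describes; feeding it the Google answer yields forwarded=True with a /24, which is also the figure to watch from a privacy standpoint, since it is the number of address bits the resolver hands to the authoritative server. A reply that says forwarded=True but covers_client=False would mean the resolver sent a subnet that is not yours, which is what an anonymised or remapped ECS implementation would look like.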

  • That's probably how Anonymized ECS works, but who am I to judge; that's for the NextDNS staff to deal with. Sending a nextdns diag will be useful: nextdns.io/diag

  • Can you re-test with Quad9?

    They provide a version without ECS (default) and one with ECS.

  • Yes, 9.9.9.11 supports ECS and works correctly.

  • You are not using any configuration in your test. You need to test using a configuration that enables ECS.

    • NextDNS Oliver’s write-up on AECS is great, but I’ve always wanted a way to test whether it’s working for particular domains. Any ideas? Thanks!

    • Jason Hawkins, you can test it with a configuration that has it enabled.


      NextDNS, I tried it with a config that has ECS enabled, via your nextdns CLI, with the same result: it does not work. Do you need to add o-o.myaddr.google.com to the ECS allow list on your side to make the test work?

    • NDH, our ECS allowlist pipeline does not detect this domain as being ECS aware, as it does not return an ECS response for the A/AAAA types (only for the TXT type) as it should. We will see if it is worth taking this edge case into consideration.
