
EDNS Client-Subnet (ECS) not working

This blog post implies that NextDNS supports ECS:
https://medium.com/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5

But then why isn't this test working?

> dig o-o.myaddr.google.com txt @45.90.30.0

;; ANSWER SECTION:
o-o.myaddr.google.com.    60    IN    TXT    "178.255.153.47"

Compare with a test using Google's DNS which supports ECS:

> dig o-o.myaddr.google.com txt @8.8.8.8

;; ANSWER SECTION:
o-o.myaddr.google.com.    60    IN    TXT    "74.125.181.129"
o-o.myaddr.google.com.    60    IN    TXT    "edns0-client-subnet 66.60.135.0/24"

Observe the missing edns0-client-subnet in the reply when using NextDNS, which makes me think that NextDNS servers do not send ECS.

Do you need to add o-o.myaddr.google.com to the ECS allow list on your side to make the test work?
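As an added example (not code from this thread or from NextDNS), the same check the question performs with dig, done on the wire in Python: it builds the TXT query for o-o.myaddr.google.com with an EDNS0 OPT record, optionally attaches an ECS option (RFC 7871) so you can also see whether a resolver forwards a prefix you supplied, and reports the prefix echoed back in the edns0-client-subnet TXT record, or None when, as in the NextDNS reply above, that record is absent. The reply strings used in sample_response are the ones quoted in the question; the fixed query id and the 4096-byte UDP buffer are assumptions of this example, and probe is the only part that touches the network.

```python
import socket, struct
def encode_name(name):  # wire-format name: length-prefixed labels, zero terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def ecs_option(subnet):  # EDNS Client Subnet option (RFC 7871, option code 8) for an IPv4 prefix
    addr, plen = subnet.split("/")
    masked = int.from_bytes(socket.inet_aton(addr), "big") >> (32 - int(plen)) << (32 - int(plen))  # host bits must be zero
    raw = masked.to_bytes(4, "big")[:(int(plen) + 7) // 8]  # only the significant octets are sent
    return struct.pack("!HHHBB", 8, 4 + len(raw), 1, int(plen), 0) + raw  # family 1 = IPv4, scope 0

def build_txt_query(name, subnet=None, qid=0x1234):  # TXT query with an OPT RR; ECS attached when given
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional (the OPT RR)
    data = ecs_option(subnet) if subnet else b""
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(data)) + data  # root name, type OPT, UDP size 4096
    return header + encode_name(name) + struct.pack("!HH", 16, 1) + opt  # question: type TXT, class IN

def skip_name(msg, off):  # step over a possibly compressed name and return the offset after it
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2  # a compression pointer ends the name
        off += msg[off] + 1
    return off + 1

def txt_strings(msg):  # every TXT string in the answer section of a response
    qd, an = struct.unpack("!HH", msg[4:8])
    off, out = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off, p = off + 10, off + 10
        while rtype == 16 and p < off + rdlen:  # TXT RDATA is a run of <length><characters>
            out.append(msg[p + 1:p + 1 + msg[p]].decode())
            p += 1 + msg[p]
        off += rdlen
    return out

def ecs_seen(msg):  # prefix the resolver forwarded upstream, or None when the echo record is absent
    return next((s.split(" ", 1)[1] for s in txt_strings(msg) if s.startswith("edns0-client-subnet ")), None)

def probe(resolver, subnet=None, name="o-o.myaddr.google.com"):  # live UDP query to <resolver> (assumed port 53)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_txt_query(name, subnet), (resolver, 53))
        return ecs_seen(s.recv(4096))

def sample_response(strings, name="o-o.myaddr.google.com"):  # constructed reply, not captured traffic
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(s) + 1) + bytes([len(s)]) + s.encode() for s in strings)
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(strings), 0, 0) + encode_name(name) + struct.pack("!HH", 16, 1) + rrs
```

probe("8.8.8.8") and probe("45.90.30.0") reproduce the two dig checks above, and probe("8.8.8.8", "66.60.135.0/24") shows whether a client-supplied prefix is forwarded; sample_response replays the quoted replies without touching the network.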

10 replies

    • Siam_Mehedi
    • 2 yrs ago

    That's probably how Anonymized ECS works, but who am I to judge, that's for the nextdns staff to deal with, sending a nextdns diag will be useful: nextdns.io/diag

    • Pro subscriber ✓
    • DynamicNotSlow
    • 2 yrs ago

    Can you re-test with Quad9?

    They provide a version without ECS (default) and one with ECS.

    • NDH
    • 2 yrs ago

    Yes 9.9.9.11 supports ECS and works correctly.

    • NextDNs
    • 2 yrs ago

    You are not using any configuration in your test. You need to test using a configuration that enables ECS.

      • Jason_Hawkins
      • 2 yrs ago

      NextDNS Oliver’s write-up on AECS is great, but I’ve always wanted a way to test to see if it’s working for particular domains. Any ideas? Thanks!

      • NextDNs
      • 2 yrs ago

      Jason Hawkins you can test it with a configuration having it enabled.

      • NDH
      • 2 yrs ago

      NextDNS I tried it with a config that has ECS enabled, via your nextdns cli, same result, it does not work. Do you need to add o-o.myaddr.google.com to the ECS allow list on your side to make the test work?

      • NextDNs
      • 2 yrs ago

      NDH our ECS allowlist pipeline does not detect this domain as being ECS aware, as it does not return an ECS response for the A/AAAA types (only the TXT type) as it should. We will see if it is worth taking this edge case into consideration.

      • Tobias.1
      • 1 yr ago

      NextDNS do you have a link to test ECS?

    • NDH
    • 2 yrs ago

    I tried it with a config that has ECS enabled, via your nextdns cli, same result, it does not work. Do you need to add o-o.myaddr.google.com to the ECS allow list on your side to make the test work?
