
What is EDNS Client-Subnet (ECS)?

EDNS Client-Subnet (ECS) is an extension to the DNS protocol that includes part of the end user's IP address in the queries a recursive resolver sends to authoritative DNS servers. This means there is a privacy "leakage" with recursive resolvers that send ECS data: part of the end user's IP address is transmitted to the remote site. ECS is typically used to improve the performance of Content Distribution Networks (CDNs), which use the client subnet to pick a nearby server.

NextDNS has invented and implemented a technology that prevents this privacy "leakage" while keeping the performance benefit of ECS. While we think it is a good tradeoff, you still have full control over whether any ECS information is transmitted at all. For more information on our smart ECS technology, read How we made DNS both fast and private with ECS.

12 replies
  • I have enabled this option in the settings:
    "Anonymized EDNS Client Subnet"

    However, when I do a DNS Query for youtube.com, I get a server that is farther than my current location using NextDNS. Here's some tests between NextDNS and Google's DNS attached as pictures here...

    I'm located in Ottawa, ON, Canada

  • That's also an issue for me and a reason for not using NextDNS at the moment. My network noticeably slows down when switching to NextDNS, since it resolves IPs somewhere in the US when I use it in Europe, whereas Quad9 gives me geolocated IPs.

    • Daniel Pernold please share examples and a https://nextdns.io/diag

    • Olivier Poitrey sure.

      Server:        <Quad9 ECS>
      Address:    <Quad9 ECS>#53
      
      Non-authoritative answer:
      Name:    google.com
      Address: 172.217.23.110
      Name:    google.com
      Address: 2a00:1450:4014:80c::200e
      Server:        <NextDNS>
      Address:    <NextDNS>#53
      
      Non-authoritative answer:
      Name:    google.com
      Address: 142.250.186.142
      Name:    google.com
      Address: 2a00:1450:4014:80c::200e
      PING 172.217.23.238 (172.217.23.238) 56(84) bytes of data.
      64 bytes from 172.217.23.238: icmp_seq=1 ttl=120 time=13.9 ms
      64 bytes from 172.217.23.238: icmp_seq=2 ttl=120 time=13.9 ms
      64 bytes from 172.217.23.238: icmp_seq=3 ttl=120 time=14.2 ms
      64 bytes from 172.217.23.238: icmp_seq=4 ttl=120 time=13.8 ms
      64 bytes from 172.217.23.238: icmp_seq=5 ttl=120 time=13.8 ms
      
      --- 172.217.23.238 ping statistics ---
      5 packets transmitted, 5 received, 0% packet loss, time 4006ms
      rtt min/avg/max/mdev = 13.758/13.907/14.167/0.138 ms
      
      PING 142.250.186.142 (142.250.186.142) 56(84) bytes of data.
      64 bytes from 142.250.186.142: icmp_seq=1 ttl=120 time=20.3 ms
      64 bytes from 142.250.186.142: icmp_seq=2 ttl=120 time=20.6 ms
      64 bytes from 142.250.186.142: icmp_seq=3 ttl=120 time=20.6 ms
      64 bytes from 142.250.186.142: icmp_seq=4 ttl=120 time=20.7 ms
      64 bytes from 142.250.186.142: icmp_seq=5 ttl=120 time=20.3 ms
      
      --- 142.250.186.142 ping statistics ---
      5 packets transmitted, 5 received, 0% packet loss, time 4007ms
      rtt min/avg/max/mdev = 20.252/20.484/20.657/0.158 ms
      
    • Daniel Pernold I mean an example where we would resolve to a US IP. Your example gives similar results between Quad9 and NextDNS.

    • Olivier Poitrey Are those different IPv4 just a matter of Google?

    • Daniel Pernold I'm not sure I get the question.

    • Olivier Poitrey never mind, these IPs are both in Google's Europe subnet. Not able to reproduce the problem. Maybe a past (already fixed?) misconfiguration.

  • Does ecs-test.nextdns.io (as listed in the article How we made DNS both fast and private with ECS) intentionally have an IPv6 address only?

    • Johan de Jong yes, that’s the only way to link it to a custom conf without requiring DoH, DoT or link-ip.

  • Hello, what exactly does the setting "Enable Anonymized EDNS Client Subnet" do?

    I mean, if that setting is disabled, would NextDNS send non-anonymized EDNS, or not send EDNS at all?

    • Danilo Mascheretti it would disable EDNS altogether. We don't have non-anonymized EDNS, it doesn't match our values.

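To make concrete what the ECS description at the top of the page and this last reply are talking about, here is an added example (not NextDNS code and not from the original thread) that encodes the EDNS0 Client Subnet option from RFC 7871 by hand, truncating the client address to a source prefix, and decodes it back so the exact bytes an authoritative server would learn are visible. The /24 and /56 prefixes used for the "anonymized" state are an assumption for illustration, not NextDNS's actual choice; the "full" state is included only to show what a non-anonymized option would carry.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8          # EDNS0 option code for Client Subnet (RFC 7871)
FAMILY = {4: 1, 6: 2}        # IANA address family numbers: IPv4 = 1, IPv6 = 2
WIDTH = {1: 4, 2: 16}        # address width in bytes per family


def build_ecs_option(client_ip, source_prefix):
    """Encode one ECS option (option code + length + payload).

    Only the first `source_prefix` bits of the client address are sent:
    RFC 7871 requires the remaining bits to be zero and the address field
    to be cut to the bytes those bits occupy, so a /24 carries 3 bytes
    and a /0 carries none.
    """
    ip = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)  # zero host bits
    addr_bytes = net.network_address.packed[: (source_prefix + 7) // 8]
    payload = struct.pack("!HBB", FAMILY[ip.version], source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(opt):
    """Decode an ECS option into what the authoritative side learns."""
    code, length = struct.unpack("!HH", opt[:4])
    if code != ECS_OPTION_CODE or len(opt) != 4 + length:
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", opt[4:8])
    addr_bytes = opt[8:]
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address field length does not match source prefix")
    # Pad back to full width; strict=True rejects non-zero host bits,
    # which RFC 7871 forbids on the wire.
    padded = addr_bytes + b"\x00" * (WIDTH[family] - len(addr_bytes))
    net_cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
    net = net_cls((padded, source_prefix))
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "subnet": str(net)}


def ecs_for_setting(client_ip, setting):
    """Model the setting states discussed above: 'off' sends no option
    at all, 'anonymized' sends a truncated prefix (assumed /24 or /56
    here), 'full' would send the whole address."""
    ip = ipaddress.ip_address(client_ip)
    if setting == "off":
        return None
    if setting == "anonymized":
        return build_ecs_option(client_ip, 24 if ip.version == 4 else 56)
    if setting == "full":
        return build_ecs_option(client_ip, 32 if ip.version == 4 else 128)
    raise ValueError(f"unknown setting: {setting}")
```

In a real query this option sits inside the OPT pseudo-RR of the additional section; the payload bytes are what this example shows.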