3

What is EDNS Client-Subnet (ECS)?

EDNS Client-Subnet (ECS) is an extension to the DNS protocol to include components of the end-user IP address data in requests that are sent to the authoritative DNS servers. This means that there is a privacy “leakage” for recursive resolvers that send ECS data, where components of the end user’s IP address are transmitted to the remote site. This is typically used to improve the performance of Content Distribution Networks (CDNs).

NextDNS has invented and implemented a technology to prevent privacy “leakage” while keeping the performance benefit of ECS. While we think it is a good tradeoff, you still have full control on whether any ECS information is transmitted at all. For more information on our smart ECS technology, read How we made DNS both fast and private with ECS.

17 replies

null
    • Gerry_Paradis
    • 3 yrs ago
    • Reported - view

    I have enabled this option in the settings..
    "Anonymized EDNS Client Subnet"

    However, when I do a DNS Query for youtube.com, I get a server that is farther than my current location using NextDNS. Here's some tests between NextDNS and Google's DNS attached as pictures here...

    I'm located in Ottawa, ON, Canada
     

      • Tobias.1
      • 10 mths ago
      • Reported - view

       isto é o servidor principal do Google, não o YouTube, o conteúdo ou réplicas, são IPs e domínios totalmente diferentes, sempre começa com R de router, geralmente dentro do próprio CDN do Google no servidor da operadora, estes IPs do teste são do Google, não são únicos dos conteúdos do YouTube.

    • Daniel_Pernold
    • 3 yrs ago
    • Reported - view

    That's also an issue for me and a reason not using NextDNS at the moment. My network noticeably slows down when switching to NextDNS since it resolves IPs somewhere in the US when using it in Europe, whereas Quad9 gives me geolocated IPs.

      • olivier
      • 3 yrs ago
      • Reported - view

      Daniel Pernold please share examples and a https://nextdns.io/diag

      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey sure. 

      Server:        <Quad9 ECS>
Address:    <Quad9 ECS>#53

Non-authoritative answer:
Name:    google.com
Address: 172.217.23.110
Name:    google.com
Address: 2a00:1450:4014:80c::200e
      Server:        <NextDNS>
Address:    <NextDNS>#53

Non-authoritative answer:
Name:    google.com
Address: 142.250.186.142
Name:    google.com
Address: 2a00:1450:4014:80c::200e
      PING 172.217.23.238 (172.217.23.238) 56(84) bytes of data.
64 bytes from 172.217.23.238: icmp_seq=1 ttl=120 time=13.9 ms
64 bytes from 172.217.23.238: icmp_seq=2 ttl=120 time=13.9 ms
64 bytes from 172.217.23.238: icmp_seq=3 ttl=120 time=14.2 ms
64 bytes from 172.217.23.238: icmp_seq=4 ttl=120 time=13.8 ms
64 bytes from 172.217.23.238: icmp_seq=5 ttl=120 time=13.8 ms

--- 172.217.23.238 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 13.758/13.907/14.167/0.138 ms

      PING 142.250.186.142 (142.250.186.142) 56(84) bytes of data.
64 bytes from 142.250.186.142: icmp_seq=1 ttl=120 time=20.3 ms
64 bytes from 142.250.186.142: icmp_seq=2 ttl=120 time=20.6 ms
64 bytes from 142.250.186.142: icmp_seq=3 ttl=120 time=20.6 ms
64 bytes from 142.250.186.142: icmp_seq=4 ttl=120 time=20.7 ms
64 bytes from 142.250.186.142: icmp_seq=5 ttl=120 time=20.3 ms

--- 142.250.186.142 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 20.252/20.484/20.657/0.158 ms
      • olivier
      • 3 yrs ago
      • Reported - view

      Daniel Pernold I mean an example where we would resolve to a US IP. Your example give similar results between quad9 and NextDNS.

      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey Are those different IPv4 just a matter of Google?

      • olivier
      • 3 yrs ago
      • Reported - view

      Daniel Pernold not sure to get the question.

      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey never mind, these IPs are both Europe Google subnet. Not able to reproduce the problem. Maybe a past (already fixed?) misconfiguration.

    • Johan_de_Jong
    • 3 yrs ago
    • Reported - view

    Does ecs-test.nextdns.io (as listed in the article: How we made DNS both fast and private with ECS.) intentionally have an ipv6 ip address only?

      • olivier
      • 3 yrs ago
      • Reported - view

      Johan de Jong yes, that’s the only way to link it to a custom conf without requiring DoH, DoT or link-ip.

      • Tobias.1
      • 1 yr ago
      • Reported - view

      Johan de Jong o teste é em ecs-test.dns.nextdns.io estava fazendo seguindo o q vi aqui, mas tá errado da forma q mostrou, vai dar erro de certificado.

    • Dan.11
    • 3 yrs ago
    • Reported - view

    hello, what exactly does the setting "Enable Anonymized EDNS Client Subnet" do?

    I mean, in case of such setting disabled, would nextdns send EDNS not anonymized, or would not send EDNS at all?

      • olivier
      • 3 yrs ago
      • Reported - view

      Danilo Mascheretti it would disable EDNS altogether. We don't have non-anonymized EDNS, it doesn't match our values.

    • Idig
    • 2 mths ago
    • Reported - view

    Hello,

    @Olivier Poitrey

    Hi very happy with nextdns but have a question as a newbie .  

     

    reddiit user

    l4jos

    is saying to disable this and not use it, I want to confirm does these comments apply to NEXTDNS design and implementation of it bc I am reading your design does it differently to help us.

     

    Manily the additonal  location info they would not have  if  EDNS was off in NEXTDNS

    https://www.reddit.com/r/nextdns/comments/r50q75/what_will_happen_if_disable_anonymized_edns/

     

    nextDNS prevent DNS poisoning bc we are using DoT or DoH on endpoint correct? 

    or can  this happen 

    EDNS enabled:

    client with nextDNS DoT/DoH >> DNS resolver >> ECS subnet provided to >> AUTH DNS >> 

    AUTH DNS returns poisoned DNS record   

     

    EDNS not enabled:

    client with nextDNS DoT/DoH >> DNS resolver >> IP provided to AUTHDNS >> AUTH DNS >> 

    AUTH DNS returns poisoned DNS record

     

    thank you !

      • NextDNs
      • 2 mths ago
      • Reported - view

       if the auth returns a response, by definition it is not poisoned. ECS does not protect against DNS cache poisoning, nor does it worsen it.

      The privacy risk mentioned in the reddit comment is precisely what our anonymized ECS implementation is alleviating.

      • Idig
      • 2 mths ago
      • Reported - view

        thank you I  thought so I will leave mine enabled, everyone need to read the medium article where it stated you designed around the mentioned issue

Login to reply

Content aside

Related Articles
How to download logs?
Affiliation Program
What is DNS?
What is DNS over TLS (DoT), DNS over Quic (DoQ) and DNS over HTTPS (DoH & DoH3)?
What is Linked IP
What happens after 300k queries?
What is a malware?
Does NextDNS collect and store personal data?
Does NextDNS share the DNS data that is generated?
What is phishing?
Will NextDNS filter content?
How is NextDNS different from traditional adblockers?
Why is mode 3 required on Firefox?
What is Anycast and Ultralow?
What is DNS Rebinding Protection?
Why is DNSSEC % of queries so low?
How to customize the upstream resolver?
What A and AAAA labels mean in the logs?
What is the advantage of using NextDNS over Pi-hole®?
What is Handshake?
What is EDNS Client-Subnet (ECS)?
Translations
Who is behind NextDNS?
Which setup type to use?
How to get help or report issues?