What is EDNS Client-Subnet (ECS)?
EDNS Client-Subnet (ECS) is an extension to the DNS protocol to include components of the end-user IP address data in requests that are sent to the authoritative DNS servers. This means that there is a privacy “leakage” for recursive resolvers that send ECS data, where components of the end user’s IP address are transmitted to the remote site. This is typically used to improve the performance of Content Distribution Networks (CDNs).
NextDNS has invented and implemented a technology to prevent privacy “leakage” while keeping the performance benefit of ECS. While we think it is a good tradeoff, you still have full control on whether any ECS information is transmitted at all. For more information on our smart ECS technology, read How we made DNS both fast and private with ECS.
-
I have enabled this option in the settings..
"Anonymized EDNS Client Subnet"
However, when I do a DNS Query for youtube.com, I get a server that is farther than my current location using NextDNS. Here's some tests between NextDNS and Google's DNS attached as pictures here...I'm located in Ottawa, ON, Canada
-
That's also an issue for me and a reason not using NextDNS at the moment. My network noticeably slows down when switching to NextDNS since it resolves IPs somewhere in the US when using it in Europe, whereas Quad9 gives me geolocated IPs.
-
Daniel Pernold please share examples and a https://nextdns.io/diag
-
Olivier Poitrey sure.
Server: <Quad9 ECS> Address: <Quad9 ECS>#53 Non-authoritative answer: Name: google.com Address: 172.217.23.110 Name: google.com Address: 2a00:1450:4014:80c::200eServer: <NextDNS> Address: <NextDNS>#53 Non-authoritative answer: Name: google.com Address: 142.250.186.142 Name: google.com Address: 2a00:1450:4014:80c::200ePING 172.217.23.238 (172.217.23.238) 56(84) bytes of data. 64 bytes from 172.217.23.238: icmp_seq=1 ttl=120 time=13.9 ms 64 bytes from 172.217.23.238: icmp_seq=2 ttl=120 time=13.9 ms 64 bytes from 172.217.23.238: icmp_seq=3 ttl=120 time=14.2 ms 64 bytes from 172.217.23.238: icmp_seq=4 ttl=120 time=13.8 ms 64 bytes from 172.217.23.238: icmp_seq=5 ttl=120 time=13.8 ms --- 172.217.23.238 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4006ms rtt min/avg/max/mdev = 13.758/13.907/14.167/0.138 msPING 142.250.186.142 (142.250.186.142) 56(84) bytes of data. 64 bytes from 142.250.186.142: icmp_seq=1 ttl=120 time=20.3 ms 64 bytes from 142.250.186.142: icmp_seq=2 ttl=120 time=20.6 ms 64 bytes from 142.250.186.142: icmp_seq=3 ttl=120 time=20.6 ms 64 bytes from 142.250.186.142: icmp_seq=4 ttl=120 time=20.7 ms 64 bytes from 142.250.186.142: icmp_seq=5 ttl=120 time=20.3 ms --- 142.250.186.142 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4007ms rtt min/avg/max/mdev = 20.252/20.484/20.657/0.158 ms -
Daniel Pernold I mean an example where we would resolve to a US IP. Your example give similar results between quad9 and NextDNS.
-
Olivier Poitrey Are those different IPv4 just a matter of Google?
-
Daniel Pernold not sure to get the question.
-
Olivier Poitrey never mind, these IPs are both Europe Google subnet. Not able to reproduce the problem. Maybe a past (already fixed?) misconfiguration.
-
-
Does ecs-test.nextdns.io (as listed in the article: How we made DNS both fast and private with ECS.) intentionally have an ipv6 ip address only?
-
Johan de Jong yes, that’s the only way to link it to a custom conf without requiring DoH, DoT or link-ip.
-
Johan de Jong o teste é em ecs-test.dns.nextdns.io estava fazendo seguindo o q vi aqui, mas tá errado da forma q mostrou, vai dar erro de certificado.
-
-
hello, what exactly does the setting "Enable Anonymized EDNS Client Subnet" do?
I mean, in case of such setting disabled, would nextdns send EDNS not anonymized, or would not send EDNS at all?
-
Danilo Mascheretti it would disable EDNS altogether. We don't have non-anonymized EDNS, it doesn't match our values.
-
