3

What is EDNS Client-Subnet (ECS)?

EDNS Client-Subnet (ECS) is an extension to the DNS protocol to include components of the end-user IP address data in requests that are sent to the authoritative DNS servers. This means that there is a privacy “leakage” for recursive resolvers that send ECS data, where components of the end user’s IP address are transmitted to the remote site. This is typically used to improve the performance of Content Distribution Networks (CDNs).

NextDNS has invented and implemented a technology to prevent privacy “leakage” while keeping the performance benefit of ECS. While we think it is a good tradeoff, you still have full control on whether any ECS information is transmitted at all. For more information on our smart ECS technology, read How we made DNS both fast and private with ECS.

13 replies

null
    • Gerry_Paradis
    • 2 yrs ago
    • Reported - view

    I have enabled this option in the settings..
    "Anonymized EDNS Client Subnet"

    However, when I do a DNS Query for youtube.com, I get a server that is farther than my current location using NextDNS. Here's some tests between NextDNS and Google's DNS attached as pictures here...

    I'm located in Ottawa, ON, Canada
     

    • Daniel_Pernold
    • 2 yrs ago
    • Reported - view

    That's also an issue for me and a reason not using NextDNS at the moment. My network noticeably slows down when switching to NextDNS since it resolves IPs somewhere in the US when using it in Europe, whereas Quad9 gives me geolocated IPs.

      • olivier
      • 2 yrs ago
      • Reported - view

      Daniel Pernold please share examples and a https://nextdns.io/diag

      • Daniel_Pernold
      • 2 yrs ago
      • Reported - view

      Olivier Poitrey sure. 

      Server:        <Quad9 ECS>
Address:    <Quad9 ECS>#53

Non-authoritative answer:
Name:    google.com
Address: 172.217.23.110
Name:    google.com
Address: 2a00:1450:4014:80c::200e
      Server:        <NextDNS>
Address:    <NextDNS>#53

Non-authoritative answer:
Name:    google.com
Address: 142.250.186.142
Name:    google.com
Address: 2a00:1450:4014:80c::200e
      PING 172.217.23.238 (172.217.23.238) 56(84) bytes of data.
64 bytes from 172.217.23.238: icmp_seq=1 ttl=120 time=13.9 ms
64 bytes from 172.217.23.238: icmp_seq=2 ttl=120 time=13.9 ms
64 bytes from 172.217.23.238: icmp_seq=3 ttl=120 time=14.2 ms
64 bytes from 172.217.23.238: icmp_seq=4 ttl=120 time=13.8 ms
64 bytes from 172.217.23.238: icmp_seq=5 ttl=120 time=13.8 ms

--- 172.217.23.238 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 13.758/13.907/14.167/0.138 ms

      PING 142.250.186.142 (142.250.186.142) 56(84) bytes of data.
64 bytes from 142.250.186.142: icmp_seq=1 ttl=120 time=20.3 ms
64 bytes from 142.250.186.142: icmp_seq=2 ttl=120 time=20.6 ms
64 bytes from 142.250.186.142: icmp_seq=3 ttl=120 time=20.6 ms
64 bytes from 142.250.186.142: icmp_seq=4 ttl=120 time=20.7 ms
64 bytes from 142.250.186.142: icmp_seq=5 ttl=120 time=20.3 ms

--- 142.250.186.142 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 20.252/20.484/20.657/0.158 ms
      • olivier
      • 2 yrs ago
      • Reported - view

      Daniel Pernold I mean an example where we would resolve to a US IP. Your example give similar results between quad9 and NextDNS.

      • Daniel_Pernold
      • 2 yrs ago
      • Reported - view

      Olivier Poitrey Are those different IPv4 just a matter of Google?

      • olivier
      • 2 yrs ago
      • Reported - view

      Daniel Pernold not sure to get the question.

      • Daniel_Pernold
      • 2 yrs ago
      • Reported - view

      Olivier Poitrey never mind, these IPs are both Europe Google subnet. Not able to reproduce the problem. Maybe a past (already fixed?) misconfiguration.

    • Johan_de_Jong
    • 2 yrs ago
    • Reported - view

    Does ecs-test.nextdns.io (as listed in the article: How we made DNS both fast and private with ECS.) intentionally have an ipv6 ip address only?

      • olivier
      • 2 yrs ago
      • Reported - view

      Johan de Jong yes, that’s the only way to link it to a custom conf without requiring DoH, DoT or link-ip.

      • Tobias.1
      • 7 mths ago
      • Reported - view

      Johan de Jong o teste é em ecs-test.dns.nextdns.io estava fazendo seguindo o q vi aqui, mas tá errado da forma q mostrou, vai dar erro de certificado.

    • Dan.11
    • 2 yrs ago
    • Reported - view

    hello, what exactly does the setting "Enable Anonymized EDNS Client Subnet" do?

    I mean, in case of such setting disabled, would nextdns send EDNS not anonymized, or would not send EDNS at all?

      • olivier
      • 2 yrs ago
      • Reported - view

      Danilo Mascheretti it would disable EDNS altogether. We don't have non-anonymized EDNS, it doesn't match our values.

Login to reply

Content aside

Related Articles
How to download logs?
Affiliation Program
What is DNS?
What is DNS over TLS (DoT), DNS over Quic (DoQ) and DNS over HTTPS (DoH & DoH3)?
What is Linked IP
What happens after 300k queries?
What is a malware?
Does NextDNS collect and store personal data?
Does NextDNS share the DNS data that is generated?
What is phishing?
Will NextDNS filter content?
How is NextDNS different from traditional adblockers?
Why is mode 3 required on Firefox?
What is Anycast?
What is DNS Rebinding Protection?
Why is DNSSEC % of queries so low?
How to customize the upstream resolver?
What A and AAAA labels mean in the logs?
What is the advantage of using NextDNS over Pi-hole®?
What is Handshake?
What is EDNS Client-Subnet (ECS)?
Translations
Who is behind NextDNS?
Which setup type to use?
How to get help or report issues?