[dns-operations] service showing (last) resolver's IP ?
edmonds at mycre.ws
Mon Dec 11 17:26:13 UTC 2017
Eduardo at PT wrote:
> I was just trying this query at home and I got something strange... Google
> resolvers always send me a different edns0-client-subnet... Is this normal?
It looks like Google's authoritative nameservers (ns[1-4].google.com)
don't send an EDNS Client Subnet option payload in the response for
o-o.myaddr.l.google.com./TXT, which causes the response to be cached
with global scope. Since they also set a 60 second TTL on that record,
that gives you a window of seeing cached answers from other users,
because your 22.214.171.124 instance has many cache backends.
E.g., compare the output of these two digs:
dig +norec @ns1.google.com +subnet=192.0.2.0/24 o-o.myaddr.l.google.com. -t TXT
dig +norec @ns1.google.com +subnet=192.0.2.0/24 google.com. -t TXT
Technically, Google's authoritative nameserver behavior here risks
problems with Google Public DNS's ECS detection algorithm:
2. Authoritative name servers that _implement_ ECS must send ECS
responses to ECS queries for *all* zones served from an IP address
or NS hostname, even for zones that are not ECS-_enabled_.
• […] If an authoritative name server does not _always_ send ECS
responses to ECS queries (even for zones that are not
ECS-enabled), Google Public DNS may stop sending it ECS queries.
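As an added illustration of the caching point above (this is example code, not part of the post and not Google's code): a small pure-Python parser that pulls the EDNS Client Subnet option out of a DNS response's OPT record, so a resolver operator can check whether an authoritative server echoed an ECS scope at all. The function names `ecs_scope` and `build_txt_response` are assumptions, and the two responses the helper builds are constructed samples, not captured Google traffic.

```python
import struct

OPT_RRTYPE = 41          # EDNS(0) OPT pseudo-RR
ECS_OPTION_CODE = 8      # EDNS Client Subnet option (RFC 7871)

def _skip_name(msg, pos):
    """Advance past a wire-format name; a compression pointer ends the name."""
    while msg[pos] & 0xC0 != 0xC0 and msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def ecs_scope(msg):
    """Return (family, source_prefix, scope_prefix) from the ECS option in the OPT RR,
    or None when no ECS option was echoed (the resolver then caches with global scope)."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4                # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        rdata = msg[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        if rtype != OPT_RRTYPE:
            continue
        off = 0
        while off + 4 <= len(rdata):                  # walk the EDNS option list
            code, olen = struct.unpack_from("!HH", rdata, off)
            if code == ECS_OPTION_CODE:
                return struct.unpack_from("!HBB", rdata, off + 4)
            off += 4 + olen
    return None

def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"

def build_txt_response(qname, txt, ecs=None):
    """Constructed sample: one TXT answer (TTL 60) plus an OPT RR, optionally with IPv4 ECS."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 1)   # QR|AA; 1 question, 1 answer, 1 additional
    question = _name(qname) + struct.pack("!HH", 16, 1)        # TXT, IN
    txt_rdata = bytes([len(txt)]) + txt.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(txt_rdata)) + txt_rdata
    options = b""
    if ecs is not None:                                        # ecs = (source_prefix, scope_prefix, addr_bytes)
        payload = struct.pack("!HBB", 1, ecs[0], ecs[1]) + ecs[2]
        options = struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 4096, 0, len(options)) + options
    return hdr + question + answer + opt_rr
```

Run against a real response captured with `dig +subnet=...`, a `None` result is the "cached with global scope for 60 seconds" case the post describes.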