[dns-operations] service showing (last) resolver's IP ?

Robert Edmonds edmonds at mycre.ws
Mon Dec 11 17:26:13 UTC 2017

Eduardo at PT wrote:
> I was just trying this query at home and I got something strange.... Google
> resolvers always send me a different edns0-client-subnet... Is this normal?

It looks like Google's authoritative nameservers (ns[1-4].google.com)
don't send an EDNS Client Subnet option payload in the response for
o-o.myaddr.l.google.com./TXT, which causes the response to be cached
with global scope. Since they also set a 60 second TTL on that record,
that gives you a window of seeing cached answers from other users,
because your instance has many cache backends.

E.g., compare the output of these two digs:

    dig +norec @ns1.google.com +subnet= o-o.myaddr.l.google.com. -t TXT
    dig +norec @ns1.google.com +subnet= google.com. -t TXT

Technically, Google's authoritative nameserver behavior here risks
problems with Google Public DNS's ECS detection algorithm:


 2. Authoritative name servers that _implement_ ECS must send ECS
    responses to ECS queries for *all* zones served from an IP address
    or NS hostname, even for zones that are not ECS-_enabled_.

      • […] If an authoritative name server does not _always_ send ECS
      responses to ECS queries (even for zones that are not
      ECS-enabled), Google Public DNS may stop sending it ECS queries.

Robert Edmonds

More information about the dns-operations mailing list