[dns-operations] EDNS Client Subnet (ECS) in queries sent to Google Public DNS

Ralph Dolmans ralph at nlnetlabs.nl
Mon Jan 20 16:00:07 UTC 2020



On 17-01-2020 19:10, Alexander Dupuy via dns-operations wrote:
> If any reader of this list is sending DNS requests with the EDNS Client
> Subnet (ECS) option to 8.8.8.8, please read this post on our
> announcement list
> <https://groups.google.com/g/public-dns-announce/c/h4XLjnWvAp8> that
> discusses changes Google is planning in how we handle requests with ECS.
> It is also relevant for developers of software that sends ECS to
> recursive resolvers.

Thanks for the heads-up and thanks for not accepting queries with larger
prefixes than what will be used.

For reference, Unbound will query again without ECS when receiving a
REFUSED. Unbound will not send out (incl. in the ECS forward scenario)
more bits of the address than the configured maximum, which by default
is /24 and /56.

If I understand the announcement correctly, you will continue to return
/0 scope answers for clear-text queries containing non-routable ECS
source addresses. Is there a reason these will only be REFUSED when
using DoT/DoH? I think you never want to return a /0 scope in this case,
as that makes it possible for a user to trigger an answer that will be
cached and used for all addresses, assuming the forwarder will also
forward non-routable ECS source addresses.
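The following is an added illustration of the behaviour discussed in this message; it is not part of Ralph's mail and not Unbound's or Google's code. It assumes the RFC 7871 wire format for the ECS option (family, source prefix length, scope prefix length, truncated address), the /24 and /56 defaults quoted above, and Python's ipaddress `is_global` as the stand-in test for "routable"; the names of the functions are my own.

```python
import ipaddress
import struct

# Unbound defaults quoted in the message: never send more than /24 (IPv4) or /56 (IPv6).
MAX_SOURCE_PREFIX = {4: 24, 6: 56}


def truncate_source(addr):
    """Reduce a client address to the longest prefix the resolver is allowed to send."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{ip}/{MAX_SOURCE_PREFIX[ip.version]}", strict=False)


def encode_ecs(net, scope=0):
    """RFC 7871 option data: FAMILY(2) | SOURCE PREFIX-LENGTH(1) | SCOPE PREFIX-LENGTH(1) | ADDRESS.
    ADDRESS carries only as many octets as the source prefix length needs."""
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!HBB", family, net.prefixlen, scope) + net.network_address.packed[:nbytes]


def decode_ecs(data):
    """Parse option data back into (source network, scope prefix length)."""
    family, source, scope = struct.unpack("!HBB", data[:4])
    size = 4 if family == 1 else 16
    raw = data[4:]
    if len(raw) != (source + 7) // 8 or len(raw) > size:
        raise ValueError("ECS address length does not match source prefix length")
    addr = ipaddress.ip_address(raw + b"\0" * (size - len(raw)))  # restore the truncated octets
    return ipaddress.ip_network(f"{addr}/{source}", strict=False), scope


def resolver_decision(option_data):
    """Policy argued for above: refuse a non-routable ECS source outright instead of
    answering it with scope /0 (routability approximated by is_global, an assumption)."""
    net, _ = decode_ecs(option_data)
    return "FORWARD" if net.is_global else "REFUSED"


def cached_coverage(net, scope):
    """Range of clients a cached answer with this SCOPE would be served to.
    Scope 0 covers the whole address family, which is the hazard raised in the message."""
    return ipaddress.ip_network(f"{net.network_address}/{scope}", strict=False)


def next_query_has_ecs(rcode):
    """Unbound behaviour described above: after a REFUSED, retry without ECS."""
    return rcode != "REFUSED"
```

With a private source such as 10.0.0.0/24 and a /0 scope answer, `cached_coverage` returns 0.0.0.0/0, which is exactly the "cached and used for all addresses" outcome the message warns about.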
