<div dir="ltr">Hi everyone,<br><br>We've stumbled upon what seems like unexpected behavior with Route 53 returning answers based on IP geo location to our resolvers.<br><br>According to <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-edns0.html">their documentation</a>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">When a browser or other viewer uses a DNS resolver that does not support edns-client-subnet, Route 53 uses the source IP address of the DNS resolver to approximate the location of the user and responds to geolocation queries with the DNS record for the resolver's location.<br clear="all"></blockquote><div><br>But that doesn't seem to be the case. On a resolver with the address 64.227.108.32, if we query at an awsdns authoritative from 64.227.108.32 without edns client subnet, we get one set of answers:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> dig -b 64.227.108.32 @<a href="http://ns-1339.awsdns-39.org">ns-1339.awsdns-39.org</a> <a href="http://doitb-synthetic.atlassian.net">doitb-synthetic.atlassian.net</a> +short +nosubnet</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">104.192.142.20<br>104.192.142.19<br>104.192.142.18</blockquote><div><br>But if we send the resolver's own same IP in edns-client-subnet, we get a different set of answers:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">>  dig -b 64.227.108.32 @<a href="http://ns-1339.awsdns-39.org">ns-1339.awsdns-39.org</a> <a href="http://doitb-synthetic.atlassian.net">doitb-synthetic.atlassian.net</a> +short +subnet=<a href="http://67.227.108.32/32">67.227.108.32/32</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">104.192.138.13<br>104.192.138.12</blockquote><div><br>If it were using the resolver's source IP address to determine geolocation when no edns-client-subnet is sent, I would expect the same answers as when sending that address as the edns-client-subnet. What's going on here?<br><br>Our resolvers are co-located with our users' instances in the same datacenters, so we don't configure our resolvers to send edns-client-subnet since they're not geographically different (and in fact in the same IP blocks). This is the first time we've had a user contact us about this, so I'm not sure if something changed with Route 53 recently, if this is being caused by configuration specific to the <a href="http://atlassian.net">atlassian.net</a> zone, or if somehow we just haven't had users notice that they were being affected by this for years.<br><br>Any insights would be appreciated,<br><br>-Dan </div></div></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><table width="100%" style="font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:15px;line-height:22px"><tbody><tr><td><div style="color:rgb(34,34,34);font-weight:bold;margin-top:4px"><br>Dan McCombs</div><div style="color:rgb(34,34,34);margin-bottom:12px">Senior Engineer I - DNS</div><div><a href="mailto:dmccombs@digitalocean.com" style="color:rgba(51,51,51,0.75);font-size:14px" target="_blank">dmccombs@digitalocean.com</a></div></td></tr></tbody></table></div></div></div></div>
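A no-ECS query and an ECS query only isolate the "resolver source IP versus edns-client-subnet" question when the ECS prefix covers the <code>-b</code> source address. The following is an added example, not part of the original message, that checks this for dig command lines; the function names <code>geo_input</code> and <code>same_client_view</code> are assumptions, and the third command is constructed for comparison.

```python
import ipaddress
import shlex

def geo_input(dig_cmd):
    """Return (source_ip, ecs_network) as the authoritative server would see them.

    source_ip is the -b bind address; ecs_network is None when no ECS option
    is sent (+nosubnet or no +subnet at all).
    """
    source, ecs = None, None
    args = iter(shlex.split(dig_cmd))
    for arg in args:
        if arg == "-b":
            # dig accepts "-b address[#port]"
            source = ipaddress.ip_address(next(args).split("#")[0])
        elif arg == "+nosubnet":
            ecs = None
        elif arg.startswith("+subnet="):
            value = arg.split("=", 1)[1]
            # dig treats "+subnet=0" as shorthand for 0.0.0.0/0
            ecs = ipaddress.ip_network("0.0.0.0/0" if value == "0" else value, strict=False)
    return source, ecs

def same_client_view(cmd_without_ecs, cmd_with_ecs):
    """True only if the ECS prefix of the second query covers the source
    address of the first, so both present the same client location."""
    source, no_ecs = geo_input(cmd_without_ecs)
    _, ecs = geo_input(cmd_with_ecs)
    if source is None or no_ecs is not None or ecs is None:
        raise ValueError("need one query with -b and no ECS, and one with +subnet")
    return source.version == ecs.version and source in ecs

# The two commands as they appear in the message above.
NO_ECS = "dig -b 64.227.108.32 @ns-1339.awsdns-39.org doitb-synthetic.atlassian.net +short +nosubnet"
WITH_ECS = "dig -b 64.227.108.32 @ns-1339.awsdns-39.org doitb-synthetic.atlassian.net +short +subnet=67.227.108.32/32"
# Constructed for comparison: ECS set to the -b source address itself.
CONSTRUCTED = "dig -b 64.227.108.32 @ns-1339.awsdns-39.org doitb-synthetic.atlassian.net +short +subnet=64.227.108.32/32"

if __name__ == "__main__":
    print(geo_input(NO_ECS), geo_input(WITH_ECS))
    print(same_client_view(NO_ECS, WITH_ECS), same_client_view(NO_ECS, CONSTRUCTED))
```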