<div dir="ltr">Oops, thanks Crist. Yes, that was a typo in my example and this inconsistency does happen even when it's correct. 😄<br><br>I retested for good measure:<br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> dig -b 64.227.108.32 @<a href="http://ns-1339.awsdns-39.org">ns-1339.awsdns-39.org</a> <a href="http://doitb-synthetic.atlassian.net">doitb-synthetic.atlassian.net</a> +short +nosubnet</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">104.192.142.19<br>104.192.142.20<br>104.192.142.18</blockquote><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> dig -b 64.227.108.32 @<a href="http://ns-1339.awsdns-39.org">ns-1339.awsdns-39.org</a> <a href="http://doitb-synthetic.atlassian.net">doitb-synthetic.atlassian.net</a> +short +subnet=<a href="http://64.227.108.32/32">64.227.108.32/32</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">104.192.138.12<br>104.192.138.13</blockquote><div><br>Thanks,<br><br>-Dan </div><table width="100%" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:15px;line-height:22px"><tbody><tr><td width="55px" valign="top" style="padding-right:12px"><br><img src="https://digitaloceanspace.nyc3.digitaloceanspaces.com/do-sig_files/do-email_signature.png" style="width:50px"></td><td><div style="color:rgb(34,34,34);font-weight:bold;margin-top:4px"><br>Dan McCombs</div><div style="color:rgb(34,34,34);margin-bottom:12px">Senior Engineer I - DNS</div><div><a href="mailto:dmccombs@digitalocean.com" style="color:rgba(51,51,51,0.75);font-size:14px" 
target="_blank">dmccombs@digitalocean.com</a></div></td></tr></tbody></table></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jun 9, 2023 at 11:57 PM Crist Clark <<a href="mailto:yheffen@gmail.com">yheffen@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Well, in your example below, looks like a typo. You have the first octet in the subnet option set to 67, when it’s 64 for the server.</div><div dir="auto"><br></div><div dir="auto">Is that just a typo in the example below? Do you still see inconsistencies when it’s correct?</div><div dir="auto"><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jun 9, 2023 at 2:25 PM Dan McCombs via dns-operations <<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br><br><br>---------- Forwarded message ----------<br>From: Dan McCombs <<a href="mailto:dmccombs@digitalocean.com" target="_blank">dmccombs@digitalocean.com</a>><br>To: <a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>Cc: <br>Bcc: <br>Date: Fri, 9 Jun 2023 16:58:51 -0400<br>Subject: Route 53 Unexpected geo location behavior<br><div dir="ltr">Hi everyone,<br><br>We've stumbled upon what seems like unexpected behavior with Route 53 returning answers based on IP geo location to our resolvers.<br><br>According to <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-edns0.html" target="_blank">their documentation</a>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">When a browser or other viewer uses a DNS resolver that does not support 
edns-client-subnet, Route 53 uses the source IP address of the DNS resolver to approximate the location of the user and responds to geolocation queries with the DNS record for the resolver's location.<br clear="all"></blockquote><div><br>But that doesn't seem to be the case. On a resolver with the address 64.227.108.32, if we query at an awsdns authoritative from 64.227.108.32 without edns client subnet, we get one set of answers:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> dig -b 64.227.108.32 @<a href="http://ns-1339.awsdns-39.org" target="_blank">ns-1339.awsdns-39.org</a> <a href="http://doitb-synthetic.atlassian.net" target="_blank">doitb-synthetic.atlassian.net</a> +short +nosubnet</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">104.192.142.20<br>104.192.142.19<br>104.192.142.18</blockquote><div><br>But if we send the resolver's own same IP in edns-client-subnet, we get a different set of answers:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">>  dig -b 64.227.108.32 @<a href="http://ns-1339.awsdns-39.org" target="_blank">ns-1339.awsdns-39.org</a> <a href="http://doitb-synthetic.atlassian.net" target="_blank">doitb-synthetic.atlassian.net</a> +short +subnet=<a href="http://67.227.108.32/32" target="_blank">67.227.108.32/32</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">104.192.138.13<br>104.192.138.12</blockquote><div><br>If it were using the resolver's source IP address to determine geolocation when no edns-client-subnet is sent, I would expect the same answers as when sending that address as the edns-client-subnet. 
What's going on here?<br><br>Our resolvers are co-located with our user's instances in the same datacenters, so we don't configure our resolvers to send edns-client-subnet since they're not geographically different (and in fact in the same IP blocks). This is the first time we've had a user contact us about this, so I'm not sure if something changed with Route 53 recently, if this is being caused by configuration specific to the <a href="http://atlassian.net" target="_blank">atlassian.net</a> zone, or if somehow we just haven't had users notice that they were being affected by this for years.<br><br>Any insights would be appreciated,<br><br>-Dan </div></div></div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><table width="100%" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:15px;line-height:22px"><tbody style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><tr style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><td width="55px" valign="top" style="padding-right:12px;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br><img src="https://digitaloceanspace.nyc3.digitaloceanspaces.com/do-sig_files/do-email_signature.png" style="width: 50px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"></td><td style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div style="font-weight:bold;margin-top:4px;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;color:rgb(34,34,34)"><br>Dan McCombs</div><div style="margin-bottom:12px;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;color:rgb(34,34,34)">Senior Engineer I - DNS</div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><a href="mailto:dmccombs@digitalocean.com" style="font-size:14px;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;color:rgba(51,51,51,0.75)" target="_blank">dmccombs@digitalocean.com</a></div></td></tr></tbody></table></div></div></div></div>
</blockquote></div></div>
</blockquote></div>
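<div dir="ltr">An added example, not part of the original thread: a Python sketch of what differs on the wire between the <code>+nosubnet</code> and <code>+subnet=64.227.108.32/32</code> queries above, namely the EDNS Client Subnet option (RFC 7871, option code 8), plus an order-insensitive comparison of the answer sets. The function names are hypothetical; the sample answers are copied from the dig output quoted in the messages.</div>

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)
FAMILIES = {1: (ipaddress.IPv4Network, 4), 2: (ipaddress.IPv6Network, 16)}

# Answers copied from the dig output quoted in the thread.
NOSUBNET_RUN_1 = "104.192.142.20\n104.192.142.19\n104.192.142.18"
NOSUBNET_RUN_2 = "104.192.142.19\n104.192.142.20\n104.192.142.18"
WITH_SUBNET = "104.192.138.12\n104.192.138.13"


def encode_ecs(subnet):
    """Build the ECS option for a client subnet such as '64.227.108.32/32'."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    # Only the octets covered by the source prefix go on the wire.
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr  # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option):
    """Return (subnet, scope_prefix_length); raise ValueError on malformed input."""
    if len(option) < 8:
        raise ValueError("truncated ECS option")
    code, length = struct.unpack("!HH", option[:4])
    family, source_len, scope_len = struct.unpack("!HBB", option[4:8])
    addr = option[8:]
    if code != ECS_OPTION_CODE or length != len(option) - 4 or family not in FAMILIES:
        raise ValueError("not a well-formed ECS option")
    net_cls, size = FAMILIES[family]
    if source_len > size * 8 or len(addr) != (source_len + 7) // 8:
        raise ValueError("address length does not match source prefix")
    # The default strict=True also rejects set bits beyond the source prefix.
    net = net_cls((addr.ljust(size, b"\x00"), source_len))
    return str(net), scope_len


def same_answers(a, b):
    """Compare two `dig +short` outputs as sets, since record order varies per query."""
    return set(a.split()) == set(b.split())


if __name__ == "__main__":
    print(encode_ecs("64.227.108.32/32").hex())
    print(decode_ecs(encode_ecs("64.227.108.32/32")))
    print(same_answers(NOSUBNET_RUN_1, NOSUBNET_RUN_2), same_answers(NOSUBNET_RUN_1, WITH_SUBNET))
```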