EDNS Client Subnet
Option in Extension Mechanisms for DNS From Wikipedia, the free encyclopedia
EDNS Client Subnet (ECS) is an option in the Extension Mechanisms for DNS that allows a recursive DNS resolver to specify the subnetwork for the host or client on whose behalf it is making a DNS query. This is generally intended to help speed up the delivery of data from content delivery networks (CDNs), by allowing better use of DNS-based load balancing to select a service address near the client when the client computer is not necessarily near the recursive resolver.[1][2]
 | This article may be too technical for most readers to understand. (February 2024) |
When an authoritative name server receives a DNS query, it takes advantage of ECS DNS extension to resolve the hostname to a CDN which is geolocationally near to the client IP's subnet, hence the client makes further requests to a nearby CDN, thereby reducing latency. The EDNS client subnet mechanism is specified in RFC 7871.
Privacy and security implications
Because ECS provides client network information to the upstream authoritative DNS server, the extension reveals some information about the client's location that the authoritative DNS server would not otherwise be able to deduce. The same client network information also becomes available to transit networks between the client's recursive and the domain's authoritative server.[3] Security researchers have suggested that ECS could be used to conduct internet surveillance.[3] ECS may also be exploited to perform selective DNS cache poisoning attacks intended to only re-route specific clients to a poisoned DNS record.[3]
Controversy over lack of support
The owner of self-serve web archiving tool Archive.today has expressed concern over Cloudflare 1.1.1.1 not passing the contents of this field on to the authoritative DNS server for Archive.today, and has in response configured the site's authoritative DNS servers to consider Cloudflare DNS requests invalid—effectively blocking 1.1.1.1 from resolving the website DNS records.[4]
The owner of the site believes 1.1.1.1 too often routes recursive DNS requests in a non-geographically-optimal way, causing poorer connectivity than if the feature was available at all times.[4]
Cloudflare CEO Matthew Prince cited privacy concerns as reason for 1.1.1.1 to not support ECS.[5]
References
Wikiwand - on
Seamless Wikipedia browsing. On steroids.