How can I determine if my public DNS resolver supports the EDNS Client Subnet (ECS) extension?

Last updated: 2020-06-17

I'm using geoproximity, geolocation, and latency-based routing policies in Amazon Route 53. I need to find the IP address of my public DNS resolver and determine if it supports the EDNS Client Subnet (ECS) extension. How can I do this?

Resolution

Use specific DNS record sets to find the public IP address of the DNS resolver, and then determine support for the EDNS Client Subnet extension

Query the following DNS record sets to get output that includes your DNS resolver's IP address. The output also provides details on the EDNS Client Subnet extension, if your resolver supports it.

Note: If you're using Windows, you can use nslookup to run these commands.

1. Use the "edns-client-sub.net" TXT record set:

$ dig edns-client-sub.net TXT +short
$ dig edns-client-sub.net TXT +short @Resolver_IP

If the EDNS Client Subnet extension isn't supported, the output looks like:

"{'ecs':'False','ts':'1516207420.29','recursive':{'cc':'US','srcip':'34.241.148.86','sport':'19407'}}"

In this example, 34.241.148.86 is the IP address of the resolver that's making the DNS query to the authoritative name server. "'ecs':'False'" indicates that the DNS resolver doesn't support the EDNS Client Subnet extension.

If the EDNS Client Subnet extension is supported, the output looks like:

"{'ecs_payload':{'family':'1','optcode':'0x08','cc':'IN','ip':'27.34.254.0','mask':'24','scope':'0'},'ecs':'True','ts':'1589300452.18','recursive':{'cc':'US','srcip':'172.253.244.1','sport':'50821'}}"

In this example, 172.253.244.1 is the IP address of the resolver that's making the DNS query to the authoritative name server. 'ip':'27.34.254.0' and 'mask':'24' indicate the client network information. "'ecs':'True'" indicates that the DNS resolver supports the EDNS Client Subnet extension.

2. Use the "o-o.myaddr.l.google.com" TXT record set:

$ dig +nocl TXT o-o.myaddr.l.google.com +short
$ dig +nocl TXT o-o.myaddr.l.google.com @Resolver_IP +short

If the EDNS Client Subnet extension isn't supported, then the output looks like:

"203.201.60.5"

In this example, the output indicates that the resolver with the IP address 203.201.60.5 doesn't support the EDNS Client Subnet extension.

If the EDNS Client Subnet extension is supported, then the output looks like:

"172.253.220.1"
"edns0-client-subnet 27.34.254.0/24"

In this example, the output indicates that the resolver with the IP address 172.253.220.1 supports the EDNS Client Subnet extension. The client subnet 27.34.254.0/24 information is sent to the authoritative name server.

If you're using dig 9.9.3 or later, you can also pass the client subnet yourself with the +subnet option:

$ dig +nocl TXT o-o.myaddr.l.google.com @8.8.8.8 +subnet=35.163.158.0/24 +short
"74.125.18.67"
"edns0-client-subnet 35.163.158.0/24"

In this example, the first line is the DNS resolver's IP address. The second line is the "edns0-client-subnet" value that the resolver passed on to the authoritative name server.

3. Use the "resolver-identity.cloudfront.net" record set.
Note: This returns only the public IP address of the DNS resolver.

$ dig resolver-identity.cloudfront.net +short
203.201.60.5

In this example, 203.201.60.5 is the IP address of the recursive resolver.

4. Use the "rs.dns-oarc.net" TXT record set.
Note: This returns only the public IP address of the DNS resolver.

$ dig +short rs.dns-oarc.net txt @8.8.8.8
rst.x4050.rs.dns-oarc.net.
rst.x4058.x4050.rs.dns-oarc.net.
rst.x4064.x4058.x4050.rs.dns-oarc.net.
"172.217.34.197 DNS reply size limit is at least 4064"
"172.217.34.197 sent EDNS buffer size 4096"

In this example, 172.217.34.197 is the public IP address of the Anycast resolver (8.8.8.8).

Note: For Anycast DNS services such as 8.8.8.8, the resolver IP address changes from query to query. In this case, use a for loop to collect the list of public IP addresses that the recursive resolver uses in the respective location.

$ for i in {1..10}; do dig +short resolver-identity.cloudfront.net @8.8.8.8; sleep 11; done
172.217.38.5
172.217.34.195
172.253.244.3
172.217.34.69

In this example, the Anycast DNS service 8.8.8.8 used different public IP addresses to connect to the authoritative name server.
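The two TXT answers in steps 1 and 2 are easy to misread by eye, so here is an added example (not part of the original article) that parses the dig +short output of both probes into one result: the resolver IP that reached the authoritative server, whether ECS was forwarded, and the client subnet if it was. The edns-client-sub.net answer is a Python-style dict literal, which ast.literal_eval parses safely without executing anything; the sample strings are the ones shown above.

```python
import ast
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass
class EcsProbe:
    resolver_ip: str            # source IP the authoritative server saw
    ecs_supported: bool         # True when a client subnet was forwarded
    client_subnet: Optional[str]  # CIDR forwarded via EDNS Client Subnet, else None

def parse_edns_client_sub(txt: str) -> EcsProbe:
    """Parse the TXT answer from edns-client-sub.net (a dict literal in quotes)."""
    body = txt.strip().strip('"')          # dig wraps TXT data in double quotes
    data = ast.literal_eval(body)           # literal-only parser, no code execution
    supported = data.get("ecs") == "True"
    subnet = None
    if supported:
        payload = data["ecs_payload"]
        # Normalise ip + prefix length into a canonical CIDR string
        subnet = str(ipaddress.ip_network(f"{payload['ip']}/{payload['mask']}"))
    return EcsProbe(data["recursive"]["srcip"], supported, subnet)

def parse_google_myaddr(txt_lines: Iterable[str]) -> EcsProbe:
    """Parse the TXT answer(s) from o-o.myaddr.l.google.com."""
    resolver_ip, subnet = None, None
    for line in txt_lines:
        value = line.strip().strip('"')
        if not value:
            continue
        if value.startswith("edns0-client-subnet "):
            subnet = str(ipaddress.ip_network(value.split(" ", 1)[1]))
        else:
            resolver_ip = str(ipaddress.ip_address(value))  # validates the address
    if resolver_ip is None:
        raise ValueError("no resolver address line in answer")
    return EcsProbe(resolver_ip, subnet is not None, subnet)

# Constructed samples: the answers shown in steps 1 and 2 above.
SAMPLE_NO_ECS = ("\"{'ecs':'False','ts':'1516207420.29','recursive':"
                 "{'cc':'US','srcip':'34.241.148.86','sport':'19407'}}\"")
SAMPLE_ECS = ("\"{'ecs_payload':{'family':'1','optcode':'0x08','cc':'IN','ip':'27.34.254.0',"
              "'mask':'24','scope':'0'},'ecs':'True','ts':'1589300452.18','recursive':"
              "{'cc':'US','srcip':'172.253.244.1','sport':'50821'}}\"")
SAMPLE_GOOGLE = ['"172.253.220.1"', '"edns0-client-subnet 27.34.254.0/24"']

if __name__ == "__main__":
    for probe in (parse_edns_client_sub(SAMPLE_NO_ECS),
                  parse_edns_client_sub(SAMPLE_ECS),
                  parse_google_myaddr(SAMPLE_GOOGLE)):
        print(probe)
```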

Analyze Route 53 DNS query logs to determine support for the EDNS Client Subnet extension

Use DNS query logging to find the DNS resolver IP address and get EDNS Client Subnet information that's passed in the DNS queries to the Route 53 name servers.

If the EDNS Client Subnet extension is supported, the output looks like:

1.0 2020-05-10T10:39:49Z Z07163611M5WTAAAAA5F8 testwebsite.com A NOERROR UDP IAD79-C1 172.253.214.14 35.173.125.0/24

In this example, the client machine's network (35.173.125.0/24) is included in the output. The network is included because the resolver that's forwarding DNS queries to Route 53 supports the EDNS Client Subnet extension. The query was sent from the 172.253.214.14 resolver IP address.

If the EDNS Client Subnet extension isn't supported, the output looks like:

1.0 2020-05-10T10:39:34Z Z07163611M5WTAAAAA5F8 testwebsite.com A NOERROR UDP IAD79-C1 35.170.83.67 -

The resolver IP address 35.170.83.67 is included in the output. However, no client subnet information was passed, as indicated by the "-" in the tenth field.
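Reading the tenth field by hand does not scale to a real query log, so here is an added example (not part of the original article, and not AWS code) that splits each Route 53 query log line into its ten space-separated fields and reports, per resolver IP, whether that resolver ever forwarded a client subnet. It assumes the 1.0 log format exactly as shown above; the sample log is constructed from the two lines above plus one more line in the same format.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

@dataclass
class QueryLogRecord:
    timestamp: str
    hosted_zone_id: str
    query_name: str
    query_type: str
    response_code: str
    protocol: str
    edge_location: str
    resolver_ip: str
    client_subnet: Optional[str]   # None when the tenth field is "-"

def parse_query_log_line(line: str) -> QueryLogRecord:
    """Split one Route 53 query log line (format version 1.0) into its ten fields."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    version, ts, zone, name, qtype, rcode, proto, edge, resolver, subnet = fields
    if version != "1.0":
        raise ValueError(f"unsupported query log format version {version!r}")
    return QueryLogRecord(ts, zone, name, qtype, rcode, proto, edge, resolver,
                          None if subnet == "-" else subnet)

def ecs_support_by_resolver(lines: Iterable[str]) -> Dict[str, bool]:
    """Map each resolver IP in the log to True if it passed a client subnet at least once."""
    support: Dict[str, bool] = defaultdict(bool)
    for line in lines:
        if not line.strip():
            continue                      # skip blank lines
        rec = parse_query_log_line(line)
        support[rec.resolver_ip] = support[rec.resolver_ip] or rec.client_subnet is not None
    return dict(support)

# Constructed sample log: the two lines from the article plus one more in the same format.
SAMPLE_LOG = """\
1.0 2020-05-10T10:39:49Z Z07163611M5WTAAAAA5F8 testwebsite.com A NOERROR UDP IAD79-C1 172.253.214.14 35.173.125.0/24
1.0 2020-05-10T10:39:34Z Z07163611M5WTAAAAA5F8 testwebsite.com A NOERROR UDP IAD79-C1 35.170.83.67 -
1.0 2020-05-10T10:40:02Z Z07163611M5WTAAAAA5F8 testwebsite.com AAAA NOERROR TCP IAD79-C1 172.253.214.14 35.173.125.0/24
"""

if __name__ == "__main__":
    for ip, passed in ecs_support_by_resolver(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {'forwards client subnet' if passed else 'no client subnet seen'}")
```

A resolver that never shows a subnet in this report is the one whose own location, not the client's, drives geolocation and geoproximity answers.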