[prev in list] [next in list] [prev in thread] [next in thread]
List: dns-operations
Subject: Re: [dns-operations] service showing (last) resolver's IP ?
From: Robert Edmonds <edmonds () mycre ! ws>
Date: 2017-12-11 17:26:13
Message-ID: 20171211172613.y5lqmdxm4gd3zivt () mycre ! ws
[Download RAW message or body]
Eduardo@PT wrote:
> I was just trying this query at home and I got something strange.... Google
> resolvers always send me a different edns0-client-subnet... Is this normal?
It looks like Google's authoritative nameservers (ns[1-4].google.com)
don't send an EDNS Client Subnet option payload in the response for
o-o.myaddr.l.google.com./TXT, which causes the response to be cached
with global scope. Since they also set a 60 second TTL on that record,
that gives you a window of seeing cached answers from other users,
because your 8.8.8.8 instance has many cache backends.
E.g., compare the output of these two digs:
dig +norec @ns1.google.com +subnet=192.0.2.0/24 o-o.myaddr.l.google.com. -t TXT
dig +norec @ns1.google.com +subnet=192.0.2.0/24 google.com. -t TXT
Technically, Google's authoritative nameserver behavior here risks
problems with Google Public DNS's ECS detection algorithm:
https://developers.google.com/speed/public-dns/docs/ecs#guidelines
2. Authoritative name servers that _implement_ ECS must send ECS
responses to ECS queries for *all* zones served from an IP address
or NS hostname, even for zones that are not ECS-_enabled_.
• […] If an authoritative name server does not _always_ send ECS
responses to ECS queries (even for zones that are not
ECS-enabled), Google Public DNS may stop sending it ECS queries.
--
Robert Edmonds
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic