
Re: [public-dns-discuss] Re: For domains hosted at Akamai CDN, Google DoH's ECS option not taking effects



I've just tested against one of my own servers, and Google's definitely passing ECS through.

If Akamai don't use ECS though (confirmed below), your result is going to be based on the geolocation of the Google PoP that places the upstream request to their authoritatives, no matter what you pass in your DoH request. Google might or might not be supplying them with the ECS information in your request, but it's irrelevant if they're not using it (it's probably not being sent if Google has identified that they're not returning valid ECS responses though).

As your requests are seemingly going to the same DoH location, the upstream queries will likely also be originating from there (I don't know, but I assume Google isn't going to be farming queries out to recursors in another country to the one they were received in). I'd guess Japan is probably your nearest PoP (in terms of network latency).

The other thing is, because Akamai aren't using ECS, the scope is /0 (i.e. the results are valid for all downstream subnets), so if you run your queries in close succession you may well get them from the recursor's cache.

Just to confirm, they don't appear to use ECS:

$ ./edns_dump.py e25583.a.akamaiedge.net 46.32.254.0/24 n0a.akamaiedge.net 
Q e25583.a.akamaiedge.net. IN A
---- Response ----
id 37507
opcode QUERY
rcode NOERROR
flags QR AA RD
edns 0
payload 4096
;QUESTION
e25583.a.akamaiedge.net. IN A
;ANSWER
e25583.a.akamaiedge.net. 20 IN A 2.17.210.16
e25583.a.akamaiedge.net. 20 IN A 2.17.210.48
;AUTHORITY
;ADDITIONAL
[]
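
A small script, added here and not part of the thread, that reads the scope prefix length back out of the "edns_client_subnet" field of Google's DoH JSON responses and checks whether the authoritative actually used ECS. The two fixtures are the responses George Ge pasted above, trimmed to the relevant fields; the helper names are mine.

```python
import json

# Constructed fixtures: the two responses quoted in the thread, trimmed to the
# fields this analysis needs (Answer, edns_client_subnet, Comment).
RESP_UK = json.loads('''{"Status": 0, "Answer": [
 {"name": "api.anote-app.com.", "type": 5, "TTL": 168, "data": "api.anote-app.com.edgekey.net."},
 {"name": "api.anote-app.com.edgekey.net.", "type": 5, "TTL": 1436, "data": "e25583.a.akamaiedge.net."},
 {"name": "e25583.a.akamaiedge.net.", "type": 1, "TTL": 19, "data": "23.54.124.8"},
 {"name": "e25583.a.akamaiedge.net.", "type": 1, "TTL": 19, "data": "23.212.54.123"}],
 "edns_client_subnet": "158.43.240.3/0", "Comment": "Response from 88.221.81.192."}''')
RESP_US = json.loads('''{"Status": 0, "Answer": [
 {"name": "api.anote-app.com.", "type": 5, "TTL": 25, "data": "api.anote-app.com.edgekey.net."},
 {"name": "api.anote-app.com.edgekey.net.", "type": 5, "TTL": 1525, "data": "e25583.a.akamaiedge.net."},
 {"name": "e25583.a.akamaiedge.net.", "type": 1, "TTL": 19, "data": "23.212.54.123"},
 {"name": "e25583.a.akamaiedge.net.", "type": 1, "TTL": 19, "data": "23.54.124.8"}],
 "edns_client_subnet": "204.117.214.10/0", "Comment": "Response from 23.61.250.103."}''')


def ecs_scope(resp):
    """Return (client address sent, scope prefix length returned). The scope
    comes from the authoritative: 0 means the answer is valid for every
    client subnet, i.e. ECS was not used to choose it."""
    addr, scope = resp["edns_client_subnet"].rsplit("/", 1)
    return addr, int(scope)


def ecs_honoured(resp):
    """True only if the authoritative tailored this answer to the subnet."""
    return ecs_scope(resp)[1] > 0


def a_records(resp):
    """Sorted A-record addresses (type 1); the CNAME chain (type 5) is skipped."""
    return sorted(rr["data"] for rr in resp.get("Answer", []) if rr["type"] == 1)


def analyse(resp_a, resp_b):
    """Compare two lookups of the same name made with different ECS subnets."""
    return {
        "ecs_used_by_authoritative": ecs_honoured(resp_a) or ecs_honoured(resp_b),
        # With scope /0 the answer is cacheable for all subnets, so identical
        # answers from back-to-back queries prove nothing about ECS pass-through.
        "same_answer_set": a_records(resp_a) == a_records(resp_b),
        "answered_by": (resp_a.get("Comment"), resp_b.get("Comment")),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(RESP_UK, RESP_US), indent=1))
```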



On Wed, Nov 21, 2018 at 7:18 AM George Ge <gezhaozhi AT gmail.com> wrote:
Hi, Ben. Could you please give any further clue on this?
That will help a lot.

I entered two different ECS subnet IPs which are from UK and USA, but the results seem all to be IPs from Japan (I am sending these curls from China).

[gezhaozhi@gezhaozhideMacBook-Pro:/Users/gezhaozhi]

$curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A&edns_client_subnet=158.43.240.3'

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 168,"data":"api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1436,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL":19,"data": "23.54.124.8"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.212.54.123"}],"Additional":[],"edns_client_subnet": "158.43.240.3/0","Comment": "Response from 88.221.81.192."}

[gezhaozhi@gezhaozhideMacBook-Pro:/Users/gezhaozhi]

$curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A&edns_client_subnet=204.117.214.10'

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 25,"data":"api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1525,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL":19,"data": "23.212.54.123"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.54.124.8"}],"Additional":[],"edns_client_subnet": "204.117.214.10/0","Comment": "Response from 23.61.250.103."}


On Friday, November 9, 2018 at 5:53:57 PM UTC+8, Ben Tasker wrote:
There's an error in your command.

You need to quote the URL as it contains ampersands - anything following those will not be included in your request, so in this case the ECS information you've specified in the query string isn't sent.

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 299,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1799,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "2.17.210.16"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "2.17.210.48"}],"Additional":[],"edns_client_subnet": "204.117.214.10/0","Comment": "Response from 2.22.11.92."}


On Fri, Nov 9, 2018 at 9:18 AM, George Ge <gezh... AT gmail.com> wrote:

Jietu20181109-171822.png



On Friday, November 9, 2018 at 5:17:19 PM UTC+8, George Ge wrote:


Hi. I am curious why Google DoH's ECS option is not affecting the result.
I am aware that Akamai CDN does not accept ECS options, but Google DoH's recursive resolvers should be geo-distributed, so it should not be a problem that Akamai is not taking in ECS.
Between Google DoH's recursive resolver and the authoritative name servers (Akamai CDN in this case), is Google DoH relying solely on ECS to carry the client IP?
Thanks.

--
You received this message because you are subscribed to the Google Groups "public-dns-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public-dns-discuss+unsubscribe AT googlegroups.com.
To post to this group, send email to public-dn... AT googlegroups.com.
Visit this group at https://groups.google.com/group/public-dns-discuss.
To view this discussion on the web visit https://groups.google.com/d/msgid/public-dns-discuss/88236da2-535f-4c27-bfed-fc987d3a402d%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


