
Re: [public-dns-discuss] Re: For domains hosted at Akamai CDN, Google DoH's ECS option not taking effects



Thanks again, Alex. I got it.

In case others have the same question, here are my tests:
$ curl ifconfig.me
47.90.241.220

$ curl 'http://api.ipstack.com/47.90.241.220?access_key=161ffc4e992926dba74689f86bb6b50a'
{"ip":"47.90.241.220","type":"ipv4","continent_code":"NA","continent_name":"North America","country_code":"US","country_name":"United States","region_code":"CA","region_name":"California","city":"San Mateo","zip":"94402","latitude":37.5507,"longitude":-122.3276,"location":{"geoname_id":5392423,"capital":"Washington D.C.","languages":[{"code":"en","name":"English","native":"English"}],"country_flag":"http:\/\/assets.ipstack.com\/flags\/us.svg","country_flag_emoji":"\ud83c\uddfa\ud83c\uddf8","country_flag_emoji_unicode":"U+1F1FA U+1F1F8","calling_code":"1","is_eu":false}}

$ curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A'
{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 277,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 686,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "104.112.235.104"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "104.112.235.75"}],"Comment": "Response from 72.246.52.147."}


$ curl ifconfig.me
47.74.152.213

$ curl 'http://api.ipstack.com/47.74.152.213?access_key=161ffc4e992926dba74689f86bb6b50a'
{"ip":"47.74.152.213","type":"ipv4","continent_code":"AS","continent_name":"Asia","country_code":"SG","country_name":"Singapore","region_code":"01","region_name":"Central Singapore Community Development Council","city":"Singapore","zip":null,"latitude":1.2931,"longitude":103.8558,"location":{"geoname_id":1880252,"capital":"Singapore","languages":[{"code":"en","name":"English","native":"English"},{"code":"ms","name":"Malay","native":"Bahasa Melayu"},{"code":"ta","name":"Tamil","native":"\u0ba4\u0bae\u0bbf\u0bb4\u0bcd"},{"code":"zh","name":"Chinese","native":"\u4e2d\u6587"}],"country_flag":"http:\/\/assets.ipstack.com\/flags\/sg.svg","country_flag_emoji":"\ud83c\uddf8\ud83c\uddec","country_flag_emoji_unicode":"U+1F1F8 U+1F1EC","calling_code":"65","is_eu":false}}

$ curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A'
{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 98,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1229,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "104.120.139.219"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "173.222.148.56"}],"Comment": "Response from 61.220.62.191."}


$ curl ifconfig.me
120.52.147.46

$ curl 'http://api.ipstack.com/120.52.147.46?access_key=161ffc4e992926dba74689f86bb6b50a'
{"ip":"120.52.147.46","type":"ipv4","continent_code":"AS","continent_name":"Asia","country_code":"CN","country_name":"China","region_code":null,"region_name":null,"city":null,"zip":null,"latitude":34.7725,"longitude":113.7266,"location":{"geoname_id":null,"capital":"Beijing","languages":[{"code":"zh","name":"Chinese","native":"\u4e2d\u6587"}],"country_flag":"http:\/\/assets.ipstack.com\/flags\/cn.svg","country_flag_emoji":"\ud83c\udde8\ud83c\uddf3","country_flag_emoji_unicode":"U+1F1E8 U+1F1F3","calling_code":"86","is_eu":false}}

$ curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A'
{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 299,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1799,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.42.156.201"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.42.156.240"}],"Comment": "Response from 203.198.20.159."}

By the way, does Google DoH have that legal agreement on ECS with Akamai yet?

On Thursday, November 22, 2018 at 1:40:23 AM UTC+8, Alex Dupuy wrote:
Akamai will only honor ECS from sources that they have legal agreements with; they will ignore any ECS that you provide in your own dig queries, but they do not ignore ECS from parties with whom they have legal agreements about ECS.

https://tools.ietf.org/html/rfc7871#section-7.3.2 and particularly https://tools.ietf.org/html/rfc7871#section-7.5 have some relevant commentary here, as highlighted in my previous response to George in a different thread: https://groups.google.com/d/msg/public-dns-discuss/JpK7GblfDTA/1vNdjHMQCgAJ.

At the end of the day, diagnostic ECS queries for Akamai hosted domains will not generate the responses you are looking for, regardless of how you send them. If you really need to see that it is working "correctly" you would be best served by making queries without ECS from remote probes such as are operated by RIPE Atlas and others. You can route those queries through public resolvers and see the results you will actually get from those locations.
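
The comparison made by hand in the tests above, as an added example that is not part of the original messages: it parses the three Google DoH JSON responses, follows the CNAME chain to the terminal A records, pulls the responding authoritative server out of the Comment field, and reports whether any two vantage points received a common edge address. The function names, the country-code labels and the trimmed sample strings are assumptions made for the example.

```python
import json
import re

TYPE_A, TYPE_CNAME = 1, 5

# Constructed sample input: the three responses quoted above, trimmed to the
# fields used here (TTLs and flag bits dropped), keyed by ipstack country code.
TEMPLATE = ('{"Status":0,"Question":[{"name":"api.anote-app.com.","type":1}],"Answer":['
            '{"name":"api.anote-app.com.","type":5,"data":"api.anote-app.com.edgekey.net."},'
            '{"name":"api.anote-app.com.edgekey.net.","type":5,"data":"e25583.a.akamaiedge.net."},'
            '{"name":"e25583.a.akamaiedge.net.","type":1,"data":"%s"},'
            '{"name":"e25583.a.akamaiedge.net.","type":1,"data":"%s"}],'
            '"Comment":"Response from %s."}')
SAMPLES = {
    "US": TEMPLATE % ("104.112.235.104", "104.112.235.75", "72.246.52.147"),
    "SG": TEMPLATE % ("104.120.139.219", "173.222.148.56", "61.220.62.191"),
    "CN": TEMPLATE % ("23.42.156.201", "23.42.156.240", "203.198.20.159"),
}

def summarize(raw):
    """Follow the CNAME chain from the question and collect the terminal A records."""
    msg = json.loads(raw)
    if msg.get("Status") != 0:
        raise ValueError(f"DNS rcode {msg.get('Status')}")
    answers = msg.get("Answer", [])
    cnames = {a["name"].lower(): a["data"].lower() for a in answers if a["type"] == TYPE_CNAME}
    name = msg["Question"][0]["name"].lower()
    chain = [name]
    while name in cnames:
        name = cnames[name]
        if name in chain:
            raise ValueError("CNAME loop in answer section")
        chain.append(name)
    addrs = sorted(a["data"] for a in answers if a["type"] == TYPE_A and a["name"].lower() == name)
    # Assumption: Comment is a string of the form shown in the responses above.
    m = re.search(r"Response from ([0-9A-Fa-f.:]+?)\.?$", str(msg.get("Comment", "")))
    return {"chain": chain, "addrs": addrs, "auth": m.group(1) if m else None}

def compare(samples):
    """Return per-vantage summaries and the vantage pairs that share an edge address."""
    views = {loc: summarize(raw) for loc, raw in samples.items()}
    locs = sorted(views)
    shared = [(a, b) for i, a in enumerate(locs) for b in locs[i + 1:]
              if set(views[a]["addrs"]) & set(views[b]["addrs"])]
    return views, shared

if __name__ == "__main__":
    views, shared = compare(SAMPLES)
    print({loc: (v["addrs"], v["auth"]) for loc, v in views.items()}, shared)
```

An empty list of shared pairs, together with a different authoritative server per vantage point, is what location-dependent mapping looks like in these three runs.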
