
Re: [public-dns-discuss] Re: For domains hosted at Akamai CDN, Google DoH's ECS option not taking effect



Thanks Alex

> Akamai will only honor ECS from sources that they have legal agreements with, they will ignore any ECS that you provide in your own dig queries, but they do not ignore ECS from parties with whom they have legal agreements about ECS.

That makes much more sense; it seemed odd that Akamai would entirely ignore ECS - it's not like they're a small player in the space, or even technologically behind in general.

I know OpenDNS implements section 12.2 (https://tools.ietf.org/html/rfc7871#section-12.2) on their RRs; it should've occurred to me that Akamai (of all people) might've implemented a whitelist of their own to selectively support ECS (an odd thing to do on an authoritative used for routing IMO, but I can see reasons for it).


On Thu, Nov 22, 2018 at 2:16 AM George Ge <gezhaozhi AT gmail.com> wrote:
Thanks, Ben. I felt the same way as you that Akamai is not accepting ECS.
Alex is giving a pretty solid explanation. Let's check that out. 

On Wednesday, November 21, 2018 at 7:25:35 PM UTC+8, Ben Tasker wrote:
I've just tested against one of my own servers, and Google's definitely passing ECS through.

If Akamai don't use ECS though (confirmed below), your result is going to be based on the geolocation of the Google PoP that places the upstream request to their authoritatives, no matter what you pass in your DoH request. Google might or might not be supplying them with the ECS information in your request, but it's irrelevant if they're not using it (it's probably not being sent if Google has identified that they're not returning valid ECS responses though).

As your requests are seemingly going to the same DoH location, the upstream queries will likely also be originating from there (I don't know, but I assume Google isn't going to be farming queries out to recursors in a different country from the one they were received in). I'd guess Japan is probably your nearest PoP (in terms of network latency).

The other thing is, because Akamai aren't using ECS, the scope is /0 (i.e. the results are valid for all downstream subnets) so if you run your queries in close succession you may well get them from the recursors cache.

Just to confirm, they don't appear to use ECS:

---- Response ----
id 37507
opcode QUERY
rcode NOERROR
flags QR AA RD
edns 0
payload 4096
;QUESTION
;ANSWER
e25583.a.akamaiedge.net. 20 IN A 2.17.210.16
e25583.a.akamaiedge.net. 20 IN A 2.17.210.48
;AUTHORITY
;ADDITIONAL
[]



On Wed, Nov 21, 2018 at 7:18 AM George Ge <gezh... AT gmail.com> wrote:
Hi, Ben. Could you please give any further clue on this?
That will help a lot.

I entered two different ECS subnet IPs, which are from the UK and the USA, but the results all seem to be IPs from Japan (I am sending these curls from China).

[gezhaozhi@gezhaozhideMacBook-Pro:/Users/gezhaozhi]

$curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A&edns_client_subnet=158.43.240.3'

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 168,"data":"api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1436,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL":19,"data": "23.54.124.8"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.212.54.123"}],"Additional":[],"edns_client_subnet": "158.43.240.3/0","Comment": "Response from 88.221.81.192."}

[gezhaozhi@gezhaozhideMacBook-Pro:/Users/gezhaozhi]

$curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A&edns_client_subnet=204.117.214.10'

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 25,"data":"api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1525,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL":19,"data": "23.212.54.123"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.54.124.8"}],"Additional":[],"edns_client_subnet": "204.117.214.10/0","Comment": "Response from 23.61.250.103."}


On Friday, November 9, 2018 at 5:53:57 PM UTC+8, Ben Tasker wrote:
There's an error in your command.

You need to quote the URL as it contains ampersands - anything following those will not be included in your request, so in this case the ECS information you've specified in the query string isn't sent.

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 299,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1799,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "2.17.210.16"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "2.17.210.48"}],"Additional":[],"edns_client_subnet": "204.117.214.10/0","Comment": "Response from 2.22.11.92."}


On Fri, Nov 9, 2018 at 9:18 AM, George Ge <gezh... AT gmail.com> wrote:

[Attachment: Jietu20181109-171822.png (screenshot)]



On Friday, November 9, 2018 at 5:17:19 PM UTC+8, George Ge wrote:


Hi. I am curious why Google DoH's ECS option is not affecting the result.
I am aware that Akamai CDN does not accept ECS options, but Google DoH's recursive resolvers should be geo-distributed, so that it should not be a problem that Akamai is not taking ECS.
Between Google DoH's recursive resolver and the authoritative name servers (Akamai CDN in this case), is Google DoH relying solely on ECS to carry the client IP?
Thanks.

--
You received this message because you are subscribed to the Google Groups "public-dns-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public-dns-discuss+unsubscribe AT googlegroups.com.
To post to this group, send email to public-dn... AT googlegroups.com.
Visit this group at https://groups.google.com/group/public-dns-discuss.
To view this discussion on the web visit https://groups.google.com/d/msgid/public-dns-discuss/88236da2-535f-4c27-bfed-fc987d3a402d%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
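The check Ben runs above (does the authoritative send back an ECS option, and with what SCOPE PREFIX-LENGTH?) and the "/0" that George sees in the `edns_client_subnet` field of Google's JSON replies both come down to the same RFC 7871 rule: a reply with no ECS option, or one with scope 0, is valid for every client and will be cached as such, so nothing you put in the query can change the answer. The following is an added example, not code from anyone in this thread; it uses only the Python standard library. `build_response` constructs replies for offline testing (one shaped like the Akamai answer above, an OPT RR with no ECS option in it; one from a hypothetical ECS-honouring authoritative), and the hostnames and addresses are taken from the outputs quoted in the thread. `query_authoritative` sends the same query to a real server over UDP and is the only part that needs network access.

```python
# RFC 7871 (EDNS Client Subnet) probe, standard library only: build a query that
# carries ECS, parse the OPT RR of a reply, report the SCOPE PREFIX-LENGTH returned.
import ipaddress
import socket
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR (RFC 6891)
ECS_OPTION_CODE = 8  # EDNS Client Subnet option (RFC 7871 section 6)

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in the root."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_ecs_option(subnet: str, scope: int = 0) -> bytes:
    """ECS option body: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, ADDRESS.
    Queries send SCOPE 0; in a reply, SCOPE says how widely the answer applies."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]  # prefix bytes only
    body = struct.pack("!HBB", family, net.prefixlen, scope) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def build_opt_rr(options: bytes, payload: int = 4096) -> bytes:
    """OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = 0, RDATA = options."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload, 0, len(options)) + options

def build_query(name: str, subnet: str, qid: int = 0x1234) -> bytes:
    """A query for `name`, RD set, with an ECS option for `subnet` in the OPT RR."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + build_opt_rr(build_ecs_option(subnet))

def build_response(name, addrs, ecs=None, qid=0x1234, ttl=20) -> bytes:
    """Constructed reply for offline checks: A records for `name`, plus an ECS option
    (subnet, scope) when `ecs` is given, otherwise an OPT RR carrying no options."""
    answers = b"".join(encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + ipaddress.IPv4Address(a).packed for a in addrs)
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, len(addrs), 0, 1)  # QR|AA, QD=1, AR=1
    opt = build_opt_rr(build_ecs_option(*ecs) if ecs else b"")
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + answers + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a possibly compressed name and return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_ecs(msg: bytes):
    """The message's ECS option as a dict, or None when no ECS option is present
    (the Akamai case in the thread: an OPT RR came back, but with no ECS in it)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # walk the OPT option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, source, scope = struct.unpack("!HBB", body[:4])
            raw = body[4:].ljust(4 if family == 1 else 16, b"\x00")  # pad to full length
            return {"family": family, "source": source, "scope": scope,
                    "address": str(ipaddress.ip_address(raw))}
    return None

def ecs_verdict(msg: bytes) -> str:
    """What a reply says about ECS support, in RFC 7871 terms."""
    ecs = parse_ecs(msg)
    if ecs is None:
        return "no ECS option in reply: server ignores ECS, answer is cached for all clients (/0)"
    if ecs["scope"] == 0:
        return "ECS echoed with scope /0: server saw the option but did not tailor the answer"
    return f"answer tailored to {ecs['address']}/{ecs['scope']}, cached for that prefix only"

def query_authoritative(server: str, name: str, subnet: str, timeout: float = 3.0) -> bytes:
    """UDP-query an authoritative directly with ECS and return the raw reply (needs network)."""
    query = build_query(name, subnet)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:  # cheap sanity check against a stray or spoofed datagram
        raise ValueError("transaction ID mismatch")
    return reply

if __name__ == "__main__":
    # Constructed replies: Akamai-shaped (OPT RR, no ECS option) and hypothetical /24-scoped.
    name = "e25583.a.akamaiedge.net"
    print(ecs_verdict(build_response(name, ["2.17.210.16", "2.17.210.48"])))
    print(ecs_verdict(build_response(name, ["23.54.124.8"], ecs=("158.43.240.0/24", 24))))
```

To probe a live server, pass the IP of one of the zone's authoritative nameservers (looked up separately) to `query_authoritative(server_ip, "e25583.a.akamaiedge.net", "158.43.240.0/24")` and hand the reply to `ecs_verdict`. Bear Alex's point in mind when reading the result: an authoritative that only honours ECS from resolvers it has an agreement with will look exactly like one that ignores ECS when probed from an arbitrary source, so "no ECS option in reply" from your own machine does not by itself prove the server never uses ECS.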

