This article will explore the concept of EDNS Client Subnet (ECS) and discuss how ECS works with Cisco Umbrella.
What is ECS?
In traditional DNS, a client sends a request to a DNS server, which responds with a single A-record answer. To keep things simple, this discussion covers A records only; the same process applies to IPv6 and AAAA records. With the advent of widely distributed content delivery networks (CDNs) and recursive DNS services, geolocation is increasingly important for an optimal experience.
Traditional DNS geolocates the answer to a DNS question at the authoritative DNS server, which returns the answer that best matches the source of the DNS query. To use a metaphorical example, take a phone book. Traditionally, the only relevant phone book was the local one, so a query of "call Jim's hardware store" would always find the local store. Today, where a single web address has many locations worldwide, it is imperative for a good experience to connect to a nearby server. With recursive DNS servers and more distributed networks, the source IP of the DNS query does not necessarily provide the best geolocation data.
Figure 2: Example for a user in New Jersey seeking an answer from authoritative DNS
In our phone book metaphor, a business may have 50 locations across the globe, but as the reader, you know which one is closest and call it. Jim's has been doing well, so our query for "call Jim's hardware store" might bring you to the New Jersey store or the Chicago store depending on whom you ask. ECS performs the same service, but for a DNS lookup. EDNS Client Subnet (ECS) is a mechanism for embedding the desired source IP address of a DNS query within the EDNS information of a DNS packet. An authoritative DNS server supporting ECS reads this source information and answers with the A record of the best-located server available. In our phone book metaphor, ECS is equivalent to a note specifying which area's phone book to look into. The request becomes "call Jim's hardware store in Belvidere, NJ", and an ideal answer can be provided. For more information, visit the home page for the ECS project at afasterinternet.com.
ECS and Recursive DNS servers
Cisco Umbrella, like other recursive DNS services, poses a challenge to DNS-based geolocation. Traditionally, users requested DNS from the ISP, which queried the DNS authority. Because the ISP's resolver sits within the ISP's own network IP ranges, this natively provides good geolocation.
Recursive DNS providers sit outside an ISP's network and may be located anywhere. Cisco Umbrella operates many datacenters under anycast IP addresses, and DNS queries may hit any of a variety of resolver locations worldwide. Most frequently the closest location is queried; however, this depends on each ISP having optimal routes. Most importantly, when it comes to widely distributed web services such as CDNs, the nearest Umbrella resolver may not be close network-wise to the requester's location, and the requester may receive a poor CDN server in response. For example, a user in Costa Rica may hit Cisco Umbrella's Miami datacenter and be served content from a Miami CDN. In our phone book metaphor, this is the equivalent of calling the operator and asking for the number for Jim's hardware: you receive an answer based on the region where the operator is located. Chicago returns Jim's of Wheaton and Miami may return Jim's of South Beach.
Figure 2: Example for a user in New Jersey seeking an answer from Cisco Umbrella
ECS is invaluable to CDNs served through recursive DNS providers, since the original source subnet can be passed on via ECS to the CDN's authoritative DNS infrastructure. A query via Umbrella to an ECS-enabled nameserver includes the requesting user's Class C network (/24 CIDR block) in the authoritative DNS query; Umbrella returns the relevant answer and caches it (according to TTL). In our phone book metaphor, this is calling the operator and requesting Jim's hardware near San José, Costa Rica. The operator in Miami would reply with the number for Jim's of San Pedro.
In conclusion, ECS enables a user anywhere in the world to query a nameserver anywhere in the world and receive a custom answer based on their source location, even when using a far-away recursive DNS server that supports ECS. The end result is the fastest available CDN server from anywhere in the world through any supported DNS service.
ECS and Cisco Umbrella
Cisco Umbrella supports ECS for authoritative DNS servers on an opt-in basis for nameserver owners. Many CDNs enjoy fast, accurate geolocation for Umbrella users, while some CDNs and services do not yet support ECS.
Know a service that does not yet utilize ECS? Contact the CDN network and ask about implementing ECS. The authoritative nameservers must support ECS before Umbrella can send them ECS data.
Site owners: if you utilize ECS today, contact us at email@example.com to validate your implementation and start receiving ECS data from Cisco Umbrella today! Both IPv4 and IPv6 ECS data are supported. Include a list of nameservers (by name) to validate and a domain to validate against.
Using ECS in dig
Did you know that dig natively supports ECS in DNS queries beginning in version 9.10? Append "+client=<subnet>" to your dig command when querying the authoritative nameserver directly. Note that this data is dropped if you query Umbrella directly and is replaced with your source /24. See our article here for details: https://support.opendns.com/hc/en-us/articles/227987687.
dig +client=126.96.36.199/24 <domain> @<nameserver>
Look for this subsection in the response to confirm that a nameserver makes use of ECS data:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 188.8.131.52/24/32
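To make the mechanics behind that CLIENT-SUBNET line concrete, here is an added example in Python (standard library only); it is not part of this article and not Umbrella's or dig's code. It encodes the CLIENT-SUBNET option the way an ECS-aware resolver does, zeroing the requester's address down to the /24 described above, decodes options back out of an OPT record's RDATA to render the same addr/source/scope line that dig prints, and rejects the malformed shapes the option format does not allow. The third number in dig's line is the scope prefix length: a query sends 0, and the authoritative server sets it in the reply to report how many address bits it actually used. Function names such as encode_ecs_option and build_query, and the 192.0.2.x and 2001:db8:: addresses (documentation ranges), are constructed for this example.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8              # EDNS0 option code for CLIENT-SUBNET (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # IANA address-family numbers carried in the option
EDNS_OPT_TYPE = 41               # RR type of the OPT pseudo-record


def truncate_address(ip, prefix_len):
    """Zero the bits beyond prefix_len, as a resolver does before forwarding ECS
    (the article describes Umbrella forwarding the requester's IPv4 /24)."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return net.network_address


def encode_ecs_option(ip, source_prefix, scope_prefix=0):
    """Build one option (code, length, payload) for an OPT RR. A query sends
    scope 0, and only the octets covering source_prefix are transmitted."""
    addr = ipaddress.ip_address(ip)
    if not 0 <= source_prefix <= addr.max_prefixlen:
        raise ValueError("source prefix out of range for address family")
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    network = truncate_address(addr, source_prefix)
    addr_bytes = network.packed[: (source_prefix + 7) // 8]
    payload = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def decode_ecs_payload(payload):
    """Parse a CLIENT-SUBNET payload, refusing an unknown family, a prefix longer
    than the family allows, an address length that does not match the source
    prefix, or non-zero bits past the prefix (all malformed per RFC 7871)."""
    if len(payload) < 4:
        raise ValueError("option shorter than its fixed header")
    family, source, scope = struct.unpack("!HBB", payload[:4])
    addr_bytes = payload[4:]
    if family == FAMILY_IPV4:
        total_len, max_prefix = 4, 32
    elif family == FAMILY_IPV6:
        total_len, max_prefix = 16, 128
    else:
        raise ValueError(f"unsupported address family {family}")
    if source > max_prefix or scope > max_prefix:
        raise ValueError("prefix length exceeds address family")
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix")
    address = ipaddress.ip_address(addr_bytes + bytes(total_len - len(addr_bytes)))
    if int(address) & ((1 << (max_prefix - source)) - 1):
        raise ValueError("non-zero bits beyond the source prefix")
    return {"family": family, "address": str(address), "source": source, "scope": scope}


def ecs_options_from_opt_rdata(rdata):
    """Walk an OPT RR's RDATA (a sequence of options) and decode every
    CLIENT-SUBNET option found; other options (e.g. DNS cookies) are skipped."""
    found, pos = [], 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        payload = rdata[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("option length runs past end of RDATA")
        if code == ECS_OPTION_CODE:
            found.append(decode_ecs_payload(payload))
        pos += 4 + length
    if pos != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return found


def format_like_dig(option):
    """Render an option the way dig prints it: CLIENT-SUBNET: addr/source/scope."""
    return f"CLIENT-SUBNET: {option['address']}/{option['source']}/{option['scope']}"


def build_query(qname, ecs_option, txid=0x1234, udp_size=512):
    """Minimal DNS query: header, one A/IN question and an OPT RR whose RDATA is
    the ECS option. In the OPT RR the CLASS field carries the UDP payload size
    and the TTL field the extended RCODE/version/flags (all zero here)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    opt_rr = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_size, 0, len(ecs_option))
    return header + question + opt_rr + ecs_option


if __name__ == "__main__":
    # Constructed sample: a requester at 192.0.2.77, forwarded as its /24.
    option = encode_ecs_option("192.0.2.77", 24)
    print(option.hex())                                            # 0008000700011800c00002
    print(format_like_dig(ecs_options_from_opt_rdata(option)[0]))  # CLIENT-SUBNET: 192.0.2.0/24/0
    print(len(build_query("example.com", option)), "byte query")   # 51 byte query
```

Running the module shows that the option carries only the three octets covering the /24, so the requester's host bits never leave the resolver, and that a reply's scope value (32 in the article's sample output) is what tells you the authoritative server actually used the subnet rather than ignoring it.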
Authoritative Nameserver Owners
Are you using ECS on your nameserver and looking to unlock its potential for Cisco Umbrella users worldwide? Let us know at firstname.lastname@example.org so that we may start sending ECS data to your nameservers! Include with your request a list of your nameserver domains and a sample domain that is ECS enabled that we may use to validate your configuration. Let's build a faster Internet together.