Closed liang-hiwin closed 2 weeks ago
Thanks for the details. The "eDnsClientSubnet": "0.0.0.0/0"
in there means that the DNS server did not receive ECS in the response.
Wait for the next update, which will add the ECS option for the DNS Client and also add more details to the cache entries. That will make the issue clearer to understand.
See from this that the ECS I attached is sent correctly: https://github.com/TechnitiumSoftware/DnsServer/issues/783#issuecomment-1986848183
But DnsServer doesn't seem to send my attached ECS to the upstream.
I am not familiar with the command line tool that you are using either, so I am not sure how it's working with it.
With the DNS server, it's working in the tests with Google DNS from there, so it does not seem to be a bug. The next update will help with this though, which should be available by next weekend.
OK, thank you for your answer and hard work.
Technitium DNS Server v12.1 is now available. It adds the ECS options for the DNS Client and also adds response metadata for cache entries. This should help in debugging the ECS issues that you have. Do update and let me know your feedback.
Great job, the parsing results are the same after the update.
How to use the ASN database?
I am not sure what is the reason for this. It does work though if you try with something like Google DNS. You can do the same tests using the dnsclient.net website (which is hosted outside your country) to see if that works from another location.
If you are asking about the Geo apps, then they have a sample ASN database with them. Those apps will use it to find the client's network based on the ASN database and then use the correct scope prefix value in the ECS option in the response. There is no config required for it to work.
The results are different, the position deviation is very large.
The response is generated by the upstream server so there is nothing that can be done from the client side in this case. Try using a different upstream provider and see if that works.
I wrote cf gateway doh for testing. The test command is the same as here, but the results are different https://private-user-images.githubusercontent.com/17548936/311438358-de8da194-c9bf-4cd8-946d-30b1ad804311.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTA2ODY1NDEsIm5iZiI6MTcxMDY4NjI0MSwicGF0aCI6Ii8xNzU0ODkzNi8zMTE0MzgzNTgtZGU4ZGExOTQtYzliZi00Y2Q4LTk0NmQtMzBiMWFkODA0MzExLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDAzMTclMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwMzE3VDE0MzcyMVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTRhZjVhYTcwNmExNzExNjExMWY2ZTczY2VjNWViNmFhNDUzMmQ5MWJhMjhmNmU2M2M3ZTBlZTYzMTIxMzI1MDAmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.kRhjotwkEZuVVdZUYH_qnc08YhFBoNP0r8o7PfnCo3k
  "Question": [
    {
      "Name": "www.taobao.com",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "www.taobao.com",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "600 (10 mins)",
      "RDLENGTH": "33 bytes",
      "RDATA": {
        "Domain": "www.taobao.com.danuoyi.tbcache.com"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "www.taobao.com.danuoyi.tbcache.com",
      "Type": "A",
      "Class": "IN",
      "TTL": "60 (1 min)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "218.77.200.194"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "www.taobao.com.danuoyi.tbcache.com",
      "Type": "A",
      "Class": "IN",
      "TTL": "60 (1 min)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "218.77.200.195"
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "0 bytes",
      "RDATA": {
        "Options": []
      },
      "DnssecStatus": "Disabled"
    }
  ]
}
The image is not loading here. Try to upload it again.
I am not sure what the test command you use is doing. The DNS Server is sending ECS option in the request but the response does not have ECS for your case for some reason.
The output is incomplete, but the OPT record does not have any options, so the ECS option is missing in the response.
If you can share your DoH endpoint URL privately over email to support then I can test it again from my location and see what output it gives.
Sent to gmail.com
Hello, I have to ask again: there is indeed a problem with ECS.
I set the value of Cache Minimum TTL to 10, and ECS is now normal. If this value is set too long, different subnet IPs will have the same result in a dig test.
The Cache Minimum TTL value does not have any interaction with ECS. It just sets the minimum TTL value for the records in the cache. Any difference you saw in your tests is just a coincidence.
In the cache, we see that the IP address of the cache subnet client is 0.0.0.0/0, so all ECS is messed up. I don't know why the subnet IP 0.0.0.0/0 is cached. When 0.0.0.0/0 is cached, it means that the parsed answer is suitable for all client IPs. This is wrong.
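As an added example (not code from this thread or from Technitium DNS Server), here is a small Python encoder/decoder for the EDNS Client Subnet option (RFC 7871) inside an OPT RR's RDATA. It covers both points discussed above: an OPT record whose "Options" list is empty carries no ECS at all, and an echoed ECS with scope prefix /0 tells the resolver the answer is valid for every client subnet, which is what a 0.0.0.0/0 cache entry reflects. All addresses and byte strings are constructed for the example.

```python
import ipaddress
import struct
ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)

def encode_ecs(address: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Encode one ECS option (code, length, payload) as it appears in OPT RR RDATA."""
    ip = ipaddress.ip_address(address)
    family = 1 if ip.version == 4 else 2
    # RFC 7871: send only ceil(prefix/8) address bytes, with bits past the prefix zeroed.
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr = net.network_address.packed[:(source_prefix + 7) // 8]
    payload = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload

def parse_opt_options(rdata: bytes) -> list:
    """Split OPT RR RDATA into (option_code, option_data) pairs."""
    options, pos = [], 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated EDNS option")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    if pos != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return options

def decode_ecs(data: bytes) -> dict:
    family, source, scope = struct.unpack_from("!HBB", data, 0)
    addr_bytes = data[4:]
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("ECS address length does not match source prefix")
    # Zero-pad the truncated address back to its full length (4 bytes IPv4, 16 bytes IPv6).
    addr = ipaddress.ip_address(addr_bytes + bytes({1: 4, 2: 16}[family] - len(addr_bytes)))
    return {"family": family, "source": source, "scope": scope, "address": str(addr)}

def ecs_status(rdata: bytes) -> str:
    """Say what an upstream's OPT RR tells a caching resolver about client-subnet scope."""
    ecs = [decode_ecs(d) for code, d in parse_opt_options(rdata) if code == ECS_OPTION_CODE]
    if not ecs:
        return "no ECS option: upstream ignored the client subnet, so the answer is cached for 0.0.0.0/0"
    e = ecs[0]
    if e["scope"] == 0:
        return f"ECS scope /0 for {e['address']}/{e['source']}: upstream says the answer is valid for all clients"
    return f"ECS scope /{e['scope']} for {e['address']}/{e['source']}: answer is subnet-specific and cached only for that scope"

# Constructed samples, not captured from the thread's upstream.
EMPTY_OPT = b""                                  # the thread's response: "Options": []
SCOPE_ZERO = encode_ecs("203.0.113.77", 24, 0)   # upstream echoes ECS with scope 0
SCOPE_24 = encode_ecs("203.0.113.77", 24, 24)    # upstream tailored the answer to the /24
```

Running ecs_status over the RDATA of an upstream's OPT record is the quickest way to tell apart "no ECS in the response" (the case in this thread) from "ECS echoed with scope /0", which look the same in the cache but are different upstream behaviours.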