TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0
3.86k stars 401 forks

There is a problem with ecs cache #783

Closed liang-hiwin closed 2 weeks ago

liang-hiwin commented 7 months ago

In the cache, we see that the client subnet IP address of the cached entry is 0.0.0.0/0, so all ECS lookups are messed up. I don't know why the subnet IP 0.0.0.0/0 is cached. When 0.0.0.0/0 is cached, it means that the answer is suitable for all client IPs. This is wrong.

ShreyasZare commented 3 months ago

Thanks for the details. The `"eDnsClientSubnet": "0.0.0.0/0"` in there means that the DNS server did not receive ECS in the response.

Wait for the next update, which will add an ECS option for the DNS Client and also add more details to the cache entries. That will make the issue easier to understand.

liang-hiwin commented 3 months ago

See from this that the ECS I attached is sent correctly: https://github.com/TechnitiumSoftware/DnsServer/issues/783#issuecomment-1986848183

liang-hiwin commented 3 months ago

But DnsServer doesn't seem to send my attached ECS to the upstream.

ShreyasZare commented 3 months ago

> See from this that the ECS I attached is sent correctly #783 (comment)

I am also not familiar with the command line tool that you are using, so I'm not sure how it's working with it.

> But DnsServer doesn't seem to send my attached ECS to the upstream.

With the DNS server, it's working in the tests with Google DNS from there, so it does not seem to be a bug. The next update will help with this though, which should be available by next weekend.

liang-hiwin commented 3 months ago

> See from this that the ECS I attached is sent correctly #783 (comment)
>
> I am also not familiar with the command line tool that you are using, so I'm not sure how it's working with it.
>
> But DnsServer doesn't seem to send my attached ECS to the upstream.
>
> With the DNS server, it's working in the tests with Google DNS from there, so it does not seem to be a bug. The next update will help with this though, which should be available by next weekend.

OK, thank you for your answer and hard work.

ShreyasZare commented 3 months ago

Technitium DNS Server v12.1 is now available. It adds the ECS options for the DNS Client and also adds response metadata for cache entries. This should help in debugging the ECS issues that you have. Do update and let me know your feedback.

liang-hiwin commented 3 months ago

Great job, the parsing results are the same after the update.

liang-hiwin commented 3 months ago

How to use ASN database?

ShreyasZare commented 3 months ago

> Great job, the parsing results are the same after the update.

I am not sure what the reason for this is. It does work though if you try with something like Google DNS. You can do the same tests using the dnsclient.net website (which is hosted outside your country) to see if that works from another location.

ShreyasZare commented 3 months ago

> How to use ASN database?

If you are asking for the Geo apps then they have sample ASN database with them. Those apps will use it to find the client's network based on the ASN database and then use the correct scope prefix value in the ECS option in the response. There is no config required for it to work.

liang-hiwin commented 3 months ago

> Great job, the parsing results are the same after the update.
>
> I am not sure what the reason for this is. It does work though if you try with something like Google DNS. You can do the same tests using the dnsclient.net website (which is hosted outside your country) to see if that works from another location.

The results are different, the position deviation is very large.

ShreyasZare commented 3 months ago

> Great job, the parsing results are the same after the update.
>
> I am not sure what the reason for this is. It does work though if you try with something like Google DNS. You can do the same tests using the dnsclient.net website (which is hosted outside your country) to see if that works from another location.
>
> The results are different, the position deviation is very large.

The response is generated by the upstream server, so there is nothing that can be done from the client side in this case. Try using a different upstream provider and see if that works.

liang-hiwin commented 3 months ago

> Great job, the parsing results are the same after the update.
>
> I am not sure what the reason for this is. It does work though if you try with something like Google DNS. You can do the same tests using the dnsclient.net website (which is hosted outside your country) to see if that works from another location.
>
> The results are different, the position deviation is very large.
>
> The response is generated by the upstream server, so there is nothing that can be done from the client side in this case. Try using a different upstream provider and see if that works.

I wrote a cf gateway DoH for testing. The test command is the same as here, but the results are different: [screenshot attachment]

liang-hiwin commented 3 months ago

```json
  "Question": [
    {
      "Name": "www.taobao.com",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "www.taobao.com",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "600 (10 mins)",
      "RDLENGTH": "33 bytes",
      "RDATA": {
        "Domain": "www.taobao.com.danuoyi.tbcache.com"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "www.taobao.com.danuoyi.tbcache.com",
      "Type": "A",
      "Class": "IN",
      "TTL": "60 (1 min)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "218.77.200.194"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "www.taobao.com.danuoyi.tbcache.com",
      "Type": "A",
      "Class": "IN",
      "TTL": "60 (1 min)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "218.77.200.195"
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "0 bytes",
      "RDATA": {
        "Options": []
      },
      "DnssecStatus": "Disabled"
    }
  ]
}
```
ShreyasZare commented 3 months ago

> Great job, the parsing results are the same after the update.
>
> I am not sure what the reason for this is. It does work though if you try with something like Google DNS. You can do the same tests using the dnsclient.net website (which is hosted outside your country) to see if that works from another location.
>
> The results are different, the position deviation is very large.
>
> The response is generated by the upstream server, so there is nothing that can be done from the client side in this case. Try using a different upstream provider and see if that works.
>
> I wrote a cf gateway DoH for testing. The test command is the same as here, but the results are different: [screenshot attachment]

The image is not loading here. Try to upload it again.

I am not sure what the test command you use is doing. The DNS Server is sending the ECS option in the request, but the response does not have ECS in your case for some reason.

ShreyasZare commented 3 months ago

> ```json
>   "Question": [
>     {
>       "Name": "www.taobao.com",
>       "Type": "A",
>       "Class": "IN"
>     }
>   ],
>   "Answer": [
>     {
>       "Name": "www.taobao.com",
>       "Type": "CNAME",
>       "Class": "IN",
>       "TTL": "600 (10 mins)",
>       "RDLENGTH": "33 bytes",
>       "RDATA": {
>         "Domain": "www.taobao.com.danuoyi.tbcache.com"
>       },
>       "DnssecStatus": "Disabled"
>     },
>     {
>       "Name": "www.taobao.com.danuoyi.tbcache.com",
>       "Type": "A",
>       "Class": "IN",
>       "TTL": "60 (1 min)",
>       "RDLENGTH": "4 bytes",
>       "RDATA": {
>         "IPAddress": "218.77.200.194"
>       },
>       "DnssecStatus": "Disabled"
>     },
>     {
>       "Name": "www.taobao.com.danuoyi.tbcache.com",
>       "Type": "A",
>       "Class": "IN",
>       "TTL": "60 (1 min)",
>       "RDLENGTH": "4 bytes",
>       "RDATA": {
>         "IPAddress": "218.77.200.195"
>       },
>       "DnssecStatus": "Disabled"
>     }
>   ],
>   "Authority": [],
>   "Additional": [
>     {
>       "Name": "",
>       "Type": "OPT",
>       "Class": "1232",
>       "TTL": "0 (0 sec)",
>       "RDLENGTH": "0 bytes",
>       "RDATA": {
>         "Options": []
>       },
>       "DnssecStatus": "Disabled"
>     }
>   ]
> }
> ```

The output is incomplete, but the OPT record does not have any options, so the ECS option is missing in the response.

If you can share your DoH endpoint URL privately over email to support then I can test it again from my location and see what output it gives.
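To make the point in the comments above concrete (an OPT record whose option list is empty means the upstream returned no ECS, which is what the `"eDnsClientSubnet": "0.0.0.0/0"` cache field reflects), here is an added example that is not code from the Technitium project: it encodes and decodes the RFC 7871 ECS option and derives the subnet an ECS-aware cache should key the answer under from the SCOPE prefix. All function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)


def build_ecs_option(address: str, source_prefix: int, scope_prefix: int) -> bytes:
    """Encode one ECS option: OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE, SCOPE, ADDRESS."""
    ip = ipaddress.ip_address(address)
    family = 1 if ip.version == 4 else 2
    # Only the octets covered by SOURCE PREFIX-LENGTH are transmitted (RFC 7871 section 6).
    addr_bytes = ip.packed[: (source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs(opt_rdata: bytes):
    """Walk the OPT RDATA option list; return (family, source, scope, address) or None if no ECS."""
    i = 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, i)
        body = opt_rdata[i + 4 : i + 4 + length]
        i += 4 + length
        if code != ECS_OPTION_CODE or len(body) < 4:
            continue  # e.g. a cookie option; keep scanning
        family, source, scope = struct.unpack_from("!HBB", body, 0)
        addr_len = 16 if family == 2 else 4
        # Pad the truncated address back to full length so it can be parsed.
        addr = body[4:].ljust(addr_len, b"\x00")[:addr_len]
        return family, source, scope, ipaddress.ip_address(addr)
    return None


def cache_subnet(opt_rdata: bytes) -> str:
    """Return the subnet under which an ECS-aware cache stores the answer.

    No ECS in the response means the answer is not client-specific, which the
    cache records as 0.0.0.0/0 (the case discussed in this issue). When ECS is
    present, the SCOPE prefix, not the SOURCE prefix, bounds the clients the
    answer is valid for; a scope of 0 likewise means "valid for every client".
    """
    ecs = parse_ecs(opt_rdata)
    if ecs is None:
        return "0.0.0.0/0"
    _family, _source, scope, addr = ecs
    return str(ipaddress.ip_network((str(addr), scope), strict=False))
```

Feeding the constructed `build_ecs_option(...)` bytes into `cache_subnet` shows how a /24 source with a /20 scope from the upstream collapses to a /20 cache key, while an empty option list (as in the output quoted above) collapses to 0.0.0.0/0.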

liang-hiwin commented 3 months ago

Sent to gmail.com

liang-hiwin commented 1 month ago

> ```json
>   "Question": [
>     {
>       "Name": "www.taobao.com",
>       "Type": "A",
>       "Class": "IN"
>     }
>   ],
>   "Answer": [
>     {
>       "Name": "www.taobao.com",
>       "Type": "CNAME",
>       "Class": "IN",
>       "TTL": "600 (10 mins)",
>       "RDLENGTH": "33 bytes",
>       "RDATA": {
>         "Domain": "www.taobao.com.danuoyi.tbcache.com"
>       },
>       "DnssecStatus": "Disabled"
>     },
>     {
>       "Name": "www.taobao.com.danuoyi.tbcache.com",
>       "Type": "A",
>       "Class": "IN",
>       "TTL": "60 (1 min)",
>       "RDLENGTH": "4 bytes",
>       "RDATA": {
>         "IPAddress": "218.77.200.194"
>       },
>       "DnssecStatus": "Disabled"
>     },
>     {
>       "Name": "www.taobao.com.danuoyi.tbcache.com",
>       "Type": "A",
>       "Class": "IN",
>       "TTL": "60 (1 min)",
>       "RDLENGTH": "4 bytes",
>       "RDATA": {
>         "IPAddress": "218.77.200.195"
>       },
>       "DnssecStatus": "Disabled"
>     }
>   ],
>   "Authority": [],
>   "Additional": [
>     {
>       "Name": "",
>       "Type": "OPT",
>       "Class": "1232",
>       "TTL": "0 (0 sec)",
>       "RDLENGTH": "0 bytes",
>       "RDATA": {
>         "Options": []
>       },
>       "DnssecStatus": "Disabled"
>     }
>   ]
> }
> ```
>
> The output is incomplete, but the OPT record does not have any options, so the ECS option is missing in the response.
>
> If you can share your DoH endpoint URL privately over email to support then I can test it again from my location and see what output it gives.

Hello, I have to ask again; there is indeed a problem with ECS.

I set the value of Cache Minimum TTL to 10, and ECS is now normal. If this value is set too long, different subnet IPs will get the same result in dig tests.

ShreyasZare commented 1 month ago

> Hello, I have to ask again; there is indeed a problem with ECS.
>
> I set the value of Cache Minimum TTL to 10, and ECS is now normal. If this value is set too long, different subnet IPs will get the same result in dig tests.

The Cache Minimum TTL value does not have any interaction with ECS. It just sets the minimum TTL for the records in cache. Any difference you saw in your tests is just a coincidence.