Question about: EDNS

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Sonyrolfy

Regular Contributor
After some testing with the new Beta 384.11 Beta 2, which work great! There is some discussion about EDNS and it seems that it’s disabled by default on the router, in my case the 86U. After some reading on the web (see below) I was wondering if EDNS could be a benefit in terms of privacy? (Without using DoT) or does EDNS give trouble, depending on configurations in the router or else?

By the looks of it, it will give extra privacy, but then again I’m not familiar with it, so I can be mistaken.

Thanks for the heads-up!


What’s EDNS all about?

Fixing DNS requires some way of preserving the original location of the user across multiple middle boxes. The original design of DNS restricts the total packet size to 512 bytes, which effectively does not leave any room for a “location extension”, or any other extension like DNSSEC. This is what EDNS (Extended DNS) will solve in a backward-compatible way: if both DNS servers support EDNS, they can exchange packets larger than 512 bytes, and if not — they fall back to the traditional DNS.

What’s EDNS Client Subnet?

In 2011 Google wrote an IETF draft to send Client IP information using the EDNS0 extension and this is usually called ‘edns-client-subnet’. As a DNS client, it means that a truncated version of your IP address will be added into the DNS request. The DNS server will use this truncated IP address to make a more informed decision in how it responds so that you can be connected to the most optimal server. This standard is promoted by the Faster Internet initiative and already adopted by some leading vendors.

Because it is designed to keep privacy, the sender has the freedom to limit the client IP information. Instead of sending a full IP address, the DNS server is able to send partial information such as /24 only. For instance, if your IP address is 66.214.81.22, the DNS server will only expose the first three octets, so 66–214–81. Armed with the real IP address of the querying device, the DNS server can now come up with a much more accurate response.

With this more intelligent routing, customers have a better Internet experience with lower latency and faster speeds. Best of all, this integration is being done using an open standard that is available for any company to integrate into their own platform.
 

Grisu

Part of the Furniture
IMO only reason to get even more infos about your privacy!
Do you really think they need last octet to know exactly (most times) who is connecting to their server (they have enough other infos about you to know)? With first 3 octets and additional infos they're almost done ...
 

Butterfly Bones

Very Senior Member
After some testing with the new Beta 384.11 Beta 2, which work great! There is some discussion about EDNS and it seems that it’s disabled by default on the router, in my case the 86U. After some reading on the web (see below) I was wondering if EDNS could be a benefit in terms of privacy? (Without using DoT) or does EDNS give trouble, depending on configurations in the router or else?

By the looks of it, it will give extra privacy, but then again I’m not familiar with it, so I can be mistaken.

Thanks for the heads-up!


What’s EDNS all about?

Fixing DNS requires some way of preserving the original location of the user across multiple middle boxes. The original design of DNS restricts the total packet size to 512 bytes, which effectively does not leave any room for a “location extension”, or any other extension like DNSSEC. This is what EDNS (Extended DNS) will solve in a backward-compatible way: if both DNS servers support EDNS, they can exchange packets larger than 512 bytes, and if not — they fall back to the traditional DNS.

What’s EDNS Client Subnet?

In 2011 Google wrote an IETF draft to send Client IP information using the EDNS0 extension and this is usually called ‘edns-client-subnet’. As a DNS client, it means that a truncated version of your IP address will be added into the DNS request. The DNS server will use this truncated IP address to make a more informed decision in how it responds so that you can be connected to the most optimal server. This standard is promoted by the Faster Internet initiative and already adopted by some leading vendors.

Because it is designed to keep privacy, the sender has the freedom to limit the client IP information. Instead of sending a full IP address, the DNS server is able to send partial information such as /24 only. For instance, if your IP address is 66.214.81.22, the DNS server will only expose the first three octets, so 66–214–81. Armed with the real IP address of the querying device, the DNS server can now come up with a much more accurate response.

With this more intelligent routing, customers have a better Internet experience with lower latency and faster speeds. Best of all, this integration is being done using an open standard that is available for any company to integrate into their own platform.
I researched this as well.
https://www.snbforums.com/threads/b...ta-is-now-available.56325/page-32#post-487014

Note RMerlin's reply to my post.
https://www.snbforums.com/threads/b...ta-is-now-available.56325/page-32#post-487021

One reason is that people wanting to use DoT/DoH usually do so for privacy reasons. Using the EDNS Client Subnet extension pretty much violate this, by sending your IP's subnet (typically as a /24, but some ISP resolvers might change that scope) to the resolving DNS.

As someone pointed out, the stubby implementation is also done to disable sending such info by default, so just switching resolver might not be enough. You would have to either disable it in stubby through a postconf, or stop using DNS Privacy.
 

Sonyrolfy

Regular Contributor
First. Thanks for the explanations above!

I get it; if the first 3 octets will be visible and they will guess / know who I am with additional info they gather. Oke makes sense. No privacy there.

Second thought with a VPN-Netflix Scenario or maybe online gaming.

Let’s say my VPN provider will use EDNS. Lower latency is great when connecting to Netflix over vpn, Netflix will see the first 3 octets of my exit IP so they can’t block the IP connection right? Because they don’t know the last octet. They can guess and with some DPI they will leave other viewers without vpn in the dark when they guess wrong and block it. Or do I miss something?

Maybe there are other scenarios were EDNS could be handy when using a vpn ?

Just wondering.

I Like you quote Butterfly Bones :)
Thanks guys..
 

RMerlin

Asuswrt-Merlin dev
I get it; if the first 3 octets will be visible and they will guess / know who I am with additional info they gather. Oke makes sense.
That's not the goal behind EDNS Client Subnet. The goal is for improved CDN performance. Let's take an hypothetical scenario - say you want to resolve update.microsoft.com. If you send the Client Subnet with the request, then the microsoft.com server will be able to tell in which region you are located, and give you the IP address that's the closest to you, for the best download performance.

Without that, you might be pointed at a "global" update server located anywhere in the world, which would result in slower downloads.

You can see something similar with www.google.com - resolving that name will give a different IP in some regions. For instance, I get a different IP depending on if I resolve it from my home PC, or from my server located in a different country.
 

Sonyrolfy

Regular Contributor
I get it, I think) so EDNS is all about performance, lower latency, with viewer hops, faster webpages.. EDNS won’t give more privacy or anonymity when EDNS is leaving the last octet out of the IP address as I was thinking. I will later read into it to get a deeper understanding. Appreciated!
 

Zonkd

Very Senior Member
Interestingly Salesforce thinks EDNS doesn't really compromise privacy and gives the user choice to opt out:
"Because it is designed to keep privacy, the sender has the freedom to limit the client IP information. Instead of sending a full IP address, the DNS server is able to send partial information such as /24 only. For instance, if your IP address is 66.214.81.22, the DNS server will only expose the first three octets, so 66–214–81." - Source SalesForce

I think they make a convincing argument for EDNS.
"DNS servers use the IP address of the incoming query to identify the user location. When a DNS server does not know the answer for a query, it acts as a “Recursive Resolver” and throws the query upstream. By design, every hop in the DNS chain terminates the connection and initiates a new one toward the next hop. Since most queries come from intermediate Recursive Resolvers, the source address is that of the Recursive Resolver rather than of the query originator. Traditionally, Recursive Resolvers are reasonably close to the source of queries. For these resolvers, using their own IP address is sufficient for authority servers that tailor responses based upon the location of the queries. However, many ISPs and other organizations use a Centralized Resolver infrastructure that can be distant from the clients the resolvers serve. In these cases, the Authoritative Nameserver may get the wrong idea about the user location, which in turn may lead to a poor server selection." - Source SalesForce

So basically they're saying since you already tell the recursive DNS server your location, so you might as well let them forward that info to upstream authoritative servers if necessary. Obviously it'd be unhelpful for VPN users because 1. you want to conceal your actual location, and 2. the best dns response will point to a server closest to your VPN exit server (whatever country that may be), not to the server closest to your actual location.
 
Last edited:

ColinTaylor

Part of the Furniture
@Zonkd You've repeated exactly the same text that was in post #1, and the subsequent explanation (post #5).:confused:
 

Zonkd

Very Senior Member
@ColinTaylor - hid repeated text to improve readability --- just wanted to add my voice against @Grisu 's assertion EDNS serves only to hurt privacy. Good policy to incl my own sources in my own post because lets me substantiate my views with <strong> emphasis for the text I'm focused on when making my sense of the subject matter. By speaking on it in my own words I'll be corrected if I misread/misunderstood anything. Far better I look a fool here than elsewhere and eventually passing on bad info/advice to others. Plus I'm keen to hear more conversation about EDNS.
 

ColinTaylor

Part of the Furniture
@ColinTaylor - hid repeated text to improve readability --- just wanted to add my voice against @Grisu 's assertion EDNS serves only to hurt privacy. Good policy to incl my own sources in my own post because lets me substantiate my views with <strong> emphasis for the text I'm focused on when making my sense of the subject matter. By speaking on it in my own words I'll be corrected if I misread/misunderstood anything. Far better I look a fool here than elsewhere and eventually passing on bad info/advice to others. Plus I'm keen to hear more conversation about EDNS.
Fair enough. It's just that the way it read sounded like you were citing a second source/opinion rather than restating the quote from the original post.

As for more conversation about EDNS, I'm not sure what else can be said. It is what it is.
 
Last edited:

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top