For domains hosted at Akamai CDN, Google DoH's ECS option not taking effect


George Ge

Nov 9, 2018, 4:17:19 AM
to public-dns-discuss


Hi. I am curious why Google DoH's ECS option is not affecting the result.
I am aware that Akamai CDN does not accept ECS options, but Google DoH's recursive resolvers should be geo-distributed, so it should not be a problem that Akamai does not take in ECS.
Between Google DoH's recursive resolver and the authoritative name servers (Akamai CDN in this case), is Google DoH solely relying on ECS to carry the client IP?
Thanks.


Ben Tasker

Nov 9, 2018, 4:53:57 AM
to George Ge, public-dns-discuss
There's an error in your command.

You need to quote the URL as it contains ampersands; anything following those will not be included in your request, so in this case the ECS information you've specified in the query string isn't sent.

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 299,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1799,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "2.17.210.16"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "2.17.210.48"}],"Additional":[],"edns_client_subnet": "204.117.214.10/0","Comment": "Response from 2.22.11.92."}


On Fri, Nov 9, 2018 at 9:18 AM, George Ge <gezh...@gmail.com> wrote:

Jietu20181109-171822.png

--
You received this message because you are subscribed to the Google Groups "public-dns-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public-dns-discuss+unsub...@googlegroups.com.
To post to this group, send email to public-dns-discuss@googlegroups.com.
Visit this group at https://groups.google.com/group/public-dns-discuss.
To view this discussion on the web visit https://groups.google.com/d/msgid/public-dns-discuss/88236da2-535f-4c27-bfed-fc987d3a402d%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.




George Ge

Nov 9, 2018, 6:03:16 AM
to public-dns-discuss
Sorry for the low-level mistake.
I had tested it before on the web UI and later forgot to add the quotes in the curl command.
The problem still exists.

[gezhaozhi@gezhaozhideMacBook-Pro:/Users/gezhaozhi]
$curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A&edns_client_subnet=158.43.240.3'
{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 168,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1436,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.54.124.8"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.212.54.123"}],"Additional":[],"edns_client_subnet": "158.43.240.3/0","Comment": "Response from 88.221.81.192."}

[gezhaozhi@gezhaozhideMacBook-Pro:/Users/gezhaozhi]
$curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A&edns_client_subnet=204.117.214.10'
{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 25,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1525,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.212.54.123"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.54.124.8"}],"Additional":[],"edns_client_subnet": "204.117.214.10/0","Comment": "Response from 23.61.250.103."}




George Ge

Nov 21, 2018, 2:18:42 AM
to public-dns-discuss
Hi, Ben. Could you please give any further clue on this?
That would help a lot.

I entered two different ECS subnet IPs, one from the UK and one from the USA, but the results all seem to be IPs from Japan (I am sending these curls from China).

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 168,"data":"api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1436,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL":19,"data": "23.54.124.8"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.212.54.123"}],"Additional":[],"edns_client_subnet": "158.43.240.3/0","Comment": "Response from 88.221.81.192."}

[gezhaozhi@gezhaozhideMacBook-Pro:/Users/gezhaozhi]

$curl 'https://dns.google.com/resolve?name=api.anote-app.com&type=A&edns_client_subnet=204.117.214.10'

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 25,"data":"api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1525,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL":19,"data": "23.212.54.123"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.54.124.8"}],"Additional":[],"edns_client_subnet": "204.117.214.10/0","Comment": "Response from 23.61.250.103."}



Ben Tasker

Nov 21, 2018, 6:25:35 AM
to George Ge, public-dn...@googlegroups.com
I've just tested against one of my own servers, and Google's definitely passing ECS through.

If Akamai don't use ECS though (confirmed below), your result is going to be based on the geolocation of the Google PoP that places the upstream request to their authoritatives, no matter what you pass in your DoH request. Google might or might not be supplying them with the ECS information in your request, but it's irrelevant if they're not using it (it's probably not being sent if Google has identified that they're not returning valid ECS responses, though).

As your requests are seemingly going to the same DoH location, the upstream queries will likely also be originating from there (I don't know, but I assume Google isn't going to be farming queries out to recursors in a different country from the one they were received in). I'd guess Japan is probably your nearest PoP (in terms of network latency).

The other thing is, because Akamai aren't using ECS, the scope is /0 (i.e. the results are valid for all downstream subnets), so if you run your queries in close succession you may well get them from the recursor's cache.

Just to confirm, they don't appear to use ECS:

---- Response ----
id 37507
opcode QUERY
rcode NOERROR
flags QR AA RD
edns 0
payload 4096
;QUESTION
;ANSWER
e25583.a.akamaiedge.net. 20 IN A 2.17.210.16
e25583.a.akamaiedge.net. 20 IN A 2.17.210.48
;AUTHORITY
;ADDITIONAL
[]


Alex Dupuy

Nov 21, 2018, 12:40:23 PM
to public-dns-discuss
Akamai will only honor ECS from sources that they have legal agreements with; they will ignore any ECS that you provide in your own dig queries, but they do not ignore ECS from parties with whom they have legal agreements about ECS.

https://tools.ietf.org/html/rfc7871#section-7.3.2 and particularly https://tools.ietf.org/html/rfc7871#section-7.5 have some relevant commentary here, as highlighted in my previous response to George in a different thread: https://groups.google.com/d/msg/public-dns-discuss/JpK7GblfDTA/1vNdjHMQCgAJ.

At the end of the day, diagnostic ECS queries for Akamai hosted domains will not generate the responses you are looking for, regardless of how you send them. If you really need to see that it is working "correctly" you would be best served by making queries without ECS from remote probes such as are operated by RIPE Atlas and others. You can route those queries through public resolvers and see the results you will actually get from those locations.
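To make the check Ben and Alex describe repeatable, here is an added example (not code from anyone in this thread) that parses a Google DoH JSON answer and flags a /0 scope as "ECS not honoured"; the sample response is constructed from the shape shown above, and `query_google_doh` is a hypothetical helper for a live run that builds the URL with `urlencode` so the ampersand problem from earlier in the thread cannot recur.

```python
import json
import ipaddress
from urllib.request import urlopen
from urllib.parse import urlencode

# Constructed sample in the shape of the responses quoted in this thread.
# The edns_client_subnet field carries the scope the authoritative reported back.
SAMPLE_RESPONSE = json.dumps({
    "Status": 0,
    "Question": [{"name": "api.anote-app.com.", "type": 1}],
    "Answer": [
        {"name": "api.anote-app.com.", "type": 5, "TTL": 25, "data": "api.anote-app.com.edgekey.net."},
        {"name": "api.anote-app.com.edgekey.net.", "type": 5, "TTL": 1525, "data": "e25583.a.akamaiedge.net."},
        {"name": "e25583.a.akamaiedge.net.", "type": 1, "TTL": 19, "data": "23.212.54.123"},
        {"name": "e25583.a.akamaiedge.net.", "type": 1, "TTL": 19, "data": "23.54.124.8"},
    ],
    "edns_client_subnet": "204.117.214.10/0",
    "Comment": "Response from 23.61.250.103.",
})


def analyse_ecs(doh_json: str) -> dict:
    """Summarise whether the authoritative honoured the ECS option.

    Scope /0 means the answer is valid for every client subnet: the authoritative
    ignored (or never received) ECS, and the recursor may serve it from cache to anyone.
    """
    resp = json.loads(doh_json)
    ecs = resp.get("edns_client_subnet")  # absent when no ECS was sent at all
    scope = ipaddress.ip_network(ecs, strict=False).prefixlen if ecs else None
    a_records = [rr["data"] for rr in resp.get("Answer", []) if rr["type"] == 1]
    return {
        "status": resp.get("Status"),
        "ecs_sent": ecs is not None,
        "scope": scope,
        "ecs_honoured": bool(ecs) and scope > 0,
        "a_records": a_records,
        "resolver_comment": resp.get("Comment"),
    }


def query_google_doh(name: str, client_subnet: str) -> dict:
    """Hypothetical live helper (needs network): query the JSON endpoint used above."""
    # urlencode quotes the '&'-separated parameters, so the shell cannot truncate them.
    params = urlencode({"name": name, "type": "A", "edns_client_subnet": client_subnet})
    with urlopen(f"https://dns.google.com/resolve?{params}", timeout=10) as r:
        return analyse_ecs(r.read().decode())


if __name__ == "__main__":
    print(analyse_ecs(SAMPLE_RESPONSE))
```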




George Ge

Nov 21, 2018, 9:16:33 PM
to public-dns-discuss
Thanks, Ben. I felt the same way as you, that Akamai is not accepting ECS.
Alex is giving a pretty solid explanation. Let's check that out.


George Ge

Nov 21, 2018, 10:32:59 PM
to public-dns-discuss
Thanks again, Alex. I got it.

In case others have the same question, here are my tests:
47.90.241.220

{"ip":"47.90.241.220","type":"ipv4","continent_code":"NA","continent_name":"North America","country_code":"US","country_name":"United States","region_code":"CA","region_name":"California","city":"San Mateo","zip":"94402","latitude":37.5507,"longitude":-122.3276,"location":{"geoname_id":5392423,"capital":"Washington D.C.","languages":[{"code":"en","name":"English","native":"English"}],"country_flag":"http:\/\/assets.ipstack.com\/flags\/us.svg","country_flag_emoji":"\ud83c\uddfa\ud83c\uddf8","country_flag_emoji_unicode":"U+1F1FA U+1F1F8","calling_code":"1","is_eu":false}}

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 277,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 686,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "104.112.235.104"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "104.112.235.75"}],"Comment": "Response from 72.246.52.147."}


47.74.152.213

{"ip":"47.74.152.213","type":"ipv4","continent_code":"AS","continent_name":"Asia","country_code":"SG","country_name":"Singapore","region_code":"01","region_name":"Central Singapore Community Development Council","city":"Singapore","zip":null,"latitude":1.2931,"longitude":103.8558,"location":{"geoname_id":1880252,"capital":"Singapore","languages":[{"code":"en","name":"English","native":"English"},{"code":"ms","name":"Malay","native":"Bahasa Melayu"},{"code":"ta","name":"Tamil","native":"\u0ba4\u0bae\u0bbf\u0bb4\u0bcd"},{"code":"zh","name":"Chinese","native":"\u4e2d\u6587"}],"country_flag":"http:\/\/assets.ipstack.com\/flags\/sg.svg","country_flag_emoji":"\ud83c\uddf8\ud83c\uddec","country_flag_emoji_unicode":"U+1F1F8 U+1F1EC","calling_code":"65","is_eu":false}}

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 98,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1229,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "104.120.139.219"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "173.222.148.56"}],"Comment": "Response from 61.220.62.191."}


120.52.147.46

{"ip":"120.52.147.46","type":"ipv4","continent_code":"AS","continent_name":"Asia","country_code":"CN","country_name":"China","region_code":null,"region_name":null,"city":null,"zip":null,"latitude":34.7725,"longitude":113.7266,"location":{"geoname_id":null,"capital":"Beijing","languages":[{"code":"zh","name":"Chinese","native":"\u4e2d\u6587"}],"country_flag":"http:\/\/assets.ipstack.com\/flags\/cn.svg","country_flag_emoji":"\ud83c\udde8\ud83c\uddf3","country_flag_emoji_unicode":"U+1F1E8 U+1F1F3","calling_code":"86","is_eu":false}}

{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": false,"CD": false,"Question":[ {"name": "api.anote-app.com.","type": 1}],"Answer":[ {"name": "api.anote-app.com.","type": 5,"TTL": 299,"data": "api.anote-app.com.edgekey.net."},{"name": "api.anote-app.com.edgekey.net.","type": 5,"TTL": 1799,"data": "e25583.a.akamaiedge.net."},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.42.156.201"},{"name": "e25583.a.akamaiedge.net.","type": 1,"TTL": 19,"data": "23.42.156.240"}],"Comment": "Response from 203.198.20.159."}

By the way, does Google DoH have that legal agreement on ECS with Akamai yet?

Ben Tasker

Nov 22, 2018, 3:43:44 AM
to George Ge, public-dn...@googlegroups.com
Thanks, Alex.

> Akamai will only honor ECS from sources that they have legal agreements with, they will ignore any ECS that you provide in your own dig queries, but they do not ignore ECS from parties with whom they have legal agreements about ECS.

That makes much more sense; it seemed odd that Akamai would entirely ignore ECS. It's not like they're a small player in the space, or even technologically behind in general.

I know OpenDNS implement 12.2 (https://tools.ietf.org/html/rfc7871#section-12.2) on their RRs; it should've occurred to me that Akamai (of all people) might've implemented a whitelist of their own to selectively support ECS (odd thing to do on an authoritative used for routing IMO, but I can see reasons for it).
