Different manifestations of ECS

qiao...@126.com

Mar 14, 2022, 9:53:57 AM
to public-dns-discuss
Hello

I have some public DNS questions about the ECS implementation.
Background:
www.a.shifen.com: for Chinese IPs, it resolves directly to an IP. For non-Chinese IPs, it is a CNAME to another domain name.
xiaodu.a.shifen.com: for IPs in all regions, its IP can be resolved directly.
Both domain names support different resolutions in different regions. The only difference is that www.a.shifen.com is a CNAME to another domain name for non-Chinese IPs. But when I resolve through the 8.8.8.8 recursive resolver, xiaodu.a.shifen.com is resolved correctly whether or not ECS is added, while www.a.shifen.com shows unexpected resolution.
for example:
1)
dig @8.8.8.8 xiaodu.a.shifen.com

; <<>> DiG 9.16.8 <<>> @8.8.8.8 xiaodu.a.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4481
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;xiaodu.a.shifen.com.                IN        A

;; ANSWER SECTION:
xiaodu.a.shifen.com.        291        IN        A        180.101.49.145
 
OR

dig @8.8.8.8 xiaodu.a.shifen.com +subnet=180.101.49.11/24

; <<>> DiG 9.16.8 <<>> @8.8.8.8 xiaodu.a.shifen.com +subnet=180.101.49.11/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 180.101.49.0/24/14
;; QUESTION SECTION:
;xiaodu.a.shifen.com.                IN        A

;; ANSWER SECTION:
xiaodu.a.shifen.com.        296        IN        A        180.101.49.145

;; Query time: 38 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 14 15:18:30 CST 2022
;; MSG SIZE  rcvd: 75

dig @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24

; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15300
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 180.101.49.0/24/14
;; QUESTION SECTION:
;www.a.shifen.com.                IN        A

;; ANSWER SECTION:
www.a.shifen.com.        300        IN        A        180.101.49.11
www.a.shifen.com.        300        IN        A        180.101.49.12

;; Query time: 103 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 14 15:19:00 CST 2022
;; MSG SIZE  rcvd: 88

Another, different result (this is unexpected, given the direct proxy ECS option in the request):
dig @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24

; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26758
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 180.101.49.0/24/0
;; QUESTION SECTION:
;www.a.shifen.com.                IN        A

;; ANSWER SECTION:
www.a.shifen.com.        163        IN        CNAME        www.wshifen.com.
www.wshifen.com.        51        IN        A        45.113.192.102
www.wshifen.com.        51        IN        A        45.113.192.101

The behaviour of 8.8.8.8 without an ECS request also shows both cases:
dig @8.8.8.8 www.a.shifen.com

; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52049
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.a.shifen.com.                IN        A

;; ANSWER SECTION:
www.a.shifen.com.        300        IN        A        180.101.49.11
www.a.shifen.com.        300        IN        A        180.101.49.12

;; Query time: 150 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 14 15:39:04 CST 2022
;; MSG SIZE  rcvd: 77

Another:
dig @8.8.8.8 www.a.shifen.com

; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44119
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.a.shifen.com.                IN        A

;; ANSWER SECTION:
www.a.shifen.com.        255        IN        CNAME        www.wshifen.com.
www.wshifen.com.        239        IN        A        45.113.192.102
www.wshifen.com.        239        IN        A        45.113.192.101

All the above requests were made on the same device at the same time. Because my egress IP is in mainland China, the response with the CNAME is unexpected. It should be noted here that the authority for a.shifen.com supports IPv4 and IPv6 ECS, and the authority for wshifen.com supports IPv4 ECS.
It seems strange that if my domain name does not return a CNAME in any ACL match, but directly returns the resolved IP according to the requesting IP, then the response is as expected, like the domain xiaodu.a.shifen.com.

Could you please explain the reason for this situation and how to realize it? If I want to support CNAME, how can I modify it?
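The two CLIENT-SUBNET lines in the dig output above differ in the third field, the scope prefix-length: 180.101.49.0/24/14 means the answer was tailored to a /14, while 180.101.49.0/24/0 means the answer was not tailored at all and a resolver may serve it from cache to any client. This added example (not part of the poster's message or of Google Public DNS) encodes and decodes the EDNS Client Subnet option as defined in RFC 7871, parses dig's CLIENT-SUBNET line, and states what each scope value implies for caching; the only inputs are the two lines quoted from the post.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8              # EDNS0 option code for CLIENT-SUBNET (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # IANA address family numbers

def encode_ecs(network: str, scope: int = 0) -> bytes:
    """Build ECS option data (RFC 7871 section 6): family, source prefix-length,
    scope prefix-length, then only ceil(source/8) bytes of the address.
    A query always sends scope 0; the authority fills it in on the reply."""
    net = ipaddress.ip_network(network, strict=False)
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!HBB", family, net.prefixlen, scope) + net.network_address.packed[:nbytes]

def decode_ecs(data: bytes) -> dict:
    """Parse ECS option data. An address with too few or too many octets for the
    source prefix-length is malformed and should be answered with FORMERR."""
    family, source, scope = struct.unpack("!HBB", data[:4])
    addr, total = data[4:], (4 if family == FAMILY_IPV4 else 16)
    if len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix-length")
    ip = ipaddress.ip_address(addr + b"\x00" * (total - len(addr)))
    net = ipaddress.ip_network((ip, source), strict=False)
    return {"family": family, "source": source, "scope": scope, "network": str(net)}

def parse_dig_client_subnet(line: str) -> dict:
    """Parse dig's '; CLIENT-SUBNET: addr/source/scope' pseudosection line."""
    addr, source, scope = line.split(":", 1)[1].strip().split("/")
    return {"network": f"{addr}/{source}", "source": int(source), "scope": int(scope)}

def interpret_scope(source: int, scope: int) -> str:
    """How a resolver must cache an answer given the scope returned (RFC 7871 section 7.3)."""
    if scope == 0:
        return "not tailored: answer is valid for any client and may be cached globally"
    if scope <= source:
        return f"tailored to /{scope}: cache only for clients inside that prefix"
    return f"authority wanted more than the /{source} sent: cache no wider than the /{source}"

if __name__ == "__main__":
    # Constructed input: the two CLIENT-SUBNET lines quoted from the post.
    for line in ("; CLIENT-SUBNET: 180.101.49.0/24/14", "; CLIENT-SUBNET: 180.101.49.0/24/0"):
        ecs = parse_dig_client_subnet(line)
        print(ecs["network"], "->", interpret_scope(ecs["source"], ecs["scope"]))
    wire = encode_ecs("180.101.49.11/24")  # what dig +subnet=180.101.49.11/24 puts on the wire
    print(wire.hex(), decode_ecs(wire))
```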