{
  "version": "https://jsonfeed.org/version/1",
  "title": "Ian's Digital Garden",
  "home_page_url": "https://ianwwagner.com/",
  "feed_url": "https://ianwwagner.com//tag-dns.json",
  "description": "",
  "items": [
    {
      "id": "https://ianwwagner.com//edns-client-subnet-and-geographic-dns.html",
      "url": "https://ianwwagner.com//edns-client-subnet-and-geographic-dns.html",
      "title": "EDNS Client-Subnet and Geographic DNS",
      "content_html": "<p>DNS is a complex beast,\nso it's little surprise when I learn something new.\nToday I learned a bit more about the internals of how DNS works\nat various privacy-centric providers.</p>\n<p>It all started a few weeks ago when someone I follow on Mastodon\n(I'm very sorry I can't remember who)\nmentioned <a href=\"https://quad9.net\">Quad9</a> as a privacy-friendly DNS solution.\nI think the context was that they were looking for alternatives\nto the US &quot;big tech&quot; vendors, like Cloudflare and Google.\nI eventually remembered it and switched my DNS a few weeks ago from 1.1.1.1,\nCloudflare's similar service.</p>\n<p>Fast forward to the present.\nI was frustrated that some page loads were REALLY slow.\nI couldn't figure out a clear pattern, but two sites which I visit a LOT\nare <a href=\"https://stadiamaps.com/\">stadiamaps.com</a> and <a href=\"https://docs.stadiamaps.com/\">docs.stadiamaps.com</a>,\nsince it's kinda my job ;)\nThis had been going on for at least a week or two,\nbut I thought it was just something funky with my ISP,\nor maybe they were throttling me (I'm sure I'm a top 1% bandwidth user).</p>\n<p>I had enough of the slowness this morning and was about to type up a thread in our internal Zulip chat\nasking our network guy to look into it on Monday.\nSo like any decent engineer, I popped up a web inspector and captured a HAR file\nso they could &quot;see what I saw.&quot;</p>\n<p>And what did I see?\nAfter a few minutes looking over it for obvious problems,\nI noticed that our marketing site was loading from our edge server in...\nJohannesburg?!\nAnd our docs site was coming from a server in Texas!\n(We include some HTTP headers which assist in debugging this sort of thing.)</p>\n<p>Well, that's not right...\nI popped up <code>dig</code> in my terminal and verified that, indeed, the A records were resolving to servers\nlocated on the other side of the world.\nAnd then it hit me.\nI had changed my DNS settings recently!\nThat must have something to do with it!</p>\n<p>We use AWS Route53 for our geographically aware DNS resolution needs.\nIt's the best product I've seen in the industry,\nso I assumed it wasn't their fault.\nThen I remembered something I read in the <a href=\"https://quad9.net/support/faq/#edns\">Quad9 FAQ</a>\nabout EDNS Client-Subnet (also known as EDNS0 and ECS).\nThat seems relevant...</p>\n<p>The quick version is that some DNS resolvers can use a truncated version of your IP address\nto improve the quality of the results (giving a server near you).\nAmazon has a great <a href=\"https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-edns0.html\">detailed writeup</a>.</p>\n<p>The trouble is that this info could theoretically be used (with some more details) to identify you,\nso many privacy-focused DNS solutions (including Quad9) disable this by default.</p>\n<p>Quad9 operates an alternate server with EDNS Client-Subnet enabled.\nI tried that and it gave the results I expected.\nBut this is not where the story ends!</p>\n<p>It turns out, Cloudflare, which I had been using previously,\nalso gave the &quot;expected&quot; results.\nBut they state very clearly in their <a href=\"https://developers.cloudflare.com/1.1.1.1/faq/#does-1111-send-edns-client-subnet-header\">FAQ</a>\nthat they do not use EDNS Client-Subnet.\nWhat gives?</p>\n<p>At this point I'm speculating,\nbut I think that their network setup is a bit different.\nCloudflare is famous for having an extensive edge network,\nand I have a server very close by.\nMy guess is that they make all upstream queries to authoritative servers\nAND cache any results in the same nearby datacenter.\nThis would easily explain why they can still give a geographically relevant result,\nwithout sending your subnet to the authoritative server.</p>\n<p>Quad9 on the other hand either doesn't have as many servers nearby (for fast routing),\nor perhaps they are sharing cache results globally.</p>\n<p>As I said though, this is all just speculation.\nIf anyone has more knowledge of how Cloudflare and Quad9 operate,\nlet me know and I'll update this post!</p>\n",
      "summary": "",
      "date_published": "2025-05-03T00:00:00-00:00",
      "image": "",
      "authors": [
        {
          "name": "Ian Wagner",
          "url": "https://fosstodon.org/@ianthetechie",
          "avatar": "media/avi.jpeg"
        }
      ],
      "tags": [
        "dns",
        "networking"
      ],
      "language": "en"
    }
  ]
}