1. What is DNS ECS?
In traditional DNS resolution, authoritative DNS servers typically see the IP address of the recursive resolver, not the actual client. This limits their ability to return optimized responses (e.g., closest CDN nodes) based on user location, potentially degrading performance.
ECS (EDNS Client Subnet) is an EDNS extension that allows recursive DNS servers to include the client’s subnet information in the DNS query. This helps authoritative servers return geographically optimized IP addresses, improving speed and service quality.
2. How ECS Works
- The client sends a DNS query to a recursive resolver;
- The resolver extracts the subnet from the client IP (e.g., `1.2.3.0/24`);
- It appends an ECS option in the DNS query and forwards it to the authoritative server;
- The authoritative DNS server responds based on the ECS information;
- The optimized result is returned to the client.
This gives DNS geolocation-awareness, greatly benefiting CDN and distributed services.
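To make the five steps above concrete at the wire level, here is an added example (not code from the original page) that encodes and decodes the ECS option as RFC 7871 lays it out: option code 8, a length field, the address family, the source prefix length, the scope prefix length (0 in queries, filled in by the authoritative server in replies), and only as many address bytes as the prefix needs. The type and function names are this example's own; the byte strings in `main` are constructed, including a deliberately malformed option whose address bits extend past the prefix, which a receiver must reject.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Option code assigned to EDNS Client Subnet by RFC 7871.
const ecsOptionCode = 8

// ClientSubnet holds the fields of one ECS option (names are this example's own).
type ClientSubnet struct {
	Family       uint16 // 1 = IPv4, 2 = IPv6
	SourcePrefix uint8  // how many leading address bits the resolver reveals
	ScopePrefix  uint8  // 0 in queries; the authoritative server sets it in replies
	Address      net.IP // full-length address; bits beyond SourcePrefix must be zero
}

func (c ClientSubnet) String() string {
	return fmt.Sprintf("%s/%d (scope /%d)", c.Address, c.SourcePrefix, c.ScopePrefix)
}

// addrLen maps the address family to its length in bytes.
func addrLen(family uint16) (int, error) {
	switch family {
	case 1:
		return net.IPv4len, nil
	case 2:
		return net.IPv6len, nil
	}
	return 0, fmt.Errorf("unsupported ECS family %d", family)
}

// Encode renders the option as it sits inside the OPT record's RDATA:
// OPTION-CODE(2) OPTION-LENGTH(2) FAMILY(2) SOURCE-PREFIX(1) SCOPE-PREFIX(1)
// ADDRESS(ceil(SourcePrefix/8) bytes). Only the prefix bytes are sent, so a
// /24 query for 1.2.3.4 carries "1 2 3" and never the host byte.
func (c ClientSubnet) Encode() ([]byte, error) {
	n, err := addrLen(c.Family)
	if err != nil {
		return nil, err
	}
	ip := c.Address.To4()
	if n == net.IPv6len {
		ip = c.Address.To16()
	}
	if ip == nil || len(ip) != n {
		return nil, errors.New("ecs: address does not match family")
	}
	if int(c.SourcePrefix) > n*8 {
		return nil, errors.New("ecs: source prefix longer than address")
	}
	masked := ip.Mask(net.CIDRMask(int(c.SourcePrefix), n*8))
	need := (int(c.SourcePrefix) + 7) / 8
	body := make([]byte, 4, 4+need)
	binary.BigEndian.PutUint16(body[0:2], c.Family)
	body[2], body[3] = c.SourcePrefix, c.ScopePrefix
	body = append(body, masked[:need]...)
	out := make([]byte, 4, 4+len(body))
	binary.BigEndian.PutUint16(out[0:2], ecsOptionCode)
	binary.BigEndian.PutUint16(out[2:4], uint16(len(body)))
	return append(out, body...), nil
}

// DecodeClientSubnet parses exactly one option and enforces the RFC 7871 rules
// a receiver must check: the address field is ceil(prefix/8) bytes long and
// carries no bits beyond the prefix.
func DecodeClientSubnet(b []byte) (ClientSubnet, error) {
	var c ClientSubnet
	if len(b) < 8 {
		return c, errors.New("ecs: option too short")
	}
	if code := binary.BigEndian.Uint16(b[0:2]); code != ecsOptionCode {
		return c, fmt.Errorf("ecs: option code %d is not ECS", code)
	}
	length := int(binary.BigEndian.Uint16(b[2:4]))
	if length < 4 || len(b) != 4+length {
		return c, errors.New("ecs: option length mismatch")
	}
	body := b[4:]
	c.Family = binary.BigEndian.Uint16(body[0:2])
	c.SourcePrefix, c.ScopePrefix = body[2], body[3]
	n, err := addrLen(c.Family)
	if err != nil {
		return c, err
	}
	if int(c.SourcePrefix) > n*8 {
		return c, errors.New("ecs: source prefix longer than address")
	}
	addr := body[4:]
	if len(addr) != (int(c.SourcePrefix)+7)/8 {
		return c, errors.New("ecs: address field does not match prefix length")
	}
	full := make(net.IP, n)
	copy(full, addr)
	if !bytes.Equal(full, full.Mask(net.CIDRMask(int(c.SourcePrefix), n*8))) {
		return c, errors.New("ecs: non-zero bits beyond source prefix")
	}
	c.Address = full
	return c, nil
}

func main() {
	q := ClientSubnet{Family: 1, SourcePrefix: 24, Address: net.ParseIP("1.2.3.4")}
	wire, err := q.Encode()
	if err != nil {
		panic(err)
	}
	fmt.Printf("query option bytes: % x\n", wire) // 00 08 00 07 00 01 18 00 01 02 03
	back, err := DecodeClientSubnet(wire)
	if err != nil {
		panic(err)
	}
	fmt.Println("decoded:", back) // 1.2.3.0/24 (scope /0)

	// Constructed malformed option: prefix /20 but the address bytes 1.2.3 set
	// bits beyond the 20th, which a conforming receiver must reject.
	bad := []byte{0x00, 0x08, 0x00, 0x07, 0x00, 0x01, 0x14, 0x00, 0x01, 0x02, 0x03}
	_, err = DecodeClientSubnet(bad)
	fmt.Println("malformed option rejected:", err)
}
```

The encoder is what a resolver does before forwarding (step 3); the decoder with its zero-bit check is what the authoritative side does on receipt (step 4). The scope prefix in a reply tells the resolver how much of the address actually mattered, which bounds how it may cache the answer.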
3. How to Check if a DNS Server Supports ECS
Method 1: Using dig
```
dig +nocl TXT o-o.myaddr.l.google.com @<dns-server> +subnet=<client-ip>/32 +short
```
- If the response contains an `OPT` record with subnet info, the server supports ECS.
- If ECS is unsupported, the response will be standard with no ECS data.
Method 2: Programmatic Detection
You can write a script (see Go example below) to manually construct DNS queries with ECS and examine the server’s response.
Method 3: Refer to Official Docs or Compare Results
Compare results from different IPs or consult documentation from the DNS provider.
Using dig to Test ECS Support
🧪 Test Objectives
- Verify whether a DNS supports ECS
- Check if it leaks the client’s real IP
- Compare behavior for domestic vs. foreign IPs
- Assess privacy strategies
🔧 Testing Method
Use `dig` to query Google’s diagnostic domain:
```
dig +nocl TXT o-o.myaddr.l.google.com @<dns-server> +subnet=<client-ip>/32 +short
```
Parameter Breakdown
Parameter | Description |
---|---|
`+nocl` | Suppress class information |
`TXT o-o.myaddr.l.google.com` | Returns the client IP as seen by the server |
`@<dns-server>` | Target DNS server |
`+subnet=<ip>/32` | Simulate client subnet for ECS |
`+short` | Simplified output |
Sample IPs
- Simulated Domestic IP: `222.29.12.23/32`
- Simulated Foreign IP: `110.20.20.23/32`
Compare results for domestic and foreign subnets, with and without ECS, and examine the `edns0-client-subnet` field.
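The comparison above (does the `edns0-client-subnet` string come back at all, is it the full /32, a masked prefix, or a substituted subnet) is easy to do by eye for one resolver but tedious across a list. The following is an added example, not code from the original page, that classifies a resolver's behaviour from the `+short` output of the command above. The sample outputs are constructed for the page's simulated domestic client 222.29.12.23 (`203.0.113.10` and `198.51.100.0/25` are documentation-range placeholders standing in for a resolver egress address and a substituted subnet); in real use, pipe the output of an actual `dig` run into `AssessECS`.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// ECSVerdict is what the classifier concludes from one dig run.
type ECSVerdict struct {
	Supported      bool   // an edns0-client-subnet TXT string came back
	Prefix         int    // prefix length the resolver forwarded; -1 when none
	ContainsClient bool   // the echoed subnet covers the simulated client address
	Summary        string // one-line reading of the behaviour
}

// Constructed sample outputs of `dig +short TXT o-o.myaddr.l.google.com ...`
// (not real captures). dig prints every TXT string quoted, one per line; the
// first string is the resolver's egress address as the authoritative side saw
// it (203.0.113.10 is a documentation address used as a placeholder).
const (
	SampleNoECS    = "\"203.0.113.10\"\n"
	SampleMasked24 = "\"203.0.113.10\"\n\"edns0-client-subnet 222.29.12.0/24\"\n"
	SampleLeak32   = "\"203.0.113.10\"\n\"edns0-client-subnet 222.29.12.23/32\"\n"
	SampleReplaced = "\"203.0.113.10\"\n\"edns0-client-subnet 198.51.100.0/25\"\n"
)

// ecsFromDig pulls the edns0-client-subnet value out of dig's +short output.
func ecsFromDig(out string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.Trim(strings.TrimSpace(sc.Text()), `"`)
		if strings.HasPrefix(line, "edns0-client-subnet ") {
			return strings.TrimSpace(strings.TrimPrefix(line, "edns0-client-subnet ")), true
		}
	}
	return "", false
}

// AssessECS compares the subnet the resolver forwarded with the client
// address that was simulated via +subnet and labels the privacy behaviour.
func AssessECS(clientIP, digOutput string) (ECSVerdict, error) {
	client := net.ParseIP(clientIP)
	if client == nil {
		return ECSVerdict{}, fmt.Errorf("invalid client IP %q", clientIP)
	}
	cidr, ok := ecsFromDig(digOutput)
	if !ok {
		return ECSVerdict{Prefix: -1, Summary: "no ECS data returned: the resolver strips or never sends the option"}, nil
	}
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return ECSVerdict{}, fmt.Errorf("malformed edns0-client-subnet value %q: %w", cidr, err)
	}
	ones, bits := network.Mask.Size()
	v := ECSVerdict{Supported: true, Prefix: ones, ContainsClient: network.Contains(client)}
	switch {
	case !v.ContainsClient:
		v.Summary = fmt.Sprintf("ECS forwarded as an unrelated /%d subnet: client address hidden", ones)
	case ones == bits:
		v.Summary = fmt.Sprintf("ECS forwarded as the full /%d client address: privacy leak", ones)
	default:
		v.Summary = fmt.Sprintf("ECS forwarded as a masked /%d subnet covering the client", ones)
	}
	return v, nil
}

func main() {
	const client = "222.29.12.23" // the page's simulated domestic client
	for name, out := range map[string]string{
		"no ECS": SampleNoECS, "masked /24": SampleMasked24,
		"full /32": SampleLeak32, "replaced subnet": SampleReplaced,
	} {
		v, err := AssessECS(client, out)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-16s -> %s\n", name, v.Summary)
	}
}
```

Running the same client address through a resolver's domestic and foreign test results and comparing the two verdicts surfaces exactly the asymmetry the summary table below calls out (full /32 for one group, masked prefix for the other).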
📊 Public DNS ECS Support Summary
DNS Provider | Address | ECS Support | ECS Behavior | Privacy Policy | Notes |
---|---|---|---|---|---|
Google DNS | 8.8.8.8 | ✅ Yes | Returns /24 subnet | Precise Geo | Balanced approach |
OpenDNS | 208.67.222.222 | ✅ Yes | Uses IPv6 virtual net | Obfuscated ECS | Client IP ≠ ECS subnet |
Cloudflare | 1.1.1.1 | ❌ No | No ECS support | IP rejection | Fully disabled ECS |
Microsoft DNS | 4.2.2.2 | ❌ No | No ECS support | None | |
dns.sb | 185.222.222.222 | ❌ No | No ECS support | - | |
DNSPod (Tencent) | 119.29.29.29 | ⚠️ Partial | /32 for CN, subnet for INTL | Biased treatment | Frequent timeouts overseas |
Ali DNS | 223.5.5.5 | ✅ Yes | Replaces with /25 subnet | High privacy | Fully functional ECS |
114 DNS | 114.114.114.114 | ❌ No | No ECS support | - | ECS unsupported |
Baidu DNS | 180.76.76.76 | ❌ No | No ECS support | - | |
🔍 Analysis
✅ Recommended: Ali DNS
- Fully supports ECS with masked subnets
- No difference between domestic/foreign treatment
- Supports DoH, DoT, DoQ, and H3
⚠️ Questionable: DNSPod (Tencent)
- Leaks full /32 IP for domestic users
- Subnet masking for foreign users only
- Poor stability for overseas queries
- Biased handling raises privacy concerns
❌ Non-ECS Providers
Cloudflare, 114DNS, and Baidu DNS offer no ECS support — sometimes for privacy reasons, sometimes due to lack of implementation.
📋 Conclusion
- ECS support directly impacts privacy and location-based resolution accuracy
- A good ECS implementation should:
  - Replace client IP with a masked subnet
  - Reflect correct geographic region
  - Treat domestic and foreign users equally
- Ali DNS is currently the most reliable DNS provider in China with full ECS support and advanced protocol adoption.
- DNSPod is not recommended due to inconsistent ECS behavior and overseas instability.
🧭 dig Test Command Templates
```
# Test Google DNS (with domestic IP)
dig +nocl TXT o-o.myaddr.l.google.com @8.8.8.8 +subnet=222.29.12.23/32 +short
# Test Ali DNS (with foreign IP)
dig +nocl TXT o-o.myaddr.l.google.com @223.5.5.5 +subnet=110.20.20.23/32 +short
```
4. Go Example: Constructing DNS Query with ECS
Using the miekg/dns library in Go:
```go
package main

import (
	"fmt"
	"log"
	"net"

	"github.com/miekg/dns"
)

// LookupWithECS sends an A query for domain to dnsServer with an EDNS Client
// Subnet option built from clientIP (masked to /24) and returns the answer
// addresses. Any ECS option the server echoes back is printed for inspection.
func LookupWithECS(domain, clientIP string, dnsServer string) ([]string, error) {
	m := new(dns.Msg)
	m.SetQuestion(dns.Fqdn(domain), dns.TypeA)

	// The OPT pseudo-record carries all EDNS options, ECS included.
	o := new(dns.OPT)
	o.Hdr.Name = "."
	o.Hdr.Rrtype = dns.TypeOPT
	o.SetUDPSize(dns.DefaultMsgSize) // advertise a usable payload size; 0 is treated as 512

	ecsIP := net.ParseIP(clientIP).To4()
	if ecsIP == nil {
		return nil, fmt.Errorf("invalid IPv4 address: %s", clientIP)
	}
	ecs := &dns.EDNS0_SUBNET{
		Code:          dns.EDNS0SUBNET,
		Family:        1,  // IPv4
		SourceNetmask: 24, // only the /24 prefix goes on the wire; the library masks the host bits
		SourceScope:   0,  // must be 0 in queries; the server fills it in replies
		Address:       ecsIP,
	}
	o.Option = append(o.Option, ecs)
	m.Extra = append(m.Extra, o)

	c := new(dns.Client)
	in, rtt, err := c.Exchange(m, dnsServer)
	if err != nil {
		return nil, fmt.Errorf("DNS query failed: %w", err)
	}
	fmt.Printf("DNS query RTT: %v\n", rtt)

	var ips []string
	for _, ans := range in.Answer {
		if a, ok := ans.(*dns.A); ok {
			ips = append(ips, a.A.String())
		}
	}

	// A server that honours ECS echoes the option back with its scope prefix set.
	for _, extra := range in.Extra {
		if opt, ok := extra.(*dns.OPT); ok {
			for _, option := range opt.Option {
				if ecsResp, ok := option.(*dns.EDNS0_SUBNET); ok {
					fmt.Printf("Server ECS response: family=%d, netmask=%d, address=%s\n",
						ecsResp.Family, ecsResp.SourceNetmask, ecsResp.Address)
				}
			}
		}
	}
	return ips, nil
}

func main() {
	domain := "www.baidu.com"
	clientIP := "1.2.3.4"
	dnsServer := "119.29.29.29:53"
	ips, err := LookupWithECS(domain, clientIP, dnsServer)
	if err != nil {
		log.Fatalf("LookupWithECS failed: %v", err)
	}
	fmt.Printf("Resolved IPs: %v\n", ips)
}
```
5. ECS + HTTPDNS: A Powerful Combination
Traditional DNS is prone to hijacking and pollution, especially in ISP-controlled environments. HTTPDNS uses encrypted HTTPS to securely retrieve DNS records and can also carry client IPs, mimicking ECS functionality.
Combining HTTPDNS with ECS brings both security and precision — ideal for modern DNS optimization strategies.
6. Summary
- ECS enables DNS servers to be client-aware, boosting CDN efficiency and latency reduction.
- Top DNS providers (AliDNS, Google, Cloudflare) either support ECS or deliberately reject it for privacy reasons.
- Some Chinese DNS services (e.g., 114DNS) perform poorly with ECS and should be avoided in location-sensitive scenarios.
- Tools like `dig +subnet` and Go code make ECS testing accessible.
- ECS combined with HTTPDNS delivers robust, secure, and accurate DNS resolution.