
#1 2021-07-24 14:18:33

ferrum
Member
Registered: 2020-07-07
Posts: 5

[SOLVED] DNSCrypt-Proxy and EDNS-client-subnet option.

Hello.

As we know, there is edns_client_subnet option available (since ver. 2.0.45 - if I remember correctly), that adds "EDNS-client-subnet information to outgoing queries". Default values are: ["0.0.0.0/0", "2001:db8::/32"]. I would like to ask about situation where only IPv4 protocol is in use.

I've read RFC/IETF about "EDNS Client Subnet" and now I feel stupid and lost. Generally, I think, that using "0.0.0.0/0" may not be a very good idea to prevent privacy "leakage" (user IP address etc.) or maybe I'm wrong and that's a clever solution?

So, what do you think about the edns_client_subnet option? What IP address and subnet prefix should be used to achieve better privacy? Is something like 198.51.100.0/24 a better choice than the default address? However, "a /24 prefix is only 256 IPs. This is very narrow and can be concerning for privacy".

Or maybe users should use their own IP address, provided by the ISP, but in such a format - with a shorter prefix (so that it covers more than 256 IPs): 11.22.0.0/22 (that's only an example!).

Thanks, best regards.

____________________________________
For more information, please check:

1/ RFC7871 - Client Subnet in DNS Queries (Security considerations)
2/ Cloudflare - possible solutions for the edns problem in 1.1.1.1

Last edited by ferrum (2021-07-26 10:42:16)


#2 2021-07-24 14:35:30

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: [SOLVED] DNSCrypt-Proxy and EDNS-client-subnet option.

I'd suggest you either do not use it at all or choose a random IP / subnet that resolves to a location that is acceptably close to you, maybe some IP from your ISP or maybe from a different ISP in your country.

0.0.0.0/0 does not provide any location information to improve routing. It might help with privacy in case your primary DNS server respects ECS, but uses your real IP if it is absent.

To check what information Google is receiving from your DNS server you can do this:

dig TXT +short o-o.myaddr.l.google.com

Last edited by progandy (2021-07-24 14:53:09)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
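Added example (not from this thread or from dnscrypt-proxy's own code): how an edns_client_subnet value is encoded on the wire per RFC 7871, so you can see exactly what a resolver receives for the default 0.0.0.0/0 versus the /24 and /22 discussed above. The client address 11.22.3.4 is a constructed sample; the encoder/decoder follow the option layout in RFC 7871 section 6.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 OPTION-CODE for Client Subnet (RFC 7871 section 6)


def ecs_subnet(client_ip: str, prefix_len: int) -> str:
    """Subnet a forwarder would disclose for this client at this prefix length.

    RFC 7871 requires every bit beyond SOURCE PREFIX-LENGTH to be zero, so the
    resolver only learns the network part: 11.22.3.4 at /22 -> 11.22.0.0/22.
    """
    return str(ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False))


def addresses_covered(subnet: str) -> int:
    """Size of the set of addresses that share the disclosed prefix."""
    return ipaddress.ip_network(subnet, strict=False).num_addresses


def encode_ecs_option(subnet: str) -> bytes:
    """Encode the ECS option as carried in OPT RR RDATA: OPTION-CODE, OPTION-LENGTH,
    FAMILY (1=IPv4, 2=IPv6), SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries),
    ADDRESS truncated to ceil(prefix/8) octets. For /0 the ADDRESS field is empty."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    payload = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def decode_ecs_option(option: bytes) -> str:
    """Parse an ECS option back into 'network/prefix', i.e. what the resolver learns."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or len(option) != 4 + length:
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, _scope = struct.unpack("!HBB", option[4:8])
    addr = option[8:4 + length]
    full_len = 4 if family == 1 else 16
    padded = addr + b"\x00" * (full_len - len(addr))  # zero-fill beyond the prefix
    return f"{ipaddress.ip_address(padded)}/{source_prefix}"


if __name__ == "__main__":
    # Constructed comparison: the default, the thread's /24, and an ISP-style /22.
    for subnet in ("0.0.0.0/0", "198.51.100.0/24", ecs_subnet("11.22.3.4", 22)):
        opt = encode_ecs_option(subnet)
        print(f"{subnet:18} -> {opt.hex()}  covers {addresses_covered(subnet)} addresses")
```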


#3 2021-07-26 10:39:29

ferrum
Member
Registered: 2020-07-07
Posts: 5

Re: [SOLVED] DNSCrypt-Proxy and EDNS-client-subnet option.

Hi progandy.

Thank you for the answer. I also think that the best option - if someone decides to use the 'edns_client_subnet' option - is to use e.g. an ISP address. By the way, what do you think about the prefix? Is it better to use a value lower than '/24' (because, from a privacy point of view, /24 is only 256 IPs)?

Thanks, best regards.
