1.1.1.1 prevents GeoIP based DNS lookups from working

Hi! I work as a Support Engineer for a company which provides web hosting: Netlify. Our customers are reporting issues with sites hosted on our service when they are using the DNS resolver 1.1.1.1. To cut to the chase, I’m hoping to contact Cloudflare support so we can troubleshoot this issue affecting people using both Netlify and 1.1.1.1.

At Netlify, we also provide a CDN with our service. When a query is made for a Netlify site, our DNS servers will respond with the IP address for a CDN node which is geographically closest to the IP address making the request. This is done using the Geographic Routing feature provided by the DNS service we use, which is NS1. (https://ns1.com/geographic-routing is the link to the description of Geographic Routing. I’m including it as a code block because my new forum user is only permitted two links per post.)

What normally happens is this: a user makes a DNS query for a site. If you are in Paris, we will return an IP address for a CDN node in Frankfurt. If you are in Melbourne, we will return an IP address for a CDN node in Sydney. The IP address returned is dependent on where the query comes from.

However, if a person uses 1.1.1.1 as their resolver, it always returns IP addresses in the U.S.A. The queries don’t send the person to their closest CDN node anymore. 1.1.1.1 breaks the geographic routing.

While this is less than ideal for people in the western U.S.A., it results in particularly terrible site performance for people on other continents. Being routed to New York instead of Sydney when you are browsing from Australia results in slow page loads (very high TTFB).

Here is an example of such a report from our own community site:

The topic above was a person in Spain being directed to a CDN node in North America instead of Europe. The resolver that was returning this IP address was 1.1.1.1.

This issue doesn’t occur when people use the DNS resolvers for their ISP or other “public use” resolvers like 8.8.8.8.

Would it be possible to create a support ticket so we can discuss why this is happening and what can be done to resolve this issue? I’m able to spin up EC2 instances or use VPN software to demonstrate the differences when 1.1.1.1 is used around the world compared to other resolvers.

It would seem ideal to take this conversation private so we can troubleshoot this. However, if you would prefer to troubleshoot here publicly, I’m happy to do this as well.

If there are any questions I can answer, please let me know.

2 Likes

Hi good day!!!
You might think that it is not reaching the closest server since Cloudflare did not send EDNS ECS support due to a privacy issue.
You should talk to them to see if there is another way to solve your problem.

Cheers!!!

2 Likes

Yes, it does appear to be a well documented limitation here:

Quoting:

EDNS Client Subnet

1.1.1.1 is a privacy centric resolver so it does not send any client IP information and does not send the EDNS Client Subnet Header to authoritative servers.

It is also discussed in other topics found on this community site - for example, this one:

This appears to be a known limitation and one which won’t be changed anytime soon. Thank you for the advice, @german.garciadoego, as this mention of “EDNS support” pointed me directly to the root cause. That information is greatly appreciated!

2 Likes

Hi Luke, good morning !!!
Effectively!!! In general, when there are IP geolocation problems with Cloudflare DNS, you should point to EDNS ECS… EDNS support has been requested for a while, but for privacy reasons, Cloudflare has disabled it…
I don’t know if they will be working on how to solve this, but this topic comes from the beginning of 1.1.1.1 …
So for now and I don’t know if we will never … we will have a solution to these problems …

I’m glad I was able to help you.

Cheers!!!

Hi, this definitely shouldn’t be happening. Clients would connect to our closest anycast location and your DNS service should map that anycast location accordingly. I’ll try to reach out to NS1 to see if we can fix this.

2 Likes

Thank you for the follow-up and it is wonderful to learn there should be a solution for this. (I’d hoped there would be.) 🙂

If there are any questions I can answer or information I can provide for troubleshooting, please let me know. I’m happy to assist in any way which would be helpful.

Hello mvavrusa !!!

I appreciate your help to solve these problems !!!

Anything we can help with, we will be here.

Regards.

I’m using a similar solution as Luke, but with MaxMind’s GeoIP service. Our users using 1.1.1.1 also get sent to our North American servers regardless of where they are, whereas the same user using Google’s 8.8.8.8 gets geosteered properly to their closest server.

Hi, any chance you can update the MaxMind database version to the latest one and see if there’s still a problem?

1 Like

Seems to be fixed, thanks 🙂