Additional information
DNS policies
What is the issue you’re encountering
I noticed that the ECS subnet sent when ECS is enabled for my DNS location does not match the /24 or /56 that contains my IP address, unlike with Google DNS. Based on Add locations | Cloudflare Zero Trust docs, I understood that “Cloudflare enables EDNS in a privacy preserving way by not sending the user’s exact IP address but rather a /24 range which contains their IP address.” In reality, the IPv4 /24 range sent does not include my IP address, but the Google DNS one does. The same applies to IPv6 and /56.
What are the steps to reproduce the issue?
Get ECS prefixes sent by Cloudflare Gateway DNS Location
- IPv4
$ dig TXT -4 +tls @<redacted>.cloudflare-gateway.com whoami.ds.akahelp.net
...
;; ANSWER SECTION:
whoami.ds.akahelp.net. 20 IN TXT "ecs" "173.56.72.0/24/24"
whoami.ds.akahelp.net. 20 IN TXT "ip" "173.56.72.252"
whoami.ds.akahelp.net. 20 IN TXT "ns" "2400:cb00:452:1024::ac46:e529"
...
- IPv6
$ dig TXT -6 +tls @<redacted>.cloudflare-gateway.com whoami.ds.akahelp.net
...
;; ANSWER SECTION:
whoami.ds.akahelp.net. 20 IN TXT "ecs" "2600:4041::/56/56"
whoami.ds.akahelp.net. 20 IN TXT "ip" "2600:4041:0:b:30f9:c349:680e:c038"
whoami.ds.akahelp.net. 20 IN TXT "ns" "2400:cb00:388:1024::ac46:7197"
...
Get ECS prefixes sent by Google DNS
- IPv4
$ dig TXT -4 +https @dns.google whoami.ds.akahelp.net
...
;; ANSWER SECTION:
whoami.ds.akahelp.net. 20 IN TXT "ecs" "173.56.76.0/24/24"
whoami.ds.akahelp.net. 20 IN TXT "ip" "173.56.76.31"
whoami.ds.akahelp.net. 20 IN TXT "ns" "2607:f8b0:4004:c1d::12a"
...
- IPv6
$ dig TXT -6 +https @dns.google whoami.ds.akahelp.net
...
;; ANSWER SECTION:
whoami.ds.akahelp.net. 20 IN TXT "ecs" "2600:4041:5802:b300::/56/56"
whoami.ds.akahelp.net. 20 IN TXT "ip" "2600:4041:5802:b335:4de8:608a:647a:8273"
whoami.ds.akahelp.net. 20 IN TXT "ns" "2607:f8b0:4004:c06::101"
...
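The comparison the post makes by eye (is the forwarded ECS prefix the /24 or /56 that actually contains the client?) can be automated. The script below is an added example, not code from the original post or from Cloudflare or Google: it parses the "ecs"/"ip"/"ns" TXT answers that whoami.ds.akahelp.net returns, computes the prefix a privacy-preserving resolver would be expected to send for a given client address, and checks containment with the standard ipaddress module. The sample answers are copied from the outputs above; the client addresses used in the checks (the "ip" values from the Google responses) are an assumption for illustration, since the post does not state the client's real address. `run_dig` assumes `dig` is on PATH and is only used when the script is run directly.

```python
"""Check whether the EDNS Client Subnet (ECS) prefix a resolver forwards
contains the client address it is supposed to be derived from.

Added example, not from the original post. Uses the TXT answers of
whoami.ds.akahelp.net as shown in the post.
"""
import ipaddress
import re
import subprocess
from typing import Dict, Optional, Tuple

# One answer line looks like:
#   whoami.ds.akahelp.net. 20 IN TXT "ecs" "173.56.72.0/24/24"
TXT_RE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+"([^"]+)"\s+"([^"]+)"', re.M)

# Prefix lengths the Cloudflare doc quoted in the post says a privacy-preserving
# resolver sends for IPv4; /56 for IPv6 is what the post observed from Google.
EXPECTED_LEN = {4: 24, 6: 56}


def run_dig(server: str, family: int = 4, transport: str = "+tls") -> str:
    """Run the same query the post uses (dig TXT -4/-6 +tls/+https @server ...).
    Assumes dig is installed; not called at import time."""
    cmd = ["dig", "TXT", f"-{family}", transport, f"@{server}", "whoami.ds.akahelp.net"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_akahelp(dig_output: str) -> Dict[str, str]:
    """Map the TXT key ("ecs", "ip", "ns") to its value from dig's answer section."""
    return dict(TXT_RE.findall(dig_output))


def parse_ecs(ecs_field: str) -> Tuple[ipaddress._BaseNetwork, int, int]:
    """Split "<network>/<source-len>/<second-len>" into (network, source_len, second_len).
    The second number is read here as the scope prefix length (an assumption about
    the akahelp format); only the source length matters for the containment check."""
    addr, source, second = ecs_field.rsplit("/", 2)
    network = ipaddress.ip_network(f"{addr}/{source}", strict=False)
    return network, int(source), int(second)


def expected_prefix(client_addr: str) -> ipaddress._BaseNetwork:
    """The /24 (IPv4) or /56 (IPv6) that contains client_addr."""
    client = ipaddress.ip_address(client_addr)
    return ipaddress.ip_network(f"{client}/{EXPECTED_LEN[client.version]}", strict=False)


def ecs_covers(dig_output: str, client_addr: str) -> Optional[bool]:
    """True if the forwarded ECS prefix contains client_addr, False if it does not,
    None if the answer carries no "ecs" record (resolver sent no ECS option)."""
    rec = parse_akahelp(dig_output)
    if "ecs" not in rec:
        return None
    network, _, _ = parse_ecs(rec["ecs"])
    client = ipaddress.ip_address(client_addr)
    if client.version != network.version:
        raise ValueError(f"{client} and ECS prefix {network} differ in address family")
    return client in network


# Constructed sample inputs: the answer sections quoted in the post.
CLOUDFLARE_V4 = "\n".join([
    ";; ANSWER SECTION:",
    'whoami.ds.akahelp.net. 20 IN TXT "ecs" "173.56.72.0/24/24"',
    'whoami.ds.akahelp.net. 20 IN TXT "ip" "173.56.72.252"',
    'whoami.ds.akahelp.net. 20 IN TXT "ns" "2400:cb00:452:1024::ac46:e529"',
])
CLOUDFLARE_V6 = "\n".join([
    ";; ANSWER SECTION:",
    'whoami.ds.akahelp.net. 20 IN TXT "ecs" "2600:4041::/56/56"',
    'whoami.ds.akahelp.net. 20 IN TXT "ip" "2600:4041:0:b:30f9:c349:680e:c038"',
    'whoami.ds.akahelp.net. 20 IN TXT "ns" "2400:cb00:388:1024::ac46:7197"',
])
GOOGLE_V4 = "\n".join([
    ";; ANSWER SECTION:",
    'whoami.ds.akahelp.net. 20 IN TXT "ecs" "173.56.76.0/24/24"',
    'whoami.ds.akahelp.net. 20 IN TXT "ip" "173.56.76.31"',
    'whoami.ds.akahelp.net. 20 IN TXT "ns" "2607:f8b0:4004:c1d::12a"',
])
GOOGLE_V6 = "\n".join([
    ";; ANSWER SECTION:",
    'whoami.ds.akahelp.net. 20 IN TXT "ecs" "2600:4041:5802:b300::/56/56"',
    'whoami.ds.akahelp.net. 20 IN TXT "ip" "2600:4041:5802:b335:4de8:608a:647a:8273"',
    'whoami.ds.akahelp.net. 20 IN TXT "ns" "2607:f8b0:4004:c06::101"',
])


if __name__ == "__main__":
    # Assumed client addresses: the "ip" values Google's responses reported.
    checks = [
        ("Cloudflare IPv4", CLOUDFLARE_V4, "173.56.76.31"),
        ("Google IPv4", GOOGLE_V4, "173.56.76.31"),
        ("Cloudflare IPv6", CLOUDFLARE_V6, "2600:4041:5802:b335:4de8:608a:647a:8273"),
        ("Google IPv6", GOOGLE_V6, "2600:4041:5802:b335:4de8:608a:647a:8273"),
    ]
    for label, output, client in checks:
        rec = parse_akahelp(output)
        print(f"{label}: sent {rec['ecs']}, expected {expected_prefix(client)}, "
              f"contains client: {ecs_covers(output, client)}")
```

To test a live resolver, replace the constructed samples with `run_dig("<your-location>.cloudflare-gateway.com", 4, "+tls")` or `run_dig("dns.google", 4, "+https")` and pass the client address you are testing from; a `False` result means the resolver is forwarding a prefix that does not contain you, and `None` means no ECS option reached the authoritative server at all.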