[Feature request] Geolocation/Client Subnet support for Cloudfront domains

I’ve noticed that since launch Cloudflare will often return records for distant Cloudfront edges, even when querying a local 1.1.1.1 edge.

This is a painful interaction for a CDN product that is supposed to reduce global latency.

I believe that it is a Cloudflare issue because other recursive resolvers, and the identity.cloudfront.net resolver do not seem to ever suffer from this degradation:

2018/08/27 21:43:52 [resolver=1.1.1.1:53,msgId=61668,host=13.33.28.138,rtt=220.251322ms]
2018/08/27 21:43:53 [resolver=8.8.8.8:53,msgId=8640,host=54.230.245.245,rtt=55.775511ms]
2018/08/27 21:43:53 [resolver=identity.cloudfront.net:53,msgId=33957,host=54.230.245.213,rtt=47.597676ms]

(RTT measured by TCP open to one of the A RRs, this example was from “MEL” Cloudflare resolver).

I’m currently running a longer-term test to figure out how often this happens, but it’s often enough to be annoying. It seems to affect all Cloudfront domains (e.g. all of the Atlassian sites).

Cloudfront uses DNS rather than Anycast to select the closest edge. It’s not clear to me exactly how this is interacting with Cloudflare, but they definitely support EDNS and this shouldn’t be happening.

The issue there may be that Cloudflare’s 1.1.1.1 doesn’t support EDNS. With some vendors they have worked to provide a better experience, maybe Cloudfront is not there or is coming.

Oh, yikes. I swear I had read that Cloudflare was sending an anonymized client subnet. Must have been another resolver.

Very convenient then that if there is no EDNS, that most of the time it actually does resolve to a local edge.

I would assume that they use the edge’s IP to locate themselves to the EDNS DNS instead of yours for those with whom they worked.

Yes, that’s what I thought was happening initially! But going by the literal interpretation of the page you linked, no Client Subnet data is sent at all.

I think they are not sending any EDNS IP. Because all Cloudflare’s IPs are geolocated to the US, but they have probably given a list of IP <-> PoP relations to Akamai, Google and the likes. That is not something that is public, but I would assume neither Google nor Akamai would launch a DDoS towards Cloudflare so they feel safe doing that.

Looks like you’re spot on.

From the 8.8.8.8 resolver (74.125.41.9 locally) I can see that an OPT record with EDNS Client Subnet is sent.

From 1.1.1.1 (162.158.1.47 locally) an OPT record is sent but without any extensions.

I guess this is really a feature request, then.

This also seems to affect CNAME flattening in authoritative DNS product as well, which is a bummer. Changing to another DNS host might be on the horizon for me, can’t afford the $200/mo/domain it would take to use be able to use Cloudflare’s CDN in Australia .

What kind of back end are you running?

I’ll try to reach out. Even without ECS, they should be able to geolocate you approximately using the Cloudflare’s PoP location. If they absolutely do need ECS, we’ll try to work something out.

FWIW, this appears to happen with Office365 as well.

From an Australian ISP:

dig @1.1.1.1 outlook.office365.com
outlook.office365.com. 259 IN CNAME outlook.ha.office365.com.
outlook.ha.office365.com. 27 IN CNAME outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com. 494 IN CNAME syd-efz.ms-acdc.office.com.
syd-efz.ms-acdc.office.com. 44 IN CNAME outlook.office365.com.g.office365.com.
outlook.office365.com.g.office365.com. 31 IN CNAME outlook-ca-namcentral3.office365.com.
outlook-ca-namcentral3.office365.com. 31 IN CNAME outlook-namcentral3.office365.com.
outlook-namcentral3.office365.com. 31 IN A 40.97.134.34
outlook-namcentral3.office365.com. 31 IN A 40.97.138.210
outlook-namcentral3.office365.com. 31 IN A 40.97.151.18
outlook-namcentral3.office365.com. 31 IN A 40.97.192.226
outlook-namcentral3.office365.com. 31 IN A 40.97.193.178
outlook-namcentral3.office365.com. 31 IN A 40.97.194.98
outlook-namcentral3.office365.com. 31 IN A 40.97.24.50
outlook-namcentral3.office365.com. 31 IN A 40.97.41.82
outlook-namcentral3.office365.com. 31 IN A 40.97.85.2
outlook-namcentral3.office365.com. 31 IN A 40.97.125.146
outlook-namcentral3.office365.com. 31 IN A 40.97.130.18

Typically i would expect my result to be along the lines of:

outlook.office365.com. 104 IN CNAME outlook.ha.office365.com.
outlook.ha.office365.com. 55 IN CNAME outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com. 339 IN CNAME syd-efz.ms-acdc.office.com.
syd-efz.ms-acdc.office.com. 11 IN CNAME outlook.office365.com.g.office365.com.
outlook.office365.com.g.office365.com. 177 IN CNAME outlook-au.office365.com.
outlook-au.office365.com. 294 IN A 40.100.151.242
outlook-au.office365.com. 294 IN A 40.100.144.146
outlook-au.office365.com. 294 IN A 40.100.144.226
outlook-au.office365.com. 294 IN A 40.100.145.162
outlook-au.office365.com. 294 IN A 40.100.146.194
outlook-au.office365.com. 294 IN A 40.100.148.18
outlook-au.office365.com. 294 IN A 40.100.148.194
outlook-au.office365.com. 294 IN A 40.100.149.178
outlook-au.office365.com. 294 IN A 40.100.151.2

The difference is ~ 200ms of latency, which really shows in desktop applications (like outlook).

Its worth nothing this appears to be random. At times I do get AUS results, while other times i get USA/Canada. I get that ECS isn’t exposed for privacy reasons, but perhaps a “bypass” capability in cloudflared (which is what im using for DNS over HTTPS) may be ideal until geo-location data can be updated accordingly?

Hi Seamus,

I know it is incredibly frustrating to see ~200ms latency. We are working on a plan to remediate this. We will share an update with the community very soon on how we are going to solve this.

Thanks for your patience!

️:v:️

Irtefa

Almost a year has passed and the problems are still there … more than 6 months ago they indicated that it was under consideration to enable EDNS … We continue in the sweet wait using GOOGLE DNS, with which if things work correctly …
Are you going to take a lot more time to consider it ???

Greetings.

A month, not a year…

I said “ALMOST” a year … and it was not a month … If you verify the link that I put, you will see that these problems come from the beginning of the year, when cscharff had already commented that they were “considering” …

Basically this is what happens …
https://www.sajalkayan.com/post/cloudflare-1dot1dot1dot1.html

I hope they reconcideren and enable EDNS support to optimize the cdn connections …

Greetings.

Didn’t look at the link, but it’s still less than 6 months. Plus I doubt they will ever enable EDNS, if you want it/need it use something else.

The issue that happens is known to everyone, but that is what happens with a bit more privacy for the user.

They have optimized some CDNs, Google’s, Akamai’s and Amazon’s are fine here.

With respect to Google, they had mentioned that it was solved … however, most of the time certain connections, in my case, are directed to Peru … rarely within Argentina (EZE).
So I do not see that it is very solved that we say …

Hello good day!!! Was there any resolution to these drawbacks ???
Can you give an update to this topic please ???

Thanks and regards!!!

Is there someone that can response if there will be esdn support because this has a serious issue in decreasing performance so is this in the roadmap

It seems abandoned this forum … No support here so I can give an answer ???

Thank you very much already!!!

Gonna reply to both @german.garciadoego and @genuine3000:

I don’t think this will ever be in the roadmap. Of course I am not on the team, but the premise of 1.1.1.1 is privacy and EDNS Client Subnet is the opposite of that. If that’s what you need fine, otherwise there are fine alternatives depending on your location.