We are using AWS Route53’s Geolocation feature to direct users to our closest server.
When we run dig @184.108.40.206 mydomain.tld from a server in Singapore, we do not get the response configured in Route53 for Asia; instead we get the response configured for North America.
I understand that 220.127.116.11 does not support ECS. However, 18.104.22.168 is 0.7 ms away, thus also in Singapore, so I would still expect that Route53 sees the DNS request coming from Cloudflare as originating from Singapore.
This thread confirms that this is how it should work, and when it does not work, it is probably a wrong entry in some (AWS’s?) geo location database that misplaces Cloudflare’s IPs.
How can I debug whether this is the case? How can I get it fixed? If the problem is in Route53, how can I determine from which IP 22.214.171.124 will make the request to Route53, so that I can report it to AWS support?
Currently our users are sent around half the globe when they use 126.96.36.199, which leads to a bad experience.
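One way to answer the debugging question in that post is to delegate a throwaway test zone to a host you control and record what the resolver actually sends there. The following is an added example, not code from this thread, from Cloudflare or from AWS: it parses a wire-format DNS query for the EDNS Client Subnet option and reports what Route 53, per its documentation, would geolocate on; the sample packets, the addresses 203.0.113.0/24 and 198.51.100.7, and the assumption that resolver queries carry uncompressed names are all constructed for the example.

```python
import socket
import struct
ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)

def _read_name(msg, off):
    """Decode an uncompressed DNS name (assumption: resolver queries carry no pointers)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_query(msg):
    """Return the qname and the ECS subnet (or None) carried in a wire-format DNS query."""
    _, an, ns, ar = struct.unpack("!4H", msg[4:12])
    qname, off = _read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    ecs = None
    for _ in range(an + ns + ar):  # walk the remaining RRs looking for the OPT pseudo-RR
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off, p = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == 41 and p + 4 <= len(rdata):  # 41 = OPT; rdata is a list of (code, len, data)
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            body, p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            if code == ECS_OPTION_CODE:
                family, srclen, _scope = struct.unpack("!HBB", body[:4])
                af, width = (socket.AF_INET, 4) if family == 1 else (socket.AF_INET6, 16)
                addr = socket.inet_ntop(af, body[4:].ljust(width, b"\x00"))  # pad the truncated prefix
                ecs = f"{addr}/{srclen}"
    return {"qname": qname, "ecs": ecs}

def geo_basis(source_ip, msg):
    """What Route 53 would geolocate on, per its docs: the ECS subnet if sent, else the resolver's source IP."""
    ecs = parse_query(msg)["ecs"]
    return ecs if ecs is not None else source_ip

def build_query(qname, ecs=None):
    """Constructed sample packet: an A query for qname, optionally carrying an IPv4 ECS option."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if ecs else 0)
    if ecs is None:
        return header + question
    ip, plen = ecs.split("/")
    prefix = socket.inet_pton(socket.AF_INET, ip)[:(int(plen) + 7) // 8]  # RFC 7871: send only the prefix bytes
    option = struct.pack("!HHHBB", ECS_OPTION_CODE, 4 + len(prefix), 1, int(plen), 0) + prefix
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option  # root name, UDP size 4096
    return header + question + opt_rr
```

Feed each datagram arriving on the test zone's UDP listener, together with its source address, to geo_basis: querying that name through the Cloudflare resolver from Singapore then shows the resolver's egress IP (the value to quote to AWS support) and whether an ECS option was attached at all.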
If this [ECS] data isn’t passed with the request, Route 53 uses the source IP address of the DNS resolver to approximate the location of the client and responds to geolocation queries with the DNS record for the resolver’s location.
This means Route53 will use the location of the Cloudflare machine that talks to it.
My understanding is that you were saying that this can only be fixed if Cloudflare starts supporting ECS.
But I believe it would be sufficient if the IP from which Cloudflare talks to Route53 had correct geolocation DB entries (then, Cloudflare’s Singapore resolvers would show up as in Singapore to Route 53).
Your last post (“that address does not scream ‘Singapore’”) seems to agree with that, but your first post seemed to suggest something different – maybe I misunderstood you?
“Correct” as in? The upstream addresses do not necessarily need to correlate with the country where you sent the request from. a) Cloudflare won’t have addresses “from” each single country where they have a datacentre. b) Even if they did, there is no guarantee you’d be routed to that datacentre.
There is nothing “correct” about country allocations when it comes to IP addresses, I am afraid. There is just a “less wrong”.
Yes, that makes sense from a technical perspective.
I mean “correct” as in “what Cloudflare likely intends to happen”.
It appears to me that, especially given that Cloudflare does not support ECS, it would probably want the resolver’s IP to count as “reasonably close” to the user – at least in the same country, so that issues like the one I am seeing do not happen and users of 188.8.131.52 do not have a bad time.
… Members who hold “allocated portable” IP ranges are free to create more specific inetnum and inet6num records that contain different “country” values to indicate the economy in which those IP addresses are used. Additionally, the “geoloc” attribute can be added to associate a latitude/longitude coordinate pair with the record.
If you find that a geolocation provider has incorrect location details of your IP address range, you can contact them and request they update the location of the range.
Would it not be in Cloudflare’s interest to make their resolver IP appear from the correct country then?
Sorry, I don’t quite follow – which part are you referring to? My point was that Cloudflare could choose to make their Singapore resolver server’s address like 184.108.40.206 show up as in Singapore in common geolocation DBs. Your posts make clear that this would not happen automatically, but I cannot infer from them why Cloudflare would not be interested in updating them explicitly.
22.214.171.124 is used as a multicast IP though, so it makes sense that it has no defined location. 18.104.22.168 does not appear to be one. Also, 22.214.171.124 does not talk to upstream DNS resolvers, while resolver IPs like 126.96.36.199 do.
The accuracy of IP databases is one part of it; the other is simply what I mentioned earlier. These addresses are all part of a larger block and you can’t “assign” countries to individual addresses.
On top of that, as I already mentioned, you won’t even have a guarantee that you will be routed via Singapore. Even if Cloudflare assigned to each address the respective country (what about countries where they don’t have a datacentre?) you’d still be “incorrectly” routed if you go via a different country.
So, again, what I said in the beginning: either Cloudflare needs to support ECS or Amazon needs to switch to Anycast.