When 1.1.1.1 or other resolvers make upstream DNS requests, they may decide to include the client's IP network in the EDNS field to give the authoritative DNS server a hint about the client's location.
This causes a privacy leak, and Cloudflare's 1.1.1.1 has decided not to send this information upstream, since it leaks the client's IP. This breaks some DNS answers, e.g. https://webapps.stackexchange.com/questions/135222/why-does-1-1-1-1-not-resolve-archive-is/135223#135223
I propose the following solution:
- Client makes a DNS request to 1.1.1.1
- The Cloudflare PoP in the anycast network that handles this DNS request includes its own IP in the EDNS field.
- The authoritative DNS server sees a subnet in the EDNS field that roughly matches the client's location.
- The authoritative DNS server can use this location information to provide custom answers without seeing the user's subnet.
This is one option; another would be to spoof the EDNS field with a random IP subnet that has the same GeoIP location as the client.
If the user makes a DNS request to 1.1.1.1 from Madrid (Spain), Cloudflare just needs a random subnet GeoIP-located in Madrid to pass along: not the user's network, but any that has the same geolocation.
This preserves privacy while still providing GeoIP location upstream.
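As an added illustration (not part of the original post or of Cloudflare's code), the following Python encodes the EDNS Client Subnet option in its RFC 7871 wire format and shows what an authoritative server decodes under each policy: forwarding the client's /24, substituting the answering PoP's own network, or substituting a same-city subnet. The PoP address, the city table and the client address are constructed sample values from documentation ranges.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8       # EDNS0 option code for Client Subnet (RFC 7871)
IPV4_SOURCE_PREFIX = 24   # prefix length resolvers commonly forward for IPv4

# Constructed sample data (documentation ranges): the answering PoP's own
# address, and a city -> subnet table standing in for a real GeoIP lookup.
POP_IP = "192.0.2.10"
GEO_SUBNETS = {"Madrid": "198.51.100.0/24"}

def build_ecs_option(network):
    """Encode an ECS option: code, length, family (1=IPv4, 2=IPv6), source
    prefix, scope prefix (0 in queries), address truncated to the prefix."""
    net = ipaddress.ip_network(network, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def parse_ecs_option(data):
    """Decode the option as an authoritative server would; returns (network, scope)."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE or length != len(data) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", data[4:8])
    addr = data[8:8 + (source + 7) // 8]
    addr += bytes((4 if family == 1 else 16) - len(addr))  # restore zeroed tail
    return str(ipaddress.ip_network((addr, source))), scope

def upstream_ecs_network(client_ip, policy, client_city=None):
    """Pick the subnet the resolver sends upstream. 'client' is the leaking
    behaviour; 'pop' and 'geo' are the two substitutions proposed above."""
    if policy == "client":
        base = client_ip
    elif policy == "pop":
        base = POP_IP
    elif policy == "geo":
        return GEO_SUBNETS[client_city]
    else:
        raise ValueError(policy)
    return str(ipaddress.ip_network(f"{base}/{IPV4_SOURCE_PREFIX}", strict=False))

def what_authoritative_sees(client_ip, policy, client_city=None):
    """Round trip: resolver builds the option, authoritative server parses it."""
    opt = build_ecs_option(upstream_ecs_network(client_ip, policy, client_city))
    return parse_ecs_option(opt)[0]
```

With the 'client' policy the authoritative server learns the user's /24; with 'pop' or 'geo' it only learns a network in the same region, which is the point of the proposal.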