What is DNS ECS?
In traditional DNS resolution, authoritative DNS servers typically see only the IP address of the recursive resolver—not the real IP of the end-user. As a result, they can’t return CDN nodes optimized for the user’s actual location, causing slower access and degraded user experience.
ECS (EDNS Client Subnet) is a DNS protocol extension (defined in RFC 7871) that allows recursive resolvers to include a portion of the client’s IP subnet in DNS queries. Authoritative servers can then return responses tailored to the user’s region.
How ECS Works
- A client sends a DNS query to the recursive resolver.
- The resolver extracts the subnet (e.g.,
1.2.3.0/24) from the client IP. - The resolver includes an ECS option in the DNS request to the authoritative server.
- The authoritative server uses the subnet to return a geographically optimized IP address.
- The response is sent back to the client with improved relevance and performance.
This process enables DNS-based geographic targeting without requiring any change on the client side.
ECS Support Landscape
While ECS is powerful, not all DNS providers support it—or they support it to different degrees.
✅ Public DNS Servers with Good ECS Support
| Region | Provider | DNS IP | ECS Support | Notes |
|---|---|---|---|---|
| CN | AliDNS | 223.5.5.5 |
✅ Good | Fully supports ECS, widely used |
| CN | Tencent DNSPod | 119.29.29.29 |
✅ Good | Fast and stable |
| CN | AliDNS (Backup) | 223.6.6.6 |
✅ Good | Same as above |
| CN | Baidu Public DNS | 180.76.76.76 |
✅ Partial | Inconsistent ECS support |
| Global | Google DNS | 8.8.8.8 |
✅ Excellent | Mature and widely adopted |
| Global | Google DNS | 8.8.4.4 |
✅ Excellent | Same as above |
| Global | Cloudflare | 1.1.1.1 |
✅ Excellent | Fast and privacy-focused |
| Global | Cloudflare | 1.0.0.1 |
✅ Excellent | Same as above |
| Global | Quad9 | 9.9.9.9 |
✅ Good | Security & privacy enhanced DNS |
⚠️ Limited ECS Support
| Provider | DNS IP | ECS Support | Issue |
|---|---|---|---|
| 114 DNS (CN) | 114.114.114.114 |
⚠️ Limited | Often discards ECS info; poor geo optimization |
Tip: For ECS-based optimization (e.g., CDN routing), avoid using DNS servers with limited or no ECS support.
How to Test ECS Support
Option 1: Use dig with ECS
dig +subnet=1.2.3.0/24 www.example.com @dns-server-ip
If the response includes an OPT record with ECS subnet info, the DNS server supports ECS. Otherwise, it may ignore the ECS extension.
Option 2: Programmatic Test in Go
Use a Go program to craft a DNS request with ECS and inspect the returned data. (See example below.)
Option 3: Compare DNS Results Across Regions
Check whether the same domain returns different IPs from different regions when ECS is used.
ECS DNS Lookup in Go
Below is a simple Go program using miekg/dns to issue an ECS-enabled DNS query:
package main
import (
"fmt"
"log"
"net"
"github.com/miekg/dns"
)
func LookupWithECS(domain, clientIP string, dnsServer string) ([]string, error) {
m := new(dns.Msg)
m.SetQuestion(dns.Fqdn(domain), dns.TypeA)
o := new(dns.OPT)
o.Hdr.Name = "."
o.Hdr.Rrtype = dns.TypeOPT
ecsIP := net.ParseIP(clientIP).To4()
if ecsIP == nil {
return nil, fmt.Errorf("invalid IPv4 address: %s", clientIP)
}
ecs := &dns.EDNS0_SUBNET{
Code: dns.EDNS0SUBNET,
Family: 1,
SourceNetmask: 24,
SourceScope: 0,
Address: ecsIP,
}
o.Option = append(o.Option, ecs)
m.Extra = append(m.Extra, o)
c := new(dns.Client)
in, rtt, err := c.Exchange(m, dnsServer)
if err != nil {
return nil, fmt.Errorf("DNS query failed: %w", err)
}
fmt.Printf("DNS query RTT: %v\n", rtt)
var ips []string
for _, ans := range in.Answer {
if a, ok := ans.(*dns.A); ok {
ips = append(ips, a.A.String())
}
}
for _, extra := range in.Extra {
if opt, ok := extra.(*dns.OPT); ok {
for _, option := range opt.Option {
if ecsResp, ok := option.(*dns.EDNS0_SUBNET); ok {
fmt.Printf("ECS response: family=%d, netmask=%d, address=%s\n",
ecsResp.Family, ecsResp.SourceNetmask, ecsResp.Address)
}
}
}
}
return ips, nil
}
func main() {
domain := "www.baidu.com"
clientIP := "1.2.3.4"
dnsServer := "119.29.29.29:53"
ips, err := LookupWithECS(domain, clientIP, dnsServer)
if err != nil {
log.Fatalf("LookupWithECS failed: %v", err)
}
fmt.Printf("Resolved IPs: %v\n", ips)
}
ECS + HTTPDNS: A Modern Combination
Traditional DNS over UDP is vulnerable to hijacking and spoofing. HTTPDNS addresses this by resolving domains over HTTPS (DoH), which:
- Protects against DNS pollution
- Ensures accurate IP targeting
- Supports native client IP identification
By combining ECS and HTTPDNS, services can achieve both security and location-aware routing, greatly enhancing performance in mobile and multi-region scenarios.
Conclusion
- ECS allows DNS servers to return IPs based on the client’s geographic subnet.
- Many public DNS servers now support ECS, but 114 DNS does not fully support it and should be avoided in precision scenarios.
- You can test ECS support using
dig +subnet, Go code, or regional comparisons. - HTTPDNS and ECS together form a strong foundation for modern DNS performance and security strategies.