Hacker News
by styanax 214 days ago
Hoping the DNS-savvy HN crowd reading this can help me understand a Quad9 thing I ran into. I was debugging (as in scratching my head) a bank website login problem and ended up doing some DNS checks against their domain, usual stuff, while using Quad9 as my DNS provider.

While testing, I was using Google and Cloudflare as well, and started noticing something - Quad9 does not return all A records listed for a domain, the same way Google/Cloudflare do.

    dig -t A google.com @8.8.8.8 +short (6x IPs)
    dig -t A google.com @1.1.1.1 +short (6x IPs)
    dig -t A google.com @9.9.9.9 +short (1x IP)
This gave me a weird feeling; I get there's a lot of DNS geo magic and 8.8/1.1 serve 2 different subnets, and 9.9 a third. But... where did the other 5 expected IPs from Quad9 get off to?
6 comments

I used Quad9 as the primary upstream DNS for my home. About 11 days ago I wasn't able to send any query to Quad9, kinda blocking. Their status page was green; I suspected my IP was blocked. Now I'm on quad1 :(
Have you tried Mullvad?

https://mullvad.net/en/help/dns-over-https-and-dns-over-tls

TL;DR

dns.mullvad.net - 194.242.2.2 (no blocking)

adblock.dns.mullvad.net - 194.242.2.3 (ad and tracker blocking)

base.dns.mullvad.net - 194.242.2.4 (ad, tracker, malware blocking)

And others, but I primarily use the last two. They offer it as a public service, similar to Quad9.

Thanks to multiple mentions of Mullvad in this overall post comments, I decided to replace dnsmasq with unbound and convert the laptop to DoT. Here's the specific Mullvad snippet if anyone needs:

    forward-zone:
        name: "."
        # DoT on 853; the CA bundle comes from tls-cert-bundle in the server: section
        forward-tls-upstream: yes
        # Mullvad Unfiltered
        forward-addr: 2a07:e340::2@853#dns.mullvad.net
        forward-addr: 194.242.2.2@853#dns.mullvad.net
        # Mullvad Adblock
        #  forward-addr: 2a07:e340::3@853#adblock.dns.mullvad.net
        #  forward-addr: 194.242.2.3@853#adblock.dns.mullvad.net
As mentioned in the default unbound config, the "#" is not a comment when used in the value, it's used for TLS checks. I followed this simple blog post from years ago: https://www.jwillikers.com/dns-over-tls-with-unbound
I see a single IP for all 3

While I'm here: Google uses edns0 client subnet to geo target your client IP.

Try a dig -t txt o-o.myaddr.l.google.com @8.8.8.8 vs the others to see the src IP of the packet sent to Google's DNS server, and any edns0 info that came along with it.

Interestingly, I get 3 different source IPs, BUT! The one from Quad9 is IPv6 and the ones from 8.8/1.1 are IPv4. Google returns an extra TXT record as well with "edns0-client-subnet 172.56.95.0/24". I'm not a DNS pro, so not sure what to make of it.

As 9.9 returned an IPv6, I tested with AAAA records just now - 1.1/8.8 respond with 4x IPs, 9.9 only 1x so it mirrors the A records in spirit.
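What the two previous comments are poking at is the EDNS Client Subnet option (ECS, RFC 7871): a resolver that forwards ECS attaches a truncated prefix of the client's address to the query it sends upstream, and the authority echoes the option back with a "scope" saying how much of that prefix it actually used. The following is an added example, not code from the thread or from any of the resolvers discussed: it builds a query carrying an ECS option, builds two constructed replies (one the way an ECS-forwarding resolver would hand back a geo-targeted answer set, one with no ECS at all), and parses replies to list answer records plus any echoed ECS option. It runs offline on the stdlib; all sample data is made up (203.0.113.0/24 and 2001:db8::/32 are documentation ranges, and the 172.56.95.0/24 from the comment above is reused as the subnet hint). The replies are illustrative and were not captured from 8.8.8.8, 1.1.1.1 or 9.9.9.9.

```python
"""Added example, not from the thread: build a DNS query that carries an EDNS
Client Subnet option (ECS, RFC 7871), build a constructed reply the way an
ECS-forwarding resolver would answer it, and parse replies to list answer
records plus any echoed ECS option. Stdlib only, no network. Sample data is
made up: 203.0.113.0/24 is a documentation range; the /24 quoted upthread is
reused as the client-subnet hint."""
import ipaddress
import struct

TYPE_A, TYPE_TXT, TYPE_AAAA, TYPE_OPT = 1, 16, 28, 41
ECS_CODE = 8  # EDNS option code for Client Subnet

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def ecs_option(network, scope=0):
    """ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, truncated ADDRESS."""
    net = ipaddress.ip_network(network, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]  # only the prefix bits are sent
    data = struct.pack("!HBB", family, net.prefixlen, scope) + addr
    return struct.pack("!HH", ECS_CODE, len(data)) + data

def opt_rr(options=b"", udp_size=1232):
    """OPT pseudo-RR: root name, TYPE 41, CLASS field carries the UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(options)) + options

def build_query(qname, qtype, txid=0x1234, client_subnet=None):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1; 1 question; 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + opt_rr(ecs_option(client_subnet) if client_subnet else b"")

def build_response(qname, qtype, records, txid=0x1234, ecs=None):
    """Constructed reply: records = [(rtype, value)], ecs = (network, scope) echoed to the client."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 1)  # QR, RD, RA; NOERROR
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, value in records:
        if rtype == TYPE_TXT:
            rdata = bytes([len(value)]) + value.encode("ascii")  # one <character-string>
        else:
            rdata = ipaddress.ip_address(value).packed
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata  # name -> QNAME
    return header + body + opt_rr(ecs_option(*ecs) if ecs else b"")

def parse_ecs(rdata):
    """Walk OPT RDATA; return ('net/len', scope) for the ECS option, or None if absent."""
    off = 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        data, off = rdata[off + 4:off + 4 + length], off + 4 + length
        if code == ECS_CODE:
            family, src, scope = struct.unpack("!HBB", data[:4])
            raw = data[4:].ljust(4 if family == 1 else 16, b"\x00")  # re-pad the truncated address
            return str(ipaddress.ip_network(f"{ipaddress.ip_address(raw)}/{src}", strict=False)), scope
    return None

def decode_rdata(rtype, rdata):
    if rtype in (TYPE_A, TYPE_AAAA):
        return str(ipaddress.ip_address(rdata))
    if rtype == TYPE_TXT:
        parts, off = [], 0
        while off < len(rdata):
            parts.append(rdata[off + 1:off + 1 + rdata[off]].decode("ascii"))
            off += 1 + rdata[off]
        return "".join(parts)
    return rdata.hex()

def parse_response(msg):
    """Return rcode, answer-section records as (name, rtype, value), and the ECS option if any."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers, ecs = [], None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if rtype == TYPE_OPT:
                ecs = parse_ecs(rdata)  # OPT lives in the additional section
            elif section == "answer":
                answers.append((name, rtype, decode_rdata(rtype, rdata)))
    return {"rcode": flags & 0xF, "answers": answers, "ecs": ecs}

if __name__ == "__main__":
    full = build_response("google.com", TYPE_A, [(TYPE_A, f"203.0.113.{i}") for i in range(1, 7)],
                          ecs=("172.56.95.0/24", 24))
    single = build_response("google.com", TYPE_A, [(TYPE_A, "203.0.113.9")])  # no ECS echoed
    for label, reply in (("ecs-forwarding", full), ("no-ecs", single)):
        r = parse_response(reply)
        print(label, len(r["answers"]), "A records; ecs =", r["ecs"])
```

Two things worth noticing when you run it: the option on the wire carries only the prefix bits (three bytes for a /24), which is exactly what a resolver like 8.8.8.8 leaks about you to the authority, and the scope in the echoed option is the authority telling the resolver how much of the hint it keyed the answer on, which is what lets the resolver cache that answer per /24 rather than per resolver. A resolver that sends no ECS gets an answer chosen for the resolver's own egress location, so differing answer sets across resolvers for a heavily geo-targeted name are expected and not by themselves evidence that records are missing. To check the real thing, send the output of build_query over UDP to the resolver under test and feed the reply to parse_response; o-o.myaddr.l.google.com, as the comment above suggests, is the conventional TXT name for seeing what Google received.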

I really wanted to like Quad9, and used it for a while, but there have been constant issues in the northeast with random SERVFAILs for months now. I had to switch back to Cloudflare.
Have you tested it with a static domain with multiple IPs?

Using Google is a bad way to test this scenario, since they use EDNS and many other DNS load-balancing methods to distribute the load.

Interestingly, I only get one IP from each command:

    $ dig -t A google.com @8.8.8.8 +short
    142.250.184.206
    $ dig -t A google.com @1.1.1.1 +short
    216.58.206.46
    $ dig -t A google.com @9.9.9.9 +short
    142.250.185.238

I'm sure geo has something to do with it - my connections generally terminate in Austin, TX but it varies around Central US. I have T-Mobile Home Internet and our IPs show up to remotes under the same general ASNs as the traditional mobile network (big huge CGNAT, my IP can change 5 times a day or whatnot and it doesn't reflect where I actually am located).

Edit: in case useful to someone reading, right now I have an IP assigned out of this block:

    NetRange:       172.32.0.0 - 172.63.255.255
    CIDR:           172.32.0.0/11
    NetName:        TMO9
    NetHandle:      NET-172-32-0-0-1
Edit edit: in the network record is a link to the self-reported geo data, I missed that.

    Comment:        Geofeed https://raw.githubusercontent.com/tmobile/tmus-geofeed/main/tmus-geo-ip.txt
If you're behind a big CGNAT and Google knows it, they might intentionally return multiple addresses to have more capacity.

Each service port (IP:Port) can only receive 64k connections from each NAT IP; returning more IPs from DNS makes more connections available. Google is a very popular service, so it makes sense to do. (Less so for v6, though)

Alternately, if they can't get a good feel for where you are, returning A records for multiple locations makes sense, too.

No idea why 4 AAAA vs 6 A; Google runs dual stacked and I'd expect the same number of records for both; IIRC, 8 AAAA will usually fit in a 512 byte udp reply, and anyway DNS64 might expand As into AAAAs, so you have to gauge sizes with those anyway.

> Each service port (IP:Port) can only receive 64k connections from each NAT IP

Interestingly, for Tor, the lowest common denominator local port exhaustion threshold at exit is 16384.

https://spec.torproject.org/proposals/348-udp-app-support.ht...

Isn't that because Quad9 does (more) filtering than the other two?
I actually do (did, I demoted it for now) use the unfiltered service (9.9.9.10) but find the same result on both, so I used .9 here to keep the chat more streamlined. But, could still be relevant somehow?