
EDNS Client Subnet (ECS)

EDNS Client Subnet (ECS) is an extension to the Domain Name System (DNS) that allows recursive resolvers to include a portion of the user's IP address when making DNS queries to authoritative name servers. This helps content delivery networks (CDNs) and other services return geographically optimised responses, potentially improving performance and reducing latency.

How ECS Works

  1. A user queries a recursive DNS resolver for a domain (e.g., example.com).
  2. If the resolver supports ECS, it sends the query to the authoritative name server together with part of the user's IP address (typically only the leading bits that identify the subnet, e.g., 192.168.x.x/24, rather than the full address).
  3. The authoritative server responds with an IP address optimised for the provided subnet, directing users to a geographically closer or lower-latency server.
  4. The recursive resolver caches and returns the optimised response to the user.

This mechanism allows CDNs to direct users to the nearest server, improving load balancing and performance.
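As an added illustration (not code from this page or the project), the following shows how a forwarding resolver encodes the ECS option described in step 2 above, how the subnet it discloses is read back, and how a resolver that refuses to forward ECS removes the option before sending the query upstream. It assumes Python 3.9+ and the option layout from RFC 7871; the client addresses are constructed sample values.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode an ECS option as a forwarding resolver would: keep only
    source_prefix bits of the client address, zero the host bits, and
    send ceil(source_prefix / 8) address bytes. SCOPE is 0 in queries."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    # Mask off the host bits so only the subnet is disclosed.
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8
    truncated = net.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source_prefix, 0) + truncated
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_edns_options(rdata: bytes) -> list[tuple[int, bytes]]:
    """Split the RDATA of an OPT pseudo-RR into (option-code, data) pairs."""
    opts, i = [], 0
    while i + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, i)
        i += 4
        opts.append((code, rdata[i:i + length]))
        i += length
    return opts


def decode_ecs(option_data: bytes) -> str:
    """Return the subnet an ECS option discloses, e.g. '203.0.113.0/24'."""
    family, source, _scope = struct.unpack_from("!HBB", option_data)
    raw = option_data[4:]
    width = 4 if family == 1 else 16
    # Address bytes beyond the prefix are omitted on the wire; pad them back.
    padded = raw + b"\x00" * (width - len(raw))
    return f"{ipaddress.ip_address(padded)}/{source}"


def strip_ecs(rdata: bytes) -> bytes:
    """What a privacy-preserving resolver does before forwarding upstream:
    drop the ECS option and keep every other EDNS option unchanged."""
    return b"".join(struct.pack("!HH", code, len(data)) + data
                    for code, data in parse_edns_options(rdata)
                    if code != ECS_OPTION_CODE)
```

Note that even a /24 narrows a user to one subnet, which is why the upstream sees a meaningful location signal despite the host bits being zeroed.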

Why is ECS a Privacy Concern?

While ECS can enhance performance, it also introduces several privacy risks:

User Tracking and Fingerprinting

By exposing parts of a user's IP address, ECS makes it easier for entities to track users across DNS queries. Even though full IP addresses are not transmitted, the subnet information is enough to approximate a user's location.

Reduced Anonymity in DNS Queries

Traditional DNS queries from recursive resolvers do not reveal user-specific information to authoritative servers. With ECS enabled, resolvers leak partial location data, reducing the privacy benefits of using a public DNS resolver.

Increased Data Exposure

ECS enables more granular tracking of users by third parties, including ISPs, advertisers, and content providers. This could lead to targeted advertising or even profiling without user consent.

Potential for Security Exploits

If misused, ECS can be leveraged to de-anonymise users or introduce attack vectors in which adversaries infer sensitive details about network topology and user behaviour.

How to Protect Your Privacy from ECS?

Some DNS resolvers, including those operated by privacy-focused organisations, disable ECS entirely or only enable it under strict privacy policies. At the UK DNS Privacy Project we do not forward ECS data to upstream servers; any site that uses geolocation will simply see our resolver addresses and return geotargeted responses based on those.

Conclusion

EDNS Client Subnet (ECS) is a double-edged sword—while it improves content delivery performance, it also raises significant privacy concerns. Privacy-conscious users should be aware of how ECS works and take steps to mitigate potential risks by using DNS services that respect user anonymity.

For users prioritising privacy, choosing DNS resolvers that limit or disable ECS and implementing encrypted DNS solutions can significantly reduce exposure to tracking and data leakage.
