Hi!
What does the edns_client_subnet_private actually do?
Does this set some flag in the edns options to inform the (configured in stubby) recursive resolvers not to send the client subnet to the root servers (or whatever dns server they use)?
Or does this toggle if stubby sends the actual client subnet to the (configured in stubby) recursive resolvers?
If the latter is the case, what subnet is used?
In a typical home network where stubby is running most likely on a router, this would make no sense because it would send the client's private IP address?
I think there is no way to prevent ecs leak when the (configured in stubby) recursive resolver is configured with ecs support.
Except the first case with flag is actually a thing...
Hi - it is the first behaviour you describe - it is an instruction to the recursive resolver not to use ECS when resolving the query (so the client subnet doesn't get sent to the authoritative servers upstream). Of course, this only works if the recursive resolver honours the flag, but most 'privacy' servers do. If you want more detail see here: https://datatracker.ietf.org/doc/html/rfc7871#section-7.1.2
Using this option increases privacy but at the potential cost of not getting a geolocated answer (which can make accessing web content slower). The stubby default is to use the option.
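The opt-out described in the reply above is, per RFC 7871 section 7.1.2, an ECS option whose SOURCE PREFIX-LENGTH is 0. As an added example (not stubby or getdns code), the Python below encodes that option and classifies the ECS option found in captured OPT RDATA, so a capture can be checked for an opt-out versus a real subnet. The function names, the sample bytes and the use of FAMILY 1 for the opt-out are assumptions of the example.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8                    # EDNS Client Subnet, RFC 7871
NETWORKS = {1: (ipaddress.IPv4Network, 4), 2: (ipaddress.IPv6Network, 16)}

def build_ecs_option(family=1, source_prefix=0, address=b""):
    """Encode one ECS option; the defaults give the privacy opt-out form.
    FAMILY 1 (IPv4) for the opt-out is an assumption of this example."""
    nbytes = (source_prefix + 7) // 8
    addr = bytearray(address[:nbytes].ljust(nbytes, b"\x00"))
    if source_prefix % 8:              # clear bits beyond the prefix
        addr[-1] &= (0xFF << (8 - source_prefix % 8)) & 0xFF
    body = struct.pack("!HBB", family, source_prefix, 0) + bytes(addr)
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def classify_ecs(opt_rdata):
    """Walk the options in OPT RDATA and report what the ECS option says."""
    offset = 0
    while offset + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, offset)
        body = opt_rdata[offset + 4:offset + 4 + length]
        offset += 4 + length
        if len(body) < length:
            raise ValueError("truncated EDNS option")
        if code != ECS_OPTION_CODE:
            continue                   # e.g. padding or cookie options
        if length < 4:
            raise ValueError("ECS option shorter than its fixed header")
        family, source, _scope = struct.unpack_from("!HBB", body)
        addr = body[4:]
        if len(addr) != (source + 7) // 8:
            raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
        if source == 0:
            return "opt-out"           # resolver must not forward client address
        if family not in NETWORKS:
            raise ValueError("unknown address family")
        net_cls, size = NETWORKS[family]
        return "subnet " + str(net_cls((addr.ljust(size, b"\x00"), source)))
    return "absent"

# Constructed sample input: a padding option (code 12) followed by ECS.
PADDING = struct.pack("!HH", 12, 3) + b"\x00" * 3
OPT_OUT = PADDING + build_ecs_option()
LEAKY = build_ecs_option(1, 24, ipaddress.ip_address("192.0.2.55").packed)

if __name__ == "__main__":
    print(classify_ecs(OPT_OUT), "|", classify_ecs(LEAKY))
```

Seeing "opt-out" on the stub-to-resolver leg only shows the request was made; whether the resolver honours it has to be checked on the resolver-to-authoritative leg.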