Source IP used in Recursive DNS Lookup
While we all know that a recursive DNS server will not use the end user's IP address for its upstream DNS queries, it is also important to note that the IP address the local DNS server uses to query the authoritative DNS server may not be the local DNS server's own IP address either.
For example:
- The end user configures 8.8.8.8 as his local DNS server and issues multiple DNS requests from the same client;
- on the authoritative DNS server, we observed that the source IPs of the incoming requests are NOT 8.8.8.8 at all,
- but come from another IP subnet that belongs to Google: 74.125.0.0/16.
Further testing showed that these IPs do not respond to DNS queries (though they are pingable), so they appear to be the egress source IPs that the 8.8.8.8 anycast service uses to fetch responses from authoritative servers.
This is important because:
First, some GSLB or DNS servers store an entry of [received source IP, response sent back] and use that entry for DNS response persistence. A per-host (/32) entry clearly will not work as expected, since the source IP might change with every query; a per-subnet (/16) entry might work, but still carries a risk of failure.
Secondly, some GSLB or DNS servers actively measure the RTT between the source IP of the user's DNS request (assumed to be the user's local DNS IP) and multiple sites, then compare the results to select the DNS response that is closest to the end user. But again, since the IPs that query the authoritative DNS server are not the local DNS IP, this has a much bigger chance of failing.
The options left here might be:
- use the EDNS (Client Subnet) option as the real client IP and store the persistence entry based on that information;
- for better RTT selection, also find a way to measure against the IPs carried in the EDNS option rather than the query's source IP.
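To show what keying persistence on the EDNS Client Subnet option looks like in practice, here is an added example (not code from the original post). It parses the OPT record of a raw DNS query, extracts the ECS option (RFC 7871, option code 8), and derives the persistence key from the client subnet when present, falling back to the transport source IP otherwise. The query packets and the resolver egress IPs (74.125.x.y, as observed above) are constructed sample data; build_query only exists to produce that sample input.

```python
import ipaddress
import struct

EDNS_OPT_TYPE = 41    # OPT pseudo-RR type (RFC 6891)
ECS_OPTION_CODE = 8   # EDNS Client Subnet option code (RFC 7871)


def _read_name(msg, offset):
    """Parse a DNS name at offset (handles compression pointers).
    Returns (dotted name, offset of the byte after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", (end if jumped else offset)


def parse_client_subnet(msg):
    """Return the ECS subnet of a DNS message as an ip_network, or None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                      # skip question section
        _, offset = _read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    for _ in range(an + ns):                 # skip answer/authority RRs
        _, offset = _read_name(msg, offset)
        rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])[3]
        offset += 10 + rdlen
    for _ in range(ar):                      # OPT lives in the additional section
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != EDNS_OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):         # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            odata = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != ECS_OPTION_CODE or len(odata) < 4:
                continue
            family, src_prefix, _scope = struct.unpack("!HBB", odata[:4])
            addr_bytes = odata[4:]
            if len(addr_bytes) != (src_prefix + 7) // 8:
                continue                     # malformed: wrong address length
            if family == 1:
                addr = ipaddress.IPv4Address(addr_bytes.ljust(4, b"\x00"))
            elif family == 2:
                addr = ipaddress.IPv6Address(addr_bytes.ljust(16, b"\x00"))
            else:
                continue
            return ipaddress.ip_network((addr, src_prefix), strict=False)
    return None


def persistence_key(transport_src_ip, msg):
    """Persistence key a GSLB should use: ECS subnet if present, else source IP."""
    subnet = parse_client_subnet(msg)
    return f"ecs:{subnet}" if subnet is not None else f"src:{transport_src_ip}"


def keys_seen(resolver_egress_ips, msg):
    """Set of persistence keys one client's queries produce when the
    recursive resolver sends them from several egress IPs."""
    return {persistence_key(ip, msg) for ip in resolver_egress_ips}


def build_query(qname, client_addr=None, prefix_len=24):
    """Construct a sample A query, optionally carrying an ECS option."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if client_addr else 0)
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    q += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if client_addr is None:
        return header + q
    addr = ipaddress.ip_address(client_addr)
    net = ipaddress.ip_network((addr, prefix_len), strict=False)
    addr_bytes = net.network_address.packed[:(prefix_len + 7) // 8]
    ecs = struct.pack("!HBB", 1 if addr.version == 4 else 2, prefix_len, 0) + addr_bytes
    opt_rdata = struct.pack("!HH", ECS_OPTION_CODE, len(ecs)) + ecs
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 4096, 0, len(opt_rdata)) + opt_rdata
    return header + q + opt


if __name__ == "__main__":
    egress = ["74.125.47.1", "74.125.190.2", "74.125.18.3"]  # constructed sample
    print(keys_seen(egress, build_query("www.example.com")))                    # 3 keys
    print(keys_seen(egress, build_query("www.example.com", "203.0.113.77", 24)))  # 1 key
```

Run stand-alone, the first line prints three different keys (one per resolver egress IP, which is exactly the /32 persistence failure described above) while the second prints a single key, 203.0.113.0/24, regardless of which egress IP the query came from. Note that ECS is only useful when the resolver actually sends it and the authoritative side honours it; a GSLB should still keep the source-IP fallback for resolvers that do not.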
As the section "Locations of IP address ranges Google Public DNS uses to send queries" from https://developers.google.com/speed/public-dns/faq shows, Google does use different IPs to send queries.