Seeing EDNS client-subnet in two steps
1. Build a dig client with support
- Download the patch from http://wilmer.gaa.st/edns-client-subnet/README.html
- Download BIND 9.7.1-P2 from ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz. I had tried 9.8.4 first but the patch failed.
- patch -p1 < bind-9.7.1-dig-edns-client-subnet.diff
- Since we only want dig, we can skip the OpenSSL dependency (it is only needed for DNSSEC): ./configure --without-openssl && make
2. Query an Auth that speaks the language
Now that we have a build of dig that can include the client subnet in the query, we are able to query authoritative servers with the option enabled.
Here’s what a regular query for our favorite video site looks like:
Notice that the A records handed back are in North America. Now let’s resolve the record for a client in China:
The response now carries an additional CLIENT-SUBNET option stating that this answer is only valid for that subnet. The other difference is that there are no A records in the response; instead we get a CNAME chain, which will require another lookup.
On the UDP side, an additional record of type OPT carrying the extended data is included in both the request and the response. At this time Wireshark doesn't support decoding that data, but a patch is available at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7552
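To see exactly what that OPT record carries without a patched Wireshark, here is an added example (not code from the original post, the dig patch, or BIND) that builds a query with a client-subnet option and decodes the option back out of a DNS message. It uses only the Python standard library. Assumptions: RFC 7871 later assigned option code 8 to client-subnet while the earlier draft used the experimental code 0x50FA (20730); the page does not say which code the patch emits, so the code is a parameter. The query name video.example and the subnet 203.0.113.77/24 are constructed placeholders, and all function names are mine.

```python
import struct
import ipaddress

# EDNS OPT pseudo-RR type and the two client-subnet option codes seen in the wild:
# 8 (assigned by RFC 7871) and 0x50FA (the pre-RFC draft's experimental code).
# Which one a given patched dig or auth server uses is an assumption here.
OPT_TYPE = 41
ECS_CODE_RFC7871 = 8
ECS_CODE_DRAFT = 0x50FA


def build_ecs_option(subnet, scope_prefix=0, code=ECS_CODE_RFC7871):
    """Encode one client-subnet option: FAMILY, SOURCE, SCOPE, truncated ADDRESS."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    source_prefix = net.prefixlen
    # The address is truncated to the octets that cover SOURCE PREFIX-LENGTH,
    # which is what keeps the client's full address out of the query.
    addr = net.network_address.packed[:(source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr
    return struct.pack("!HH", code, len(data)) + data


def build_opt_rr(options, udp_payload=4096):
    """Wrap EDNS options in an OPT RR: root name, type 41, class = UDP payload size."""
    rdata = b"".join(options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, len(rdata)) + rdata


def encode_name(name):
    """Plain (uncompressed) wire-format name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, subnet, txid=0x1234, code=ECS_CODE_RFC7871):
    """A complete A/IN query with RD set and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    return header + question + build_opt_rr([build_ecs_option(subnet, code=code)])


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def find_opt_rdata(packet):
    """Walk a DNS message (request or response) and return its OPT RDATA, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return packet[off:off + rdlen]
        off += rdlen
    return None


def parse_ecs_options(rdata, codes=(ECS_CODE_RFC7871, ECS_CODE_DRAFT)):
    """Decode every client-subnet option found in OPT RDATA into dicts."""
    found = []
    off = 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        body = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if code not in codes:
            continue
        family, source, scope = struct.unpack("!HBB", body[:4])
        addr = body[4:]
        full_len = {1: 4, 2: 16}[family]
        # The address must be exactly the octets the prefix needs; anything
        # longer or shorter is malformed and a server would answer FORMERR.
        if len(addr) != (source + 7) // 8 or source > full_len * 8:
            raise ValueError("malformed client-subnet option")
        ip = ipaddress.ip_address(addr + b"\x00" * (full_len - len(addr)))
        found.append({"code": code, "family": family, "source": source,
                      "scope": scope, "subnet": f"{ip}/{source}"})
    return found


if __name__ == "__main__":
    # Constructed input: a query for a placeholder name on behalf of a /24.
    pkt = build_query("video.example", "203.0.113.77/24")
    print(pkt.hex())
    print(parse_ecs_options(find_opt_rdata(pkt)))
```

In a response the same OPT RR comes back with SCOPE PREFIX-LENGTH filled in by the authoritative server, which is the "only valid for that subnet" information described above; feeding a captured response to find_opt_rdata and parse_ecs_options shows the scope the server actually chose.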