zlacker

1. majews+(OP) 2019-10-04 08:35:31
Even if ECS only reveals your /24, immediately afterwards you're going to connect to the service with your own IP, so Eve can correlate the pair of domain name and /24 from the ECS request with the source IP from the TCP connection to match your IP with the domain name you're navigating to.
replies(1): >>vavrus+43
2. vavrus+43 2019-10-04 09:22:47
>>majews+(OP)
This is not the privacy concern; check out https://tools.ietf.org/html/rfc7871#section-11.1, which discusses it. Yes, if you open a connection to the target IP, then all transit networks between the client and the target IP (including the target itself) know who is talking. These are on-path parties. The main (privacy) issue with ECS is not this, but that it shares the client's subnet with potentially every nameserver on the referral path (including transit networks between the recursive and the nameserver), for every name the client looks up (even when it might not support ECS). The client is also not in control of the prefix length. /24 for IPv4 is a recommended default, but the recursive may use however much it wants, and there's no way to prove to the client that it didn't. Opt-out is also difficult (afaik only getdns and Firefox clients support an opt-out).
replies(1): >>the847+d8
3. the847+d8 2019-10-04 10:39:05
>>vavrus+43
> but that it shares client's subnet with potentially every nameserver on the referral path [...] for every name client looks up

Does CF DNS not use qname minimization? That would reduce the association between subnets and names looked up.
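A worked encoding of the CLIENT-SUBNET option discussed in the two comments above (RFC 7871, section 6), added here as an example that is not part of the thread: it shows how many address bytes the recursive actually sends at /24 versus /32 (the prefix length the client cannot verify), and which servers on a referral path see that subnet with and without qname minimisation. The function names and the client address are constructed, and the referral path is a simplified model with one delegation per label.

```python
import ipaddress
import struct

OPT_CLIENT_SUBNET = 8          # EDNS0 OPTION-CODE for CLIENT-SUBNET (RFC 7871 s6)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def build_ecs_option(client_ip, source_prefix_len, scope_prefix_len=0):
    """Encode the ECS option a recursive sends upstream: only ceil(prefix/8)
    address bytes are included and bits past the prefix are zeroed."""
    ip = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    net = ipaddress.ip_network(f"{ip}/{source_prefix_len}", strict=False)
    addr = net.network_address.packed[:(source_prefix_len + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + addr
    return struct.pack("!HH", OPT_CLIENT_SUBNET, len(body)) + body


def parse_ecs_option(data):
    """Decode an ECS option and report the subnet it actually discloses."""
    code, length = struct.unpack("!HH", data[:4])
    if code != OPT_CLIENT_SUBNET:
        raise ValueError(f"not a CLIENT-SUBNET option (code {code})")
    body = data[4:4 + length]
    family, source_len, scope_len = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    full = 4 if family == FAMILY_IPV4 else 16
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full - len(addr_bytes)))
    net = ipaddress.ip_network(f"{addr}/{source_len}", strict=False)
    return {"source_prefix_len": source_len, "scope_prefix_len": scope_len,
            "address_bytes_sent": len(addr_bytes), "disclosed": str(net)}


def referral_path_view(qname, ecs_option, qname_minimisation):
    """(zone served, name asked, subnet seen) for each server the recursive
    walks to resolve qname. Constructed model: one delegation per label."""
    labels = qname.rstrip(".").split(".")
    disclosed = parse_ecs_option(ecs_option)["disclosed"]
    view = []
    for depth in range(len(labels)):               # depth 0 is the root
        zone = ".".join(labels[len(labels) - depth:]) or "."
        asked = (".".join(labels[len(labels) - depth - 1:])
                 if qname_minimisation else ".".join(labels))
        view.append((zone, asked, disclosed))      # ECS rides on every query
    return view


if __name__ == "__main__":
    print(parse_ecs_option(build_ecs_option("192.0.2.77", 24)))   # constructed
```

Note that qname minimisation narrows the name each upstream server sees but does nothing about the subnet: every row of the referral path still carries the same ECS prefix.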
