zlacker

Understood, but why? Privacy is not an acceptable answer for the reasons OP stated. If Cloudflare gave a coherent, understandable reason, I'd probably be more on their side.

"Trust us, our network is big enough it will route right" is both not a good answer, nor true.

>>silisi+(OP)
Privacy isn’t an absolute pass/fail. Giving authoritative nameservers my IP via EDNS leaks my IP. Sure, other things also leak my IP, but that doesn’t mean we should throw in the towel and accept any new way to leak user data.

In many cases, DNS logs aren’t going to the same place as web server logs, so this keeps my data in fewer log files owned by fewer people.

>>akerl_+73
It isn’t the actual IP, it is the subnet. Leaks some info, but unless you own the entire subnet it won’t give up your identity.

https://en.wikipedia.org/wiki/EDNS_Client_Subnet

>>cortes+K7
The entire point of ECS is to give the location, not the actual origin IP, which might be something you'd like to avoid giving away. The main point is that every resolver or network switch in the chain gets the ECS and would be able to combine it with the domain being requested. If you don't only visit Facebook/Google, your ipv4 /24 in combination with some obscure domain only you visit is very likely to give up your identity should an IX or resolver be watching for requests to such domain.

>>judge2+Ib
Sure, that is true. However, the person I responded to said that EDNS would give the authoritative server your IP address, which isn't true.

>>judge2+Ib
I understand that point, to an extent. I mean, your TCP connection in the next step hits how many switches on the way? With which both your actual IP therefore location could be determined. Trying to hide subnet from just a resolver seems...small in the grand scheme.

And if that's your goal, why not proxy your dns requests? I'd surely have a VPN or at least DNS proxy if my threat model were that which you're trying to avoid.