Setup information
Pi-hole installed with One-Step Automated Install script on Ubuntu 22.04.
Pi-hole is external to the network, connected to by a firewalled public IP address.
Issue
Initially pihole was resolving DNS, but all the records had been geo-located close to the source of the Pi-hole server, and not the requester. This caused high latency to a lot of services.
I've searched the forums on how to enable ECS and added the following lines to a .conf file
add-mac
add-subnet=24,56
I confirmed this worked against Google DNS and OpenDNS (which both support ECS) as they now return lookups closer to the requesting user.
However when I enter my Cloudflare Gateway servers as upstream DNS (which has ECS enabled), pi-hole returns addresses geo-located with the pi-hole server, as experienced when ECS was disabled.
Have I missed something required to pass EDNS/ECS information to custom upstream servers?
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
Pi-hole is intended to be run as a local resolver within your home network's private IP range.
In such an environment, enabling EDNS0 ECS does not provide any benefits.
On the contrary: You'd leak both private IPs as well as MAC addresses of your home network clients to public DNS servers, which may have security as well as privacy implications.
Furthermore, an upstream would not be able to geo-locate private IPs anyway, and MAC addresses are neither required nor suitable for geo-location.
Without these options, if an upstream DNS server would employ ECS and use the requestor's IP (which in this case would be your Pi-hole's public IP as identified by your network), and the responsible authoritative DNS server processes that ECS info, that would allow for an authoritative DNS server to pick and reply with the topologically closest IP from its records.
Your case is different, as your debug log shows your Pi-hole to operate on a public IP address.
You are running your Pi-hole as a publicly available open resolver.
Open resolvers pose a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.
The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.
Close inbound port 53 from public Internet on your VPS firewall.
The recommended way to run a cloud-base Pi-hole would be to exclusively allow VPN clients via authenticated, secure VPN connections.
Another option, would be to run your Pi-hole behind a DNS-over-TLS(853) or DNS-over-HTTPS(443) proxy, where only that proxy would be publically exposed.
Using DoT would also allow you to use certain smartphone's Private DNS feature to connect to your cloud-based Pi-hole.
This is probably a better fit for your specific used case (as you intend to use ECS).
In my situation its not feasible to operate a pi-hole server within the LAN network at all sites, and such has been run in a VPS in order to service all locations.
The VPS are already firewalled at the infrastructure level, restricting TCP/UDP 53 to the trusted static addresses originated at the various downstream sites, in order to reduce the possibility of DNS amplification attacks.
The logic behind using the custom DNS of CloudFlare Gateway (ZTNA/SASE product) is to add an extra layer of protection, both for downstream clients (blocking malicious sites, blocked categories, etc) and for authoritative nameservers (cloudflare won't pass on an amplification attack).
In my scenario as the packets are translated by the internet facing router, wouldn't the ECS data contain the public IP (or at least the first 24/56 bits of the network address) as the requestors IP in the lookups sent upstream? - And hence why Google/ OpenDNS both return lookup results closest to the requestors location?
As explained, leaking MAC addresses is not required at all, and if you want to use ECS, installing a DoT proxy in front of Pi-hole would allow you to do so, without being prone to DNS amplification attacks, while offering the additional benefit of allowing smartphones to enable their Private DNS feature to use your cloud-based Pi-hole (and it is not public DNS servers like Google or OpenDNS picking topologically closer IPs for replies, but authoritative DNS servers).
Some cloud providers may offer the necessary software and instructions how to do set up a DoT server, and we also received reports from users successfully adding Pi-hole to such a solution, e.g. Specifying UDP Bind Address - #22 by matan129.