Using Cloudflare's might lead to slower CDN performance

Disclaimer: All views expressed here are personal

Recently Cloudflare launched their public resolver in partnership with APNIC to great fan-fare boasting performance improvements and increased privacy.

While their claims are true, I would like to talk about them not forwarding EDNS client subnet(ECS). Quad9 does something similar, but provide an ECS capable IP hidden in the docs for users who really care about performance.

In 2010 I wrote a post outlining how using public DNS resolvers leads to degraded performance when accessing non-anycast CDNs. We have come a long way since then, with EDNS Client Subnet being supported by most public resolvers, and a wider pop footprint, that blogpost is very outdated.

According to Cloudflare is a privacy centric resolver so it does not send any client IP information and does not send the EDNS Client Subnet Header to authoritative servers

If I do a DNS lookup for, it is with the intent of connecting to that website(over HTTP/HTTPS/TCP/whatever). The concern appears to be the CDN’s authoritative DNS service provider being able to see the subnet of the end user. Sure that is one way some information about the user could leak. But /24 is not a strong indicator to identify specific user.

When I do make the final connection, I am sending my whole /32 IP address. The /24 (or /28) that would have been sent is hardly any privacy concern compared to the exact IP that’s needed to be exposed while making a TCP connection.

While visiting a typical website, A user exposes their full IP to potentially following parties

  1. The website’s server
  2. The website’s loadbalancer (if any - Like AWS ELB, digital ocean, etc)
  3. The website’s hosting provider (AWS, DO, Google, etc etc…)
  4. 1 - 3 for all 3rd party objects on the webpage (including their CDNs).
  5. All network devices sitting in between 1 - 4

Authoritative DNS service provider is just another piece of a website’s hosting infrastructure, which with ECS only gets partial IP. Sending partial IP, IMHO, is a very trivial privacy concern in comparison to the potential benefits.

For a non-anycast CDN, to get accurate DNS-based routing from user of, the following must work flawlessly.

  1. Internal POP IP of Cloudflare must be very accurate in geoip databases like MaxMind and friends.
  2. The user must always be routed to closest Cloudflare POP. If for some reason the path is wrong, then along with slower Cloudflare, users will experience slower all-CDNs.

But… Doesn’t Cloudflare have POPs almost everywhere?

Yes. But that only gives somewhat geographical granularity. What about ISP-level optimizations. I would like to only send users on Verizon from San Francisco to my Verizon POP. If that user uses, they don’t benefit from all the money I spent in setting up that POP. If another CDN has more locations than Cloudflare, then for a user the CDN has to limit their service based on Cloudflare’s network map. CDNs who host closer to the Edge are impacted more than ones who host at hubs.

Some tests using dnsperfbench tool’s httptest feature. Basically for each resolver it figures out what IP the resolver is returning for Akamai, and then running HTTPS tests over it.

Choosing Akamai as the target of this test was an intentional selection bias on my end to highlight the issue at hand.

From Thailand/AIS Fiber (first hop adds ~20ms latency!)

$ dnsperfbench -resolver -httptest
2018/04/21 20:09:47 Resolving
2018/04/21 20:10:00 Issuing HTTP(s) tests
RESOLVER REMOTE DNS CONNECT TLS TTFB TRANSFER TOTAL (Unknown) 26ms 23ms 83ms 25ms 40ms 197ms (Quad9) 56ms 25ms 89ms 26ms 43ms 238ms (OpenDNS) 71ms 23ms 83ms 25ms 40ms 242ms (Google) 110ms 24ms 84ms 24ms 40ms 281ms
[2001:4860:4860::8888] (Google) 111ms 24ms 83ms 24ms 41ms 282ms
[2620:0:ccc::2] (OpenDNS) 156ms 24ms 82ms 24ms 40ms 326ms
[2606:4700:4700::1111] (Cloudflare) 53ms 53ms 114ms 53ms 69ms 342ms (Cloudflare) 54ms 56ms 120ms 57ms 72ms 358ms (Norton) 89ms 62ms 130ms 60ms 85ms 426ms (Baidu) 129ms 86ms 180ms 86ms 123ms 605ms
[2620:fe::fe] (Quad9) 27ms 223ms 456ms 224ms 317ms 1.247s
[2a0d:2a00:1::] (Clean Browsing) 350ms 228ms 465ms 229ms 278ms 1.55s (Clean Browsing) 382ms 227ms 463ms 227ms 292ms 1.591s (DNSPod) 474ms 236ms 481ms 244ms 335ms 1.772s (114dns) 382ms 283ms 573ms 284ms 401ms 1.924s (Comodo) 219ms 280ms 566ms 279ms 648ms 1.993s

The fastest responding IP 49.231.112.x is hosted inside my ISP, next best is in another ISP in Thailand. If I were to use my access to things hosted with Akamai would get about 2x slower, in exchange for Akamai not getting to see my (partial) IP during DNS resolution.

Sure, Cloudflare’s DNS service (which appears to be serving locally within this ISP) is new, perhaps Akamai has not updated their geoip databases with Cloudflare’s backend IPs, perhaps Cloudflare has not yet published them, but even with that fix, the best Akamai could do is send me to a generic Thailand POP, instead of the one sitting at my ISP.

Similarly for Thailand/True

RESOLVER REMOTE DNS CONNECT TLS TTFB TRANSFER TOTAL (Unknown) 15ms 10ms 29ms 10ms 15ms 80ms (Quad9) 13ms 11ms 57ms 12ms 16ms 109ms (Google) 97ms 10ms 29ms 11ms 17ms 163ms (OpenDNS) 105ms 9ms 29ms 11ms 15ms 169ms (Norton) 66ms 43ms 105ms 43ms 46ms 303ms (Cloudflare) 36ms 67ms 144ms 66ms 110ms 423ms (Baidu) 72ms 84ms 181ms 84ms 114ms 535ms (DNSPod) 70ms 90ms 187ms 90ms 103ms 542ms (Comodo) 225ms 220ms 442ms 221ms 312ms 1.421s (Clean Browsing) 212ms 225ms 464ms 229ms 507ms 1.636s (114dns) 264ms 259ms 527ms 260ms 610ms 1.92s

In this case only Google, OpenDNS and ISP resolvers send me to an ISP-local POP. Quad9 came #2 because of their fast DNS time (this test does not use locally cached DNS).

Cloudflare sends me to Singapore, and others further out.

Cloudflare sending me Singapore IP might be due to the fact that for me is being routed to Cloudflare Singapore, probably True’s fault.

~# mtr --report-wide
Start: Sat Apr 21 21:05:43 2018
HOST: apu                                       Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|--                                0.0%    10    1.2   1.1   0.9   1.2   0.0
  2.|--                               0.0%    10   18.0  13.4  10.5  18.8   2.8
  3.|--                             0.0%    10    8.8   8.3   6.3   9.7   0.9
  4.|--                              0.0%    10    8.2   9.3   7.8  11.7   1.3
  5.|--                               0.0%    10    9.2   9.4   7.5  15.1   2.1
  6.|--         0.0%    10    8.3   9.2   7.8  10.2   0.5
  7.|--          0.0%    10    8.6  10.2   8.5  13.4   1.4
  8.|--   0.0%    10    9.2   9.7   8.3  11.4   0.7
  9.|--  0.0%    10   11.5  10.6   8.9  15.9   2.0
 10.|--         0.0%    10    9.8   9.3   8.0  10.8   0.7
 11.|--        0.0%    10   10.6  11.8   9.8  16.5   1.9
 12.|--        0.0%    10   39.7  40.5  38.5  47.6   2.5
 13.|--                      0.0%    10   41.8  38.2  36.5  44.5   2.6
 14.|--           0.0%    10   35.3  37.4  35.3  40.0   1.2

Dear Cloudflare, please turn on ECS by default.

PS: Check out to check your performance to major authoritative DNS providers.

Tags: cloudflare 1dot1dot1dot1 dns cdn site performance