About EDNS Client Subnet (ECS) Injection
The Zscaler service supports EDNS Client Subnet (ECS) in DNS queries to obtain geo-located responses from DNS resolvers. Client Subnet is an option in Extension Mechanisms for DNS (EDNS0) that allows the IP address or subnet information of the requesting client device to be passed in DNS requests. An authoritative or intermediate DNS nameserver resolves the domain name to an IP address that is geographically closer to the client’s (query originator) subnet passed in the DNS request. The client then establishes a connection with the application or service using the resolved IP address.
When DNS queries are forwarded through the Zscaler service to an external DNS service, the DNS resolution is geo-optimized based on the Internet & SaaS Service Edge (Public, Private, or Virtual) since the external DNS service receives the DNS query from the public IP address of the Service Edge. However, this resolution using the Service Edge location may not always be optimal as organizations sometimes require DNS resolution based on the geolocation of the requesting clients or a specific subnet that represents the customer and not Zscaler.
For example, when clients in Ireland connect to Zscaler's data center in the UK due to the non-availability of Zscaler data centers in Ireland, the DNS responses are geo-located for the data center in the UK. This may prevent the clients in Ireland from accessing cloud applications and services specific to their geographic location. To inform third-party DNS services of the original requesting client and/or customers and allow these clients to access geographic-specific content, you can use the ECS option to pass the client's masked IP address in the DNS queries as they transit the Zscaler service. An authoritative or intermediate DNS nameserver with ECS support can provide geo-located responses for clients using the ECS value.
EDNS Client Subnet (ECS) provides the following benefits and enables you to:
- Obtain geo-located DNS responses for clients by including the client's IP subnet information in DNS requests.
- Access cloud applications and services hosted on Content Delivery Networks (CDNs) in the preferred geographic location and ensure compliance with regulatory requirements or geographical restrictions.
- Leverage the ability of external DNS resolvers to examine the ECS value for identifying clients and enforcing policies.
The ECS value is typically a prefix obtained from the requesting client's public IP address by masking a specific sequence of bits. For example, if the client's public IP address is 2.2.2.2 and the ECS value is configured to mask the bits following the 24th bit, then 2.2.2.0/24 is the prefix sent as the ECS value to the DNS resolver on behalf of the client. The Zscaler service allows you to configure the prefix length ranging from /20 to /24 (the full IP address), depending on your requirements. Zscaler also provides a default prefix object with a length of /24, the prefix length most commonly used as the ECS value. Based on your configuration, Zscaler derives the ECS prefix from the requesting client's IP address and embeds it into the DNS queries. Alternatively, you can configure a synthetic (static) ECS prefix to be added to DNS requests instead of deriving the prefix from the requesting client's IP address.
Optionally, you can also choose to retain the already-present ECS prefix in client DNS queries. Using the appropriate configuration in the Admin Portal, you can either choose to insert the configured prefix or retain the already-present ECS prefix in DNS queries. If the ECS prefix is inserted by Zscaler, then the corresponding ECS option in the DNS response may be removed before the response is sent back to the client.
Zscaler supports the ECS option irrespective of the traffic forwarding method used by the client to send the DNS queries to the Service Edge. The DNS resolver that performs the name lookup must support the ECS option to return geo-located responses. If the DNS resolver does not support ECS, it ignores the extension when performing domain resolution and provides a regular DNS response. The ECS option is supported for the following DNS record types: A, AAAA, CNAME, MX, NS, and PTR records.
- Exercise caution when configuring the ECS option to safeguard the privacy and security of clients by preventing the unnecessary exposure of the client’s IP network information.
- Due to the differences in the support for the ECS functionality, some DNS resolvers might not honor the ECS value in DNS requests (essentially, ignore the value), and others might return a REFUSED error code. Zscaler recommends validating with the third-party DNS service provider to confirm their handling of ECS before configuring ECS injection.
You can configure ECS prefixes under Policies > Access Control > Internet & SaaS > DNS Control > EDNS Client Subnet. After configuring the ECS prefixes, you must enable the ECS option and designate an ECS prefix to be embedded into DNS queries using the Advanced Settings.
DNS Insights Logs provide visibility into the logs recorded for DNS traffic that contains the ECS prefix. You can also track this data using interactive charts in the DNS Overview Dashboard. Using the Nanolog Streaming Service, you can stream your logs in real time from the Zscaler Nanolog to your security information and event management (SIEM) system.
- ECS support requires a subscription that includes advanced functionalities of DNS Control.
- Zscaler supports ECS prefixes corresponding to the IPv4 family only. ECS prefixes corresponding to the IPv6 family in client DNS queries are not processed by Zscaler.
- The Zscaler Trusted Resolver does not currently support the ECS option.
About the EDNS Client Subnet Prefix Objects Page
On the EDNS Client Subnet Prefix Objects page (Policies > Access Control > Firewall > EDNS Client Subnet), you can do the following:
- Add an ECS prefix.
- View the list of configured ECS prefixes. By default, the table displays the following information:
  - Name: The name of the ECS prefix.
  - Prefix Length: The length of the ECS prefix.
  - Static Prefix: The static ECS prefix with the subnet mask.
  - Description: Additional information about the ECS prefix.
- Edit an existing ECS prefix. You can also delete an ECS prefix from the Edit ECS Prefix window.
- View the default ECS prefix created by the Zscaler service.
- Modify the table and its columns.
- Search for an ECS prefix.