Configure Umbrella and ECS

Available Languages

Download Options

  • PDF     (104.1 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (139.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (139.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 10, 2025
Document ID:224852

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes EDNS Client Subnet (ECS) and how it works with Cisco Umbrella.

    What is ECS?

    Traditional DNS is a request at a DNS server that responds back with a single A-record answer. This discussion is simplified by discussing A records only. The same process applies to IPv6 and AAAA records. With the advent of widely distributed content delivery networks (CDNs) and recursive DNS services, geolocation is increasingly important for an optimal experience.

    Traditional DNS geolocates the answer to a DNS question at the authoritative DNS server and provides an answer in return which best matches the source of the DNS query. To use a metaphorical example, take a phone book. Traditionally, the only phone book that was relevant was the local phone book, so you always find the local store. A query of "call Jim's hardware store". Today, where a single web address has many locations worldwide, it is imperative for a good experience to connect to a nearby server. With recursive DNS servers and more distributed networks, the source IP of the DNS query is not necessarily result in the best source of geolocation data.

    Figure 2: Example for a user in New Jersey seeking an answer from authoritative DNS

    Example of User Seeking Answer from Authoritative DNS

    In our phone book metaphor, a business might have 50 locations across the globe, but as the reader, you know what the closest one is and call them. Jim's has been doing well, so our query for "call Jim's hardware store" might bring you to the New Jersey store or the Chicago store depending on who you ask. ECS performs the same service, but for a DNS lookup. EDNS Client Subnet (ECS) is a mechanism for the desired source IP address of a DNS query to be embedded within the EDNS information of a DNS packet. The authoritative DNS server supporting ECS reads this source information and answer with the A record of the best located server possible. For our phone book metaphor, ECS is equivalent to a note specifying which area's phone book to look into. This request would be "call Jim's hardware store in Belvidere, NJ" and an ideal answer can be provided. For more information, visit the home page for the ECS project here at umbrella.cisco.com

    ECS and Recursive DNS servers

    Cisco Umbrella, like other recursive DNS services, are a challenge to DNS-based geolocation. Traditionally, users would request DNS from the ISP, which queries the DNS authority. This provides natively good geolocation for the ISP's network IP ranges. 

    Recursive DNS providers are located off of an ISP's network, and can be located anywhere. Cisco Umbrella operates many datacenters under anycast IP addresses, and DNS queries can hit one of a variety of resolver locations worldwide. Most frequently the closest location is queried; however, this is dependent on optimal routes with each ISP. Most importantly, when it comes to widely distributed web services such as CDNs, the nearest Umbrella resolver might not be close network-wise to the requester's location and might receive a poor CDN server in response. For example, a user in Costa Rica might hit Cisco Umbrella's Miami datacenter and be served content from a Miami CDN. For our phone book metaphor, this is the equivalent of calling the operator and asking for the number for Jim's hardware. Based on where the operator is located, you receive the answer based on that region. Chicago returns Jim's of Wheaton and Miami can return Jim's of South Beach.

    Figure 2: Example for a user in New Jersey seeking an answer from Cisco Umbrella

    Example of User Seeking Answer from Cisco Umbrella

    ECS is invaluable to CDNs for recursive DNS providers since the original source subnet can be passed on via ECS to the CDN's authoritative DNS infrastructure. A query via Umbrella to an ECS-enabled nameserver includes the Class C network of the requesting user (/24 CIDR block) to the authoritative DNS query, and return and cache (according to TTL) the relevant answer. For our phonebook metaphor, this is calling the operator and requesting Jim's hardware near San José, Costa Rica. The operator in Miami would reply with the number for Jim's of San Pedro. 

    In conclusion, ECS enables a user, anywhere in the world, to query a nameserver anywhere in the world and receive a custom answer based on their source location even if using a far away recursive DNS server (supporting ECS). The end result is the fastest CDN server possible from anywhere in the world through any supported DNS service. 

    ECS and Cisco Umbrella

    Cisco Umbrella supports ECS for authoritative DNS resolvers based on an opt-in basis for nameserver owners. Many CDNs enjoy fast, accurate geolocation for Umbrella users, while some CDNs and services do not yet support ECS.

    Know a service that does not yet utilize ECS? Contact the CDN network and ask about implementing ECS. ECS is required to be supported by the authoritiatve nameservers before Umbrella can send it ECS data. 

    Site owners, if you utilize ECS today, contact us at umbrella-support@cisco.com to validate your implementation and start receiving ECS data from Cisco Umbrella today! IPv6 and IPv4 ECS data is supported. Include a list of nameservers (by name) to validate and a domain to validate against. 

    Using ECS in dig

    Did you know that dig natively supports ECS in DNS queries beginning in version 9.10? Append "+subnet=<subnet>" to your dig against the authoritative nameserver directly. Note, this data is dropped if querying Umbrella directly, and is replaced with your source /24. See our article here for details https://support.opendns.com/hc/en-us/articles/227987687

    dig +subnet=208.67.222.0/24 <domain> @<nameserver>

    Look for this subsection in the response to confirm that a nameserver makes use of ECS data:

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ; CLIENT-SUBNET: 208.67.222.0/24/32

    Authoritative Nameserver Owners

    Are you using ECS on your nameserver and looking to unlock its potential for Cisco Umbrella users worldwide? Let us know at umbrella-support@cisco.com so that we can start sending ECS data to your nameservers! Include with your request a list of your nameserver domains and a sample domain that is ECS enabled that we can use to validate your configuration. Let us build a faster Internet together. 

    Revision History

    Revision Publish Date Comments
    1.0
    10-Sep-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products