The more of your address that travels with the question, the smaller the crowd you hide in. A /24, the usual choice, narrows you from a whole region down to a few hundred neighbours.
ECS is a trade. You give up a slice of your location to gain a faster, closer server. Whether that trade is worth it depends on something you usually never get to see: how big a slice, and to how many strangers.
What EDNS Client Subnet actually does
When your resolver does not have an answer cached, it goes and asks the servers responsible for the name, the onward journey described in how DNS actually works. Normally those upstream servers see only the resolver asking, not you. They know a query came from, say, a big public resolver, but not which of its millions of users sent it.
EDNS Client Subnet changes that by adding an extra field to the forwarded query, an EDNS option that carries a truncated piece of your address. Not the whole thing, just a prefix: for IPv4, most often the first three octets, written as a /24, and for IPv6 usually the first 56 bits, a /56. So instead of your full 203.0.113.47, the upstream server is told the request comes from somewhere in 203.0.113.0/24. Enough to place you on roughly the right block; not, by itself, your exact line.
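What actually travels, as an added example written for this article rather than taken from any resolver or DNS library: Python, standard library only, encoding the option, wrapping it in the EDNS OPT record that carries it, and reading it back the way an upstream server would. The option code, address families and field layout are those of RFC 7871; the function names and the sample addresses (203.0.113.47 and an address from the IPv6 documentation range) are this example's own choices. It also covers the IPv6 /56 cut and the zero-length "send nothing" form, which the paragraph above does not show.

```python
"""EDNS Client Subnet (ECS) option: encode, wrap in an OPT record, decode.

Added example for this article; stdlib only. Field layout per RFC 7871 section 6.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8   # OPTION-CODE assigned to EDNS Client Subnet
OPT_TYPE = 41         # RR TYPE of the EDNS OPT pseudo-record


def ecs_option(address: str, prefix_len: int) -> bytes:
    """Encode one ECS option carrying `address` cut down to `prefix_len` bits.

    Only ceil(prefix_len / 8) octets are sent and every bit past the prefix is
    zeroed, so a /24 of 203.0.113.47 ships as the three octets of 203.0.113.
    """
    ip = ipaddress.ip_address(address)
    if not 0 <= prefix_len <= ip.max_prefixlen:
        raise ValueError("prefix length out of range for this address family")
    family = 1 if ip.version == 4 else 2
    network = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    n_octets = (prefix_len + 7) // 8
    addr_bytes = network.network_address.packed[:n_octets]
    # FAMILY (2 bytes), SOURCE PREFIX-LENGTH (1), SCOPE PREFIX-LENGTH (1, zero in a query)
    body = struct.pack("!HBB", family, prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def opt_record(options: bytes, udp_payload_size: int = 1232) -> bytes:
    """Wrap option bytes in the OPT pseudo-RR found in a query's additional section."""
    # NAME is the root (a single zero byte); CLASS carries the UDP payload size;
    # the TTL field carries extended RCODE, EDNS version and flags (all zero here).
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, len(options)) + options


def parse_ecs(opt_rdata: bytes):
    """Return 'network/prefix' for the first ECS option in OPT RDATA, or None.

    Rejects the two malformed shapes RFC 7871 forbids: an ADDRESS field whose
    length does not match the prefix, and non-zero bits beyond the prefix.
    """
    i = 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[i:i + 4])
        data = opt_rdata[i + 4:i + 4 + length]
        i += 4 + length
        if code != ECS_OPTION_CODE:
            continue
        if len(data) < 4:
            raise ValueError("ECS option too short")
        family, source, _scope = struct.unpack("!HBB", data[:4])
        addr = data[4:]
        if family == 1:
            total, cls = 4, ipaddress.IPv4Network
        elif family == 2:
            total, cls = 16, ipaddress.IPv6Network
        else:
            raise ValueError(f"unknown ECS address family {family}")
        if len(addr) != (source + 7) // 8:
            raise ValueError("ECS ADDRESS length does not match SOURCE PREFIX-LENGTH")
        padded = addr + b"\x00" * (total - len(addr))
        network = cls((padded, source))  # strict: raises ValueError if host bits are set
        return f"{network.network_address}/{source}"
    return None


def ecs_from_opt(record: bytes):
    """Pull the ECS option out of a whole OPT record."""
    if record[:1] != b"\x00":
        raise ValueError("OPT record must be owned by the root name")
    rtype, _udp, _ttl, rdlen = struct.unpack("!HHIH", record[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT record")
    return parse_ecs(record[11:11 + rdlen])


if __name__ == "__main__":
    # Constructed sample inputs: the article's 203.0.113.47 and a documentation-range IPv6 address.
    samples = [("203.0.113.47", 24), ("203.0.113.47", 32), ("203.0.113.47", 0),
               ("2001:db8:1234:5678::1", 56)]
    for addr, plen in samples:
        option = ecs_option(addr, plen)
        print(f"{addr}/{plen}: option {option.hex()} -> upstream sees {ecs_from_opt(opt_record(option))}")
```

Run it and the /24 line shows the option bytes carrying only `cb 00 71`, the three octets of 203.0.113, with the .47 gone; the /0 line carries no address bytes at all. The decoder is strict on purpose: a resolver that forgets to zero the bits past the prefix leaks more of the address than the prefix length claims, and RFC 7871 treats that as a malformed option rather than a permitted variation.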
Why it exists, and why it is not a villain
It solves a real problem. Large sites and content delivery networks run servers in many places and use DNS to send each visitor to a near one, which is what makes a video start quickly instead of crossing an ocean first. To pick well, the network wants to know roughly where the visitor is. If everyone behind one public resolver looks like they are at the resolver's location, a network might steer a user in Riga to a server chosen for a data centre hundreds of kilometres away.
ECS was the fix: let the resolver pass along a coarse hint of the real user's location so the steering is based on the user, not the resolver. Used as intended, it makes the internet faster for people who sit far from the resolver they use. The mechanism is reasonable. The privacy cost is simply the other side of that same coin, and it is rarely shown to the person paying it.
The catch: it widens who learns where you are
Without ECS, your approximate location is known to your resolver and nobody else in the lookup. With ECS, that hint is handed to the authoritative servers and content networks behind every name you resolve, which can be a great many different operators over a day of browsing. A detail you might accept telling one resolver is now told to a crowd of third parties you never chose, attached to a record of which names you were looking up at the time.
And the precision is finer than people assume. A /24 is exactly 256 addresses. That is not "your country" or even "your city"; depending on how your provider hands out addresses it can be as narrow as one building or one neighbourhood's worth of customers, and it arrives paired with a timestamp and the domain you asked for. It does not name you, in the same way an IP address alone does not name you, but it is a much tighter and more widely shared locator than the lookup needs to function.
Does encrypting my DNS stop this?
Not by itself, and this is the part worth being precise about. Encrypted DNS, whether DNS over HTTPS or DNS over TLS, protects the hop between you and your resolver: it stops your network and provider from reading the lookup. ECS lives on a different hop, the one after the resolver, when it forwards the query onward to the authoritative servers, and that leg is usually plain, unencrypted DNS. Encryption hides the question from the people next to you; it does nothing about what your resolver chooses to staple on when it asks the next server.
So the two protections answer different questions. Encrypted transport decides who can read your lookup on the wire. The resolver's ECS policy decides how much of your location it passes on. You want both: the wire sealed, and a resolver that does not broadcast your subnet to everyone it talks to.
With ECS and without
Same lookup, two policies. The difference is who learns where you are, and how precisely.
| | ECS off (or /0) | ECS on (/24) |
|---|---|---|
| Who learns your location | Your resolver only | Every upstream server and CDN it asks |
| How precise | The resolver's region | Your /24 (256 addresses) |
| Server steering | Based on the resolver's location | Based on your location (can be closer) |
| Best when | You sit near your resolver, or value privacy over the last few milliseconds | You sit far from your resolver and want the closest server |
For most people on a well-placed resolver, the speed gained from ECS is small and the location given up is not. That is why privacy-focused resolvers tend to send a coarse prefix or none at all: Cloudflare's 1.1.1.1, for example, does not send ECS, while Google Public DNS truncates to a /24 (a /56 for IPv6) and only sends it to authoritative servers that have shown they support it.
What is actually in your hands
ECS is almost entirely the resolver's decision. The protocol does give a client one lever, a zero-length prefix in its own query that asks the resolver to forward nothing, but that switch is rarely surfaced as a setting on consumer devices, so in practice the lever you hold is which resolver you trust to decide. A resolver can do one of three things: forward your subnet, forward a deliberately coarsened version, or send nothing at all. The ones built around privacy lean toward the last two by default, treating your subnet as something not to spread unless it truly has to.
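The three choices as a resolver would have to code them, as an added example that is not any real resolver's logic. The policy names `none`, `coarse` and `full`, the function name and the sample address are this example's own; the /24 and /56 ceilings are the maxima RFC 7871 recommends a resolver send; the zero-length client opt-out is the mechanism in RFC 7871 section 7.1.2, and treating any other client-supplied length as a ceiling on what gets forwarded is this example's reading of that same section.

```python
"""Resolver-side ECS policy: what, if anything, to forward about the client.

Added example for this article; not taken from any real resolver.
"""
import ipaddress
from typing import Optional

# Ceilings RFC 7871 section 11.1 recommends a resolver not exceed.
RECOMMENDED_MAX = {4: 24, 6: 56}


def ecs_to_forward(client_ip: str, policy: str,
                   client_requested: Optional[int] = None) -> Optional[str]:
    """Decide what the resolver puts in its outgoing ECS option.

    policy: 'none'   -> forward nothing about the client
            'coarse' -> forward the client's prefix cut at the recommended ceiling
            'full'   -> forward the whole address (the behaviour the article warns about)
    client_requested: SOURCE PREFIX-LENGTH from an ECS option the client itself
        attached to its query, if any. 0 is the client's opt-out and wins over
        every policy; any other value caps how much the resolver may pass on.
    Returns 'network/len' as it would reach the authoritative server, or None
    when no client bits leave the resolver.
    """
    ip = ipaddress.ip_address(client_ip)
    if policy == "none" or client_requested == 0:
        return None
    if policy == "coarse":
        length = RECOMMENDED_MAX[ip.version]
    elif policy == "full":
        length = ip.max_prefixlen
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if client_requested is not None:
        length = min(length, client_requested)   # never longer than the client allowed
    network = ipaddress.ip_network(f"{ip}/{length}", strict=False)
    return f"{network.network_address}/{length}"


if __name__ == "__main__":
    client = "203.0.113.47"   # constructed sample client address
    for policy in ("none", "coarse", "full"):
        print(f"{policy:>6}: upstream sees {ecs_to_forward(client, policy)}")
    print(f"  full, client sent /0: upstream sees {ecs_to_forward(client, 'full', client_requested=0)}")
    print(f"  full, client sent /16: upstream sees {ecs_to_forward(client, 'full', client_requested=16)}")
```

The interesting lines are the last two: a client that attaches its own zero-length prefix gets nothing forwarded even under the `full` policy, and one that attaches a /16 is cut to a /16 rather than the resolver's default. Whether your device does either is a separate question; the point of the function is that the resolver's configuration, not yours, sets the default everyone else sees.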
Pair that with encrypted transport and you have closed both halves: the network beside you cannot read the lookup, and the resolver is not quietly telling the rest of the internet which block you sit on. That is the whole point of choosing your resolver deliberately rather than accepting whichever one your network handed you.
Seal the wire, and mind the prefix
Encrypted DNS keeps your lookups unreadable on the network. Choosing a privacy-minded resolver keeps a slice of your address from being handed to everyone it queries. Set both in a couple of minutes.
Related: what your IP address reveals, what your ISP can see, and how DNS actually works.