Exploring EDNS with Examples

Updated: Jul 1

EDNS stands for Extension Mechanisms for DNS (commonly just "Extended DNS"). It gives us a way to carry larger DNS messages, and extra per-message options, over UDP. The most prominent user of EDNS is DNSSEC.



History of EDNS

Traditional DNS responses are small (less than 512 bytes) and fit comfortably into a single UDP packet. Sometimes, however, larger DNS records have to be transferred.


The original DNS protocol runs over UDP, and its message format leaves no spare room for new fields, so there is no place to add additional information to a packet.


EDNS "tacks on" an extra pseudo-record (the OPT record, described below) that carries additional information, so more services can be built on top of DNS.


The larger responses also make DNS more attractive for DNS amplification attacks, in which a small spoofed query elicits a much larger response aimed at a victim. Check this post to learn more about which transport protocol DNS uses.




Implementation of EDNS

EDNS is essential for the implementation of DNS Security Extensions (DNSSEC). EDNS is also used for sending general information from resolvers to name servers about clients' geographic location in the form of the EDNS Client Subnet (ECS) option.




This is important for DNSSEC, since the DO ("DNSSEC OK") bit that signals DNSSEC awareness is carried inside the EDNS OPT record (dig sets it with +dnssec), and DNSSEC responses are larger than traditional DNS responses.




How to use EDNS?

In order to support EDNS, both the DNS server and the network path need to be prepared to handle the larger packet size and the IP fragmentation it can cause.


EDNS introduces a single pseudo-RR type: OPT.


As pseudo-RRs, OPT type RRs never appear in any zone file; they exist only in messages, fabricated by the DNS participants.



Example of EDNS query

We can use the dig command to send a query with EDNS. The output below is trimmed to the OPT pseudosection.


dig google.com A +dnssec
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280

The line "EDNS: version: 0" indicates full conformance with EDNS0. "flags: do" indicates that the "DNSSEC OK" bit is set, and "udp: 1280" is the UDP payload size dig advertised in its OPT record.




Advanced examples of EDNS

This is a dig query with the +noedns option (and +norec, so the server is asked as an authoritative source rather than a recursive resolver).

dig +norec +noedns soa google.com @8.8.8.8
  • expect: SOA record in the ANSWER section of the query response
  • expect: status is NOERROR


This is a dig query with EDNS and version 0. Replace zone and server with the zone name and the name server to test.

dig +norec +edns=0 soa zone @server
  • expect: SOA record in the ANSWER section of the query response
  • expect: status is NOERROR
  • expect: OPT record with EDNS version set to 0
  • See RFC 6891
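As an added example (not code from the original post), the Python script below builds an EDNS0 query by hand with the OPT pseudo-RR described above, the same way dig does for +dnssec, and then decodes the RCODE, section contents and OPT record of a response so that the expectations listed for the two dig checks (NOERROR, an SOA in ANSWER, an OPT record with version 0, or no OPT record at all for a +noedns exchange) can be verified programmatically. The function names, the 0x1234 transaction id and the sample SOA response for example.com are all constructed for this illustration; nothing here is captured traffic.

```python
# Added example: hand-built EDNS0 query and response checker, written directly
# against the OPT pseudo-RR wire format of RFC 6891. All sample data is constructed.
import struct

TYPE_A, TYPE_SOA, TYPE_OPT = 1, 6, 41
DO_FLAG = 0x8000  # "DNSSEC OK" bit: top bit of the OPT record's 16-bit flags field


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_opt(udp_size=1280, version=0, do=True):
    """OPT pseudo-RR: empty NAME, TYPE 41, CLASS = sender's UDP payload size,
    TTL = extended RCODE (8 bits) | EDNS version (8 bits) | flags (16 bits), no RDATA."""
    ttl = (version << 16) | (DO_FLAG if do else 0)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)


def build_query(qname, qtype, txid=0x1234, edns=True, do=True, udp_size=1280, rd=True):
    """A query like `dig <qname> <qtype> +dnssec` (edns=True, do=True) or
    `dig +noedns` (edns=False). ARCOUNT is 1 exactly when an OPT record is appended."""
    flags = 0x0100 if rd else 0                       # RD bit; dig +norec clears it
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    return (msg + build_opt(udp_size, 0, do)) if edns else msg


def skip_name(msg, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:                         # 2-byte pointer ends the name
            return off + 2
        off += 1 + ln


def parse_message(msg):
    """Return the RCODE, the RR types in each section and the decoded OPT record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    sections, opt = {"answer": [], "authority": [], "additional": []}, None
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[sec].append(rtype)
            if rtype == TYPE_OPT:                     # CLASS/TTL are overloaded, see build_opt
                opt = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                       "version": (ttl >> 16) & 0xFF, "do": bool(ttl & DO_FLAG)}
    return {"id": txid, "rcode": flags & 0xF, "sections": sections, "opt": opt}


def check_expectations(msg, want_type, edns_version=None):
    """The checks listed for the dig examples: status NOERROR, the wanted RR type in
    ANSWER, and an OPT record with the given EDNS version (None = no OPT expected)."""
    p = parse_message(msg)
    problems = []
    if p["rcode"] != 0:
        problems.append("status is not NOERROR (rcode %d)" % p["rcode"])
    if want_type not in p["sections"]["answer"]:
        problems.append("wanted type %d missing from ANSWER" % want_type)
    if edns_version is None and p["opt"] is not None:
        problems.append("unexpected OPT record in a +noedns exchange")
    if edns_version is not None and (p["opt"] is None or p["opt"]["version"] != edns_version):
        problems.append("OPT record missing or EDNS version != %d" % edns_version)
    return problems


def sample_soa_response(edns=True):
    """Constructed response to `soa example.com` (not captured traffic): flags QR+RD+RA,
    NOERROR, one SOA in ANSWER, and an OPT record in ADDITIONAL when edns is True."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1 if edns else 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_SOA, 1)
    rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 3600))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(rdata)) + rdata
    msg = header + question + answer
    return (msg + build_opt(512, 0, False)) if edns else msg


if __name__ == "__main__":
    print(parse_message(build_query("google.com", TYPE_A))["opt"])
    print(check_expectations(sample_soa_response(True), TYPE_SOA, 0))
    print(check_expectations(sample_soa_response(False), TYPE_SOA, None))
```

The query produced by build_query("google.com", TYPE_A) carries exactly the OPT record that dig reports as "EDNS: version: 0, flags: do; udp: 1280": a one-byte empty name, TYPE 41, CLASS 1280 and a TTL whose only set bit is DO. To use the checker against a live server, send the query bytes over UDP (for example with socket.sendto) and pass the received datagram to check_expectations in place of the constructed sample.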




