Exploring EDNS with Examples

EDNS stands for Extended DNS. It gives DNS a mechanism to carry larger messages over UDP than the original format allows. The most popular implementation of EDNS is DNSSEC.

History of EDNS

Traditional DNS responses are typically small in size (less than 512 bytes) and fit nicely into a small UDP packet. Sometimes we have to transfer larger DNS records.

The original DNS protocol uses UDP, and its message format has no spare fields, so there is no place to add extra information to a packet.

EDNS "tacks on" an extra record (the OPT pseudo-record) carrying that additional information, so we can offer more services in DNS.

It also exposes DNS to an attack called DNS amplification, because a small query can trigger a much larger response.

Implementation of EDNS

EDNS is essential for the implementation of DNS Security Extensions (DNSSEC). EDNS is also used for sending general information from resolvers to name servers about clients’ geographic location in the form of the EDNS Client Subnet (ECS) option.

This is important for DNSSEC, since the DO ("DNSSEC OK") bit that signals DNSSEC-awareness is carried in the EDNS OPT record (dig sets it with +dnssec), and DNSSEC responses are larger than traditional DNS responses.

How to use EDNS?

To support EDNS, both the DNS server and the network must be prepared for the larger packet sizes and for UDP fragmentation.

EDNS introduces a single pseudo-RR type: OPT.

As pseudo-RRs, OPT records never appear in any zone file; they exist only in messages and are created by the DNS participants themselves.

Example of EDNS query

We can use the dig command to send a query with EDNS.

dig google.com A +dnssec

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280

The result "EDNS: version: 0" indicates full conformance with EDNS0 (EDNS version 0). The result "flags: do" indicates that the "DNSSEC OK" bit is set, and "udp: 1280" is the UDP payload size the sender advertises it can receive.

Advanced examples of EDNS

This is a dig query with the +noedns option, which sends the query without an OPT record.

dig +norec +noedns soa google.com @8.8.8.8

  • expect: SOA record in the ANSWER section of the query response
  • expect: status is NOERROR

This is a dig query with EDNS and version set to 0.

dig +norec +edns=0 soa zone @server

  • expect: SOA record in the ANSWER section of the query response
  • expect: status is NOERROR
  • expect: OPT record with EDNS version set to 0
  • See RFC 6891
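To make the OPT pseudo-record concrete, here is an added example (not from the original post, standard library only) that builds the same kind of query dig sends for "dig google.com A +dnssec" and then parses the OPT record back out of a message, printing a summary in dig's "; EDNS: ..." format. It also builds a query without EDNS, the equivalent of +noedns, so you can see that the parser correctly reports no OPT record. The transaction ID 0x1234 and the hostname are constructed values; the OPT field layout (TYPE 41, CLASS = UDP payload size, TTL = extended RCODE, version and flags, with the DO bit at 0x8000) follows RFC 6891.

```python
"""Build and parse EDNS0 OPT pseudo-records (RFC 6891) with the standard library only."""
import struct

OPT_TYPE = 41        # OPT pseudo-RR type code
DO_FLAG = 0x8000     # "DNSSEC OK" bit in the flags half of the OPT TTL field


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt_rr(udp_size=1280, do=True, version=0):
    """OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0."""
    flags = DO_FLAG if do else 0
    ttl = (0 << 24) | (version << 16) | flags   # extended RCODE 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)


def build_query(qname, qtype=1, txid=0x1234, edns=True, udp_size=1280, do=True, version=0):
    """Build a query like `dig <qname> A +dnssec`; edns=False mimics `+noedns` (no OPT, ARCOUNT=0)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, QDCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    msg = header + question
    if edns:
        msg += build_opt_rr(udp_size, do, version)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_opt(msg):
    """Find the OPT pseudo-RR in a DNS message and decode its EDNS fields; None if absent."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return {
                "udp_size": rclass,            # CLASS field reused as UDP payload size
                "ext_rcode": ttl >> 24,        # high byte of TTL
                "version": (ttl >> 16) & 0xFF, # next byte of TTL
                "do": bool(ttl & DO_FLAG),     # low 16 bits are flags
                "rdlen": rdlen,
            }
        off += rdlen
    return None


def describe_opt(info):
    """Render the decoded OPT fields the way dig prints its EDNS pseudosection line."""
    if info is None:
        return "no OPT record (EDNS not in use)"
    flags = " do" if info["do"] else ""
    return "EDNS: version: %d, flags:%s; udp: %d" % (info["version"], flags, info["udp_size"])


if __name__ == "__main__":
    for edns in (True, False):
        query = build_query("google.com", edns=edns)
        print("+edns" if edns else "+noedns", len(query), "bytes ->", describe_opt(parse_opt(query)))
```

The same parser works on a real response captured from a resolver, because OPT sits in the additional section of replies as well; a response whose OPT has a different version byte or no DO bit would show up immediately in the summary line.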
