EDNS
Encyclopedia
Extension mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System
(DNS) protocol which had size restrictions that the Internet
engineering community deemed too limited for increasing functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force
as RFC 2671, also known as EDNS0.
was first developed in the early 1980s, since which time it has been progressively enhanced with new features, while maintaining compatibility with earlier versions of the protocol.
The restrictions in size of several flags fields, return codes and label types available in the basic DNS protocol were not sufficient to support some desirable features. Moreover, DNS messages carried by UDP were restricted to 512 bytes, not considering the Internet Protocol
(IP) and Transport Layer
headers. Resorting to a virtual circuit transport, using the Transmission Control Protocol
(TCP), would greatly increase overhead. This presented a major obstacle to adding new features to DNS. In 1999, Paul Vixie
proposed extending DNS to allow for new flags and response codes, and to provide support for longer responses in a framework that is backwards compatible with previous implementations.
The OPT pseudo-record provides space for up to 16 additional flags and it extends the space for the response code. The overall size of the UDP packet and the version number (at present 0) are contained in the OPT record. A variable length data field allows further information to be registered in future versions of the protocol. The original DNS protocol provided two label types, which are defined by the first two bits in DNS packets (RFC 1035): 00 (standard label) and
11 (compressed label). EDNS introduces the label type 01 as extended label. The lower 6 bits of the first byte may be used to define up to 63 new extended labels.
(dig) utility tool:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
The introduction of EDNS made a type of Reflected Denial-of-Service attacks called DNS amplification feasible, since EDNS facilitates very large response packets compared to relatively small request packets.
Domain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
(DNS) protocol which had size restrictions that the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
engineering community deemed too limited for increasing functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force
Internet Engineering Task Force
The Internet Engineering Task Force develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies and dealing in particular with standards of the TCP/IP and Internet protocol suite...
as RFC 2671, also known as EDNS0.
Motivation
The Domain Name SystemDomain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
was first developed in the early 1980s, since which time it has been progressively enhanced with new features, while maintaining compatibility with earlier versions of the protocol.
The restrictions in size of several flags fields, return codes and label types available in the basic DNS protocol were not sufficient to support some desirable features. Moreover, DNS messages carried by UDP were restricted to 512 bytes, not considering the Internet Protocol
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
(IP) and Transport Layer
Transport layer
In computer networking, the transport layer or layer 4 provides end-to-end communication services for applications within a layered architecture of network components and protocols...
headers. Resorting to a virtual circuit transport, using the Transmission Control Protocol
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
(TCP), would greatly increase overhead. This presented a major obstacle to adding new features to DNS. In 1999, Paul Vixie
Paul Vixie
Paul Vixie is an American Internet pioneer, the author of several RFCs and well-known Unix software.Vixie attended George Washington High School in San Francisco, California. He received a Ph.D in computer science from Keio University in 2011....
proposed extending DNS to allow for new flags and response codes, and to provide support for longer responses in a framework that is backwards compatible with previous implementations.
Mechanism
Since no new flags could be added in the DNS header, the differentiation of the new protocol extensions format was achieved with optional pseudo-resource-records, theOPT
resource records. These are wire-only control records not appearing in any zone files. DNS endpoints insert these optional records in the communications between peers to mark a data transfer using EDNS. This provides a transparently backward compatible mechanism, as older clients without EDNS support simply ignore the new record type. DNS participants should only send EDNS requests to DNS servers if they are prepared to handle EDNS responses; DNS servers should only use EDNS in responses to requests containing OPT records.The OPT pseudo-record provides space for up to 16 additional flags and it extends the space for the response code. The overall size of the UDP packet and the version number (at present 0) are contained in the OPT record. A variable length data field allows further information to be registered in future versions of the protocol. The original DNS protocol provided two label types, which are defined by the first two bits in DNS packets (RFC 1035): 00 (standard label) and
11 (compressed label). EDNS introduces the label type 01 as extended label. The lower 6 bits of the first byte may be used to define up to 63 new extended labels.
Example
An example of an OPT pseudo-record, as displayed by the Domain Information GroperDomain Information Groper
Domain Information Groper is a network administration command-line tool for querying Domain Name System name servers for any desired DNS records....
(dig) utility tool:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
Issues
In practice, difficulties can arise when using EDNS traversing firewalls, since some firewalls assume a maximum DNS message length of 512 bytes and block longer DNS packets.The introduction of EDNS made a type of Reflected Denial-of-Service attacks called DNS amplification feasible, since EDNS facilitates very large response packets compared to relatively small request packets.