Extension Mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force as, also known as EDNS0[1] which was updated by in 2013 changing abbreviation slightly to EDNS(0).[2]
The Domain Name System was first developed in the early 1980s. Since then, it has been progressively enhanced with new features, while maintaining compatibility with earlier versions of the protocol.
The restrictions in the size of several flags fields, return codes and label types available in the basic DNS protocol prevented the support of some desirable features. Moreover, DNS messages carried by UDP were restricted to 512 bytes, not considering the Internet Protocol (IP) and transport layer headers.[3] Resorting to a virtual circuit transport, using the Transmission Control Protocol (TCP), would greatly increase overhead. This presented a major obstacle to adding new features to DNS. In 1999, Paul Vixie proposed extending DNS to allow for new flags and response codes and to provide support for longer responses in a framework that is backwards compatible with previous implementations.
Since no new flags could be added in the DNS header, EDNS adds information to DNS messages in the form of pseudo-Resource Records ("pseudo-RR"s) included in the "additional data" section of a DNS message. Note that this section exists in both requests and responses.
EDNS introduces a single pseudo-RR type: OPT
.
As pseudo-RRs, OPT type RRs never appear in any zone file; they exist only in messages, fabricated by the DNS participants.
The mechanism is backward compatible, because older DNS responders ignore any RR of the unknown OPT type in a request and a newer DNS responder never includes an OPT in a response unless there was one in the request. The presence of the OPT in the request signifies a newer requester that knows what to do with an OPT in the response.
The OPT pseudo-record provides space for up to 16 flags and it extends the space for the response code. The overall size of the UDP packet and the version number (at present 0) are contained in the OPT record. A variable length data field allows further information to be registered in future versions of the protocol. The original DNS protocol provided two label types, which are defined by the first two bits in the length octet of a label (RFC 1035): 00 (standard label) and 11 (compressed label). EDNS introduces the label type 01 as extended label. The lower 6 bits of the first byte may be used to define up to 63 new extended labels.
An example of an OPT pseudo-record, as displayed by the dig command:
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096
The result of "EDNS: version: 0" indicates full conformance with EDNS0.[4] The result "flags: do" indicates that "DNSSEC OK" is set.[5]
EDNS is essential for the implementation of DNS Security Extensions (DNSSEC).[6]
There are standards for using EDNS to set how much padding should be around a DNS message.[7] [8] Padding is essential when encrypting DNS, because without padding it may be possible to determine the queried domain name from the encrypted size of the query.
EDNS is used for indicating how long a TCP connection should be kept alive.[9]
EDNS is also used for sending general information from resolvers to name servers about clients' geographic location in the form of the EDNS Client Subnet (ECS) option.[10]
In practice, difficulties can arise when using EDNS traversing firewalls, since some firewalls assume a maximum DNS message length of 512 bytes and block longer DNS packets.
The introduction of EDNS made feasible the DNS amplification attack, a type of reflected denial-of-service attack, since EDNS facilitates very large response packets compared to relatively small request packets.