EDNS - DNS extension
I recently became aware of an extension to DNS called EDNS. As I work a lot with DNS, I'm not quite sure how I could have missed this extension until now.
EDNS is an extension of the DNS protocol which allows more flags, label types and return codes to be defined, and enhances the transport of DNS data in UDP packets. The version of EDNS specified by RFC 2671 is known as EDNS0.
Wikipedia
EDNS - why?
According to the DNS specifications, UDP packets should be no longer than 512 bytes. There is no space left for additional flags in the header. For normal use this is no problem at all, but to implement new features in DNS, such as DNSSEC, changes were needed.
EDNS uses a pseudo resource record called OPT to identify this extension. More links are found in the links section below.
Our firewall, a Fortigate FG-500A from Fortinet, logs oversized packets as a potential vulnerability in the IPS module. At the same time, it only logs the packet as bad; it does not drop the packet. So it can't be that bad :)
EDNS - what you should know!
This extension is almost invisible to system administrators. Windows 2003 supports this extension by default, but I have never seen any problems as a result of this until today.
- Legacy DNS servers that don't know anything about EDNS will just ignore the OPT resource record sent from the other side.
- DNS clients (such as computers) usually never use this option, as they do not need to send packets greater than 512 bytes. Most DNS packets are between 150 and 200 bytes.
- There is a hotfix available for Windows 2000 to solve issues related to EDNS queries.
- The Windows 2003 DNS server does not announce itself as an EDNS capable server to other servers. But it replies to other hosts as EDNS capable when asked to do so.
- Newer versions of BIND seem to advertise themselves as EDNS capable.
- EDNS usually adds as little as 10-15 bytes of extra data to a UDP packet. In most queries you are still way below the limit of 512 bytes. Some intrusion prevention systems, firewalls or DNS servers may drop packets because of invalid options in the packet. Except for old Windows 2000 implementations (see above) and some Cisco PIX, I don't know of any issues related to this.
- Some Cisco PIX firewalls are reported to drop oversized packets. But I do not have any information about which versions do so or how to fix this.
- Before EDNS, DNS reverted to TCP based transactions if the reply exceeded 512 bytes. The only consequence of this is some extra IP packets on the network, and somewhat slower DNS. If the client asks a question where the server needs to send more than a 512 byte reply, it answers back that the client needs to retry over TCP.
- DNS tries to compress the packets. That is, each sequence of labels (the text between the dots) is only sent once in the packet. If you query for www.novell.no and get a reply back with lots of additional records, novell is only sent once in the packet. Additional records are records that you did not ask about, but which the DNS server thinks you will probably want to ask about later.
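To make the points in the list above concrete, here is an added example (not code from the original post) that builds the wire format described in RFC 2671 with Python's standard library only. It builds the same A query for www.novell.no with and without an EDNS0 OPT pseudo-RR, so the extra bytes EDNS adds can be measured directly; it then parses a constructed reply that carries an OPT record, uses compression pointers so that "novell.no" is only sent once, and exposes the TC (truncation) flag that tells a client to retry over TCP. The reply contents (the 192.0.2.10 address, the ns.novell.no name server, the 4096-byte advertised payload size) are constructed sample values, not real data.

```python
import struct

# Constructed example: EDNS0 OPT pseudo-RR, name compression and the TC flag,
# built by hand from the RFC 1035 / RFC 2671 wire format.

TYPE_A = 1
TYPE_NS = 2
TYPE_OPT = 41          # the OPT pseudo resource record type defined by EDNS0
CLASS_IN = 1
TC_BIT = 0x0200        # header flag: reply was truncated, retry over TCP


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, use_edns=False, udp_payload=4096, txid=0x1234):
    """Build a recursive A query; optionally append an EDNS0 OPT record."""
    arcount = 1 if use_edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    pkt = header + question
    if use_edns:
        # OPT RR: root name (1 byte), TYPE=41, CLASS=sender's max UDP payload
        # size, TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return pkt


def edns_overhead(qname):
    """Bytes the OPT record adds to an otherwise identical query (11 here)."""
    return len(build_query(qname, True)) - len(build_query(qname, False))


def read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # Compression pointer: 14-bit offset to an earlier copy of the suffix
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 127:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Summarise a reply: TC flag, EDNS capability, answers and authority RRs."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    info = {"truncated": bool(flags & TC_BIT), "edns": False,
            "udp_payload": 512, "answers": [], "authority": []}
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                      # QTYPE + QCLASS
    for count in (an, ns, ar):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_OPT:
                info["edns"] = True   # the CLASS field of OPT is the payload size
                info["udp_payload"] = rclass
            elif rtype == TYPE_A:
                info["answers"].append((name, ".".join(map(str, msg[off:off + 4]))))
            elif rtype == TYPE_NS:
                info["authority"].append((name, read_name(msg, off)[0]))
            off += rdlen
    return info


def build_sample_reply():
    """Constructed reply to the www.novell.no query from an EDNS-capable server."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1)  # QR, RD, RA
    question = encode_name("www.novell.no") + struct.pack("!HH", TYPE_A, CLASS_IN)
    # Answer owner name is a pointer to offset 12 (the question name)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
    # Authority owner and NS target both point to offset 16, where "novell.no" begins
    ns_rdata = b"\x02ns" + b"\xc0\x10"
    authority = b"\xc0\x10" + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, len(ns_rdata)) + ns_rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + answer + authority + opt


if __name__ == "__main__":
    print("plain query:", len(build_query("www.novell.no")), "bytes")
    print("EDNS query: ", len(build_query("www.novell.no", True)), "bytes")
    print(parse_response(build_sample_reply()))
```

Both queries stay far below the 512-byte limit, and the reply parser shows what a firewall or IPS would have to understand to judge an OPT record correctly: it is an ordinary-looking record in the additional section, with the payload size carried in the CLASS field rather than in a new header flag.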
EDNS - turn off in Windows 2003
You can't turn off EDNS in Windows 2003 - it will always reply as EDNS capable if the source includes EDNS in the original packet. To make sure you do not send out EDNS probes to all hosts on the Internet, you can make the following change in the registry. (By default this feature is disabled, and the registry key is not present.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
EnableEDNSProbes=0x0
External links:
- Report from Fortiguard center.
- RFC2671 - the original specification.
- Article from Microsoft that talks about how to install the tool dnscmd.exe.
- How to change EDNS settings in Windows 2003.