EDNS Padding in LibreDNS & RadicalDNS
Published on July 10, 2021 by Evaggelos Balaskas
A couple weeks ago, we received through community feedback a request to add EDNS Padding support to our DoH/DoT dns service: LibreDNS.
What is EDNS ?
We would rather not make this post too technical, but some technical detail is unavoidable. Extension Mechanisms for DNS (EDNS), if supported by both client & server, can add some additional features to the DNS service. The two most recognizable features are the larger size of DNS packets and the client's geographic location. The latter is useful for getting DNS responses from authoritative name servers that understand your location and reply with the services closest to the client. The resolver passes this information to the authoritative name server.
DNS responses ?
Not all DNS replies have equal size. To give you an example:
$ dig libreops.cc
;; Received 93 B
because you will get one reply with 4 IPs
$ dig libredns.gr
;; Received 45 B
libredns has only 1 IP so the reply is smaller in size.
okay, you get the idea of reply size.
The above queries were sent over UDP, which means cleartext (unencrypted).
When using a DoH/DoT service, the response size should be similar, as we depend on the transport layer for encryption.
$ kdig @126.96.36.199 +tls-ca +tls-host=dot.libredns.gr libredns.gr +noedns +nopadding
;; Received 45 B
But when we enable the EDNS option:
$ kdig @188.8.131.52 +tls-ca +tls-host=dot.libredns.gr libredns.gr +edns +nopadding
;; Received 56 B
You see it is a bit larger - but not that much.
What is EDNS Padding ?
The EDNS(0) padding option is used to pad queries, optionally to a specific size. That simply means:
- Oh Please dear DNS server, give me all the answers in a specific size.
- The answer is 56Bytes but I will give them to you in 468Bytes.
And now both LibreDNS & RadicalDNS support this feature !
Why is this important ?
This feature is really important because we "hide", we encapsulate all replies into a specific size. All the answers (if requested of course) should be 468Bytes.
A bad actor sniffing your network traffic can identify/profile some of your DNS queries even if the transport layer is encrypted. We already know that the libredns reply is 45B, and 56B with EDNS. That means a bad actor can document the size of all replies, then record and profile your DNS traffic!
By masquerading all the responses to the same size, e.g. 468 bytes, we can confuse any bad actor who tries to identify what you visit by guessing from the size of your DNS query.
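As an added illustration (not code from LibreDNS or from the original post), the sketch below builds DNS replies in wire format and reproduces the sizes discussed above: 45 B without EDNS, 56 B with EDNS, and 468 B once the Padding option fills the message up to a 468-byte block. The IP addresses, TTL, message ID and the 1232-byte UDP payload size are constructed sample values, and the function names are hypothetical.

```python
import struct

OPT_RR_TYPE = 41          # EDNS(0) OPT pseudo-record type
PADDING_OPTION_CODE = 12  # EDNS(0) Padding option code (RFC 7830)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(name, addrs, edns=False, pad_block=None):
    """Build the wire form of an A-record reply; pad_block enables EDNS padding."""
    # Header: id, flags (response, RD, RA), 1 question, N answers, 0 authority, ARCOUNT
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # question: type A, class IN
    for addr in addrs:
        # Compression pointer to the question name, then type, class, TTL, RDLENGTH
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(octet) for octet in addr.split("."))
    if not edns:
        return msg
    options = b""
    if pad_block:
        # After msg come 11 bytes of fixed OPT RR fields and a 4-byte option header;
        # the padding fills the remainder up to the next multiple of pad_block.
        pad_len = -(len(msg) + 11 + 4) % pad_block
        options = struct.pack("!HH", PADDING_OPTION_CODE, pad_len) + b"\x00" * pad_len
    # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, RDLENGTH
    return msg + b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 1232, 0, len(options)) + options

def observed_sizes(pad_block=None):
    """Reply sizes a passive observer would see for the two names used above."""
    replies = {  # constructed sample answers (documentation address range)
        "libredns.gr": ["192.0.2.1"],
        "libreops.cc": ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"],
    }
    return {n: len(build_response(n, a, edns=True, pad_block=pad_block))
            for n, a in replies.items()}

if __name__ == "__main__":
    print(len(build_response("libredns.gr", ["192.0.2.1"])))  # no EDNS
    print(observed_sizes())     # EDNS without padding: sizes differ per name
    print(observed_sizes(468))  # EDNS padding: both replies have the same size
```

Without padding the two names are distinguishable by length alone; with a 468-byte block both replies are indistinguishable in size.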
Do you want more info ?
If you want to read more on the subject, you can search the internet for
- An investigation on information leakage of DNS over TLS
and read the below RFC
If you have additional questions, please refer to our matrix channel.