The EDNS(0) Padding Option

"Padding" is EDNS(0) Option code 12, and is used to pad DNS messages (queries as well as responses) to a desired size.

Padding is used in situations where the DNS traffic is encrypted, but size based correlation of encrypted DNS messages could still be used to reconstruct the original query and response information. Padding DNS messages makes it harder to apply size based correlation with known unencrypted messages

The EDNS(0) "Padding" Option was specified by the IETF "dprive" working group, and published in RFC 7830. Subsequently, Padding Policies were described in RFC 8467

• Read the RFC
• Implementations
• Read the "Padding Policies" RFC

News

• 2018-10-13: RFC 8467 is published, specifying Padding Policies for EDNS(0).
• 2018-04-13: The Developer Preview of Android P supports DNS over TLS, and applies Block-Length Padding to 128 bytes.
• 2018-01-17: A new revision of the EDNS(0) Padding Policy draft was submitted to the IETF DPRIVE working group. The document subsequently went to "Working Group Last Call", and will hopefully become an RFC over the next few months.
• 2017-09-13: BIND 9.12.0 will support EDNS0 padding - see the release notes
• 2017-01-25: Knot Resolver (v1.2.0) now supports EDNS Padding out of the box - see the release notes
• 2016-12-05: First working group revision of Padding Policy for EDNS(0) is published. This is essentially a 1:1 copy of the previous individual draft (under a new name).
• 2016-12-02: The Padding Profiles draft was accepted as a working group item in the DPRIVE working group of the IETF.
• 2016-11-12: Stubby, a special mode of getdns to act as a local DNS-over-TLS, is released.
• 2016-10-31: Padding Profiles for EDNS(0) (a new internet draft in the IETF) describes strategies regarding the actual size of EDNS0 Padding
• 2016-09-20: A proposal for DNS over HTTP in the IETF mentions DNS padding to normalize length of queries.
• 2016-08-09: Version 2.3.0 of Knot (Release Notes) now contains kdig with padding support out of the box.
• 2016-06-18: EDNS Padding support was added to kdig, the "dig" equivalent of the Knot Resolver
• 2016-05-17: The specification of DNS over TLS (RFC 7858) cites and discusses EDNS0 padding in it's security considerations section.
• 2016-05-12: The experimental DNS client digit contains support for Padding.
• 2016-05-10: RFC 7830 was published by the RFC Editor.