Skip to content

Implement sensible default EDNS(0) padding policy.

At NDSS 2017's DNS privacy workshop, I presented an empirical study of DNS padding policies:

https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme#session3

The slide deck is here: https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf

The resulting recommendation from the research is that a simple padding policy is relatively cheap and still protective of metadata when DNS traffic is encrypted:

  • queries should be padded to a multiple of 128 octets
  • responses should be padded to a multiple of 468 octets

Since future research could propose even better policies, and future DNS traffic characteristics might evolve, I've implemented this recommendation as a new function in libknot: knot_edns_default_padding_size()

This changeset also modifies kdig to use this padding policy by default when doing queries over TLS, and defines +padding (with no argument) as a kdig option that forces the use of the default padding policy.

With this changeset, any libknot user who wants to use "a sensible DNS padding policy" can just rely on the library; this means that if a better padding policy is determined in the future, it can be distributed to all users by upgrading libknot.

Merge request reports