Enable EDNS Padding in PowerDNS recursor
Why EDNS Padding?
By enabling this option, we protect users by padding every reply to 468 bytes, thus "hiding" the real response size.
In the first dig, we see that when requesting padding while offering the EDNS option, the response is 56 bytes. In the second dig, we see that the answer is hidden in a 468-byte reply.
As the UDP packets are 512 bytes, we do not fragment the response. 468 bytes is the largest reply size, as we also need to add the reply headers in the UDP packet.
Without EDNS Padding
$ kdig @88.198.92.222 example.com +padding +edns
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35845
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 35605 IN A 93.184.216.34
;; Received 56 B
;; Time 2021-07-09 12:33:20 EEST
;; From 88.198.92.222@53(UDP) in 71.4 ms
reply:
Received 56 B
With EDNS Padding
$ kdig @88.198.92.222 example.com +padding +edns
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 54705
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 408 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 86400 IN A 93.184.216.34
;; Received 468 B
;; Time 2021-07-09 12:37:27 EEST
;; From 88.198.92.222@53(UDP) in 167.2 ms
reply:
Received 468 B
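The size arithmetic behind the two outputs above (56 B reply + 4 B option header + 408 B padding = 468 B), as an added example that is not part of the original post or of PowerDNS. The function names and the sample reply are constructed for illustration, and the sketch assumes the OPT record is the last record in the message.

```python
import struct

PADDING_OPTION_CODE = 12  # EDNS(0) Padding option code (RFC 7830)
BLOCK_SIZE = 468          # reply size shown on the page

def build_sample_response():
    """Constructed 56-byte reply: example.com A record plus an empty OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes([93, 184, 216, 34])
    opt = b"\x00" + struct.pack("!HHIH", 41, 512, 0, 0)  # UDP size 512, no options
    return header + question + answer + opt

def skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:            # root label ends the name
            return pos

def find_opt(msg):
    """Return (offset of the OPT RR's RDLENGTH field, RDLENGTH), or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 41:                        # OPT pseudo-record
            return pos + 8, rdlen
        pos += 10 + rdlen
    return None

def pad_response(msg, block=BLOCK_SIZE):
    """Append a Padding option so the message length is a multiple of block."""
    found = find_opt(msg)
    if found is None:
        return msg  # no OPT RR: the query did not use EDNS, nothing to pad
    off, rdlen = found
    if off + 2 + rdlen != len(msg):
        raise ValueError("this sketch assumes the OPT RR is the last record")
    pad_len = -(len(msg) + 4) % block  # 4 = option code + option length fields
    option = struct.pack("!HH", PADDING_OPTION_CODE, pad_len) + bytes(pad_len)
    return msg[:off] + struct.pack("!H", rdlen + len(option)) + msg[off + 2:] + option
```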