Welcome

EDNS-PING is an option within the EDNS DNS framework which allows nameservers to protect themselves from certain "spoofing" attacks.

By default, responses to DNS questions are matched to their questions by checking that they share the same DNS transaction ID and the same network endpoints (source and destination IP addresses and ports).

In certain scenarios, it may be feasible for an external attacker to inject forged responses that nevertheless satisfy the matching criteria outlined above.

This problem would not occur if the DNS transaction ID had not been limited to 65536 distinct values.

EDNS-PING in effect allows for a far longer DNS transaction ID, making it infeasible for an external attacker to inject "fake" responses.
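As an added illustration (not code from this site or from any EDNS-PING implementation), the Python sketch below builds a query that carries a 16-byte ping value in its EDNS OPT record and shows the resolver-side check: a response is accepted only when endpoints, transaction ID and echoed ping value all match, so a forged answer that merely guesses the 16-bit transaction ID is still rejected. The option code used is an assumed placeholder from the private-use range, not the value from the draft.

```python
import struct

OPT_RR_TYPE = 41          # EDNS0 OPT pseudo-RR type
PING_OPTION_CODE = 65001  # assumed placeholder in the private-use range; the real code is not on this page

def skip_name(msg, off):  # offset just past a wire-format name (labels or compression pointer)
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # pointer: two bytes and the name ends
            return off + 2
        off += 1 + msg[off]
    return off + 1

def opt_rr(nonce):  # OPT pseudo-RR (root name, 4096-byte UDP size) carrying one ping option
    option = struct.pack(">HH", PING_OPTION_CODE, len(nonce)) + nonce
    return b"\x00" + struct.pack(">HHIH", OPT_RR_TYPE, 4096, 0, len(option)) + option

def build_query(txid, qname, nonce):  # type A query; the ping value rides in the additional section
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack(">HH", 1, 1) + opt_rr(nonce)

def build_response(query, ip, nonce):  # one A record; nonce is the ping value the responder echoes
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:skip_name(query, 12) + 4] + answer + opt_rr(nonce)

def find_ping(msg):  # walk every section; return the ping option payload from the OPT RR, or None
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        o = 0
        while rtype == OPT_RR_TYPE and o + 4 <= len(rdata):
            code, ln = struct.unpack(">HH", rdata[o:o + 4])
            if code == PING_OPTION_CODE:
                return rdata[o + 4:o + 4 + ln]
            o += 4 + ln
    return None

def response_matches(query, response, query_endpoint, response_endpoint):
    # Resolver-side check: endpoints, transaction ID and ping value must all agree.
    if query_endpoint != response_endpoint or query[:2] != response[:2]:
        return False
    nonce = find_ping(query)
    return nonce is not None and find_ping(response) == nonce
```

The sample endpoints and the 16-byte ping values used when exercising these functions are constructed; a real resolver would draw the ping value from a cryptographic random source per query.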

It should be noted that EDNS-PING offers no protection against in-line (on-path) attackers with the ability not only to inject responses, but to modify existing ones, or to intercept questions and inject tailored responses.

This website contains information on the EDNS-PING standardisation status, which DNS implementations support EDNS-PING, and which third-party patches are available to add support.