Introduction

DNS troubleshooting often starts with the answer record, but the answer alone can hide how the request was negotiated. Extension Mechanisms for DNS, usually shortened to EDNS or EDNS(0), add a control envelope to a DNS message so a requester and responder can exchange capability clues without changing the meaning of the domain name itself.

The EDNS envelope is carried in an OPT pseudo-record. It is not an A, AAAA, MX, TXT, DNSKEY, or DS record for the domain. It is extra message metadata that can advertise a UDP response size, signal DNSSEC OK, carry option data, and extend response-code space when the older DNS header is too small for modern resolver behavior.

Payload size
The response size the requester says it can receive over UDP for that exchange.
DO bit
The DNSSEC OK flag, used to ask for DNSSEC records when they are relevant to the selected name and type.
Option code
A numbered EDNS extension such as NSID, EDNS Client Subnet, Padding, Cookie, or Extended DNS Error.
Resolver policy
The resolver's choice to return, omit, normalize, or rewrite optional EDNS data in a response.

Several practical DNS questions depend on those details. DNSSEC material can make responses larger. Anycast resolver pools may hide which node answered a query unless NSID is honored. Encrypted DNS deployments may use padding to reduce message-size clues. Location-sensitive answers can be affected by EDNS Client Subnet, where a shortened network prefix may be sent or echoed instead of a full address.

Diagram: EDNS in one DNS exchange. The question (name + type) and the OPT record (payload, flags, options) are sent to the DoH resolver as a wire-format DNS query; the wire-format DNS reply is decoded into a packet view showing the RCODE, OPT fields, sections, and replay commands.

EDNS is negotiated for one DNS exchange, not permanently for a domain. A resolver can return a perfectly valid answer while omitting an OPT record, declining NSID, trimming padding, or not echoing an ECS prefix. That difference may reflect resolver policy, cache state, anycast routing, message-size limits, or the exact record type being queried.

A useful EDNS reading keeps the DNS response code, returned OPT record, option rows, packet sections, and replay evidence together. Treat one run as evidence for a selected resolver path at a particular moment, then repeat the same query elsewhere before turning it into a domain-level conclusion.

How to Use This Tool:

Set up one DNS probe, send it to a selected public resolver, then compare the requested EDNS envelope with the decoded response.

  1. Enter Domain as a host, email-like host fragment, or URL. The input is reduced to a hostname before lookup; blank input stops with the message "Enter a domain or hostname before inspecting EDNS options."
  2. Choose Record type. Use A or AAAA for address behavior, TXT, MX, CAA, NS, SOA, or HTTPS for service records, and DNSKEY or DS for DNSSEC-oriented probes.
  3. Select Resolver path. Cloudflare 1.1.1.1, Google Public DNS, and Quad9 can answer the same EDNS request differently, so keep this field fixed when you are testing one option and change it only when resolver policy is the question.
  4. Pick an EDNS request preset. Baseline OPT only sends the envelope without optional EDNS payload data. DNSSEC proof turns on DO. Resolver ID requests NSID. Privacy padded adds padding and a broad ECS token. ECS sample uses a documentation-prefix client subnet.
    Keep the preset fixed while you compare resolver paths, or keep the resolver fixed while you compare presets. Changing both at once makes the ledger harder to interpret.
  5. Open Advanced when you need exact request values. UDP payload is bounded from 512 to 4096 bytes, Request timeout from 2000 to 12000 ms, Padding from 0 to 512 bytes, and ECS token must be an IPv4 or IPv6 prefix such as 203.0.113.0/24 or 2001:db8::/32.
    A malformed ECS token stops before the request is sent. Use IPv4 prefixes from /0 to /32 or IPv6 prefixes from /0 to /128.
  6. Click Inspect OPT. The status text should move through packet building, resolver send, and OPT parsing. If an input warning appears, fix the value and rerun the same request shape before interpreting the ledger.
  7. Start with Negotiation Brief for the headline, then read OPT Ledger for request-versus-response detail. Use Packet Sections to confirm actual DNS records, Replay Kit for follow-up commands, and JSON when you need the full structured result. For repeat tests, change one variable at a time.

Interpreting Results:

Read the transport result, DNS response code, and EDNS evidence as separate facts. HTTP transport tells you whether the DNS-over-HTTPS exchange returned a response. Response code describes the DNS message. OPT Ledger explains whether the EDNS envelope and requested option codes appeared in the reply.

EDNS inspector result patterns and follow-up checks
Result pattern What it means Best follow-up
OPT missing The response did not include a visible OPT pseudo-record. Replay the same request and compare a second resolver before treating it as a domain fault.
EDNS visible An OPT record returned when no optional EDNS payload data was requested. Use this as a baseline before adding NSID, ECS, padding, DO, or CD.
Header-only EDNS The response kept the OPT envelope but did not echo requested option codes. Check each requested option row; public resolvers often suppress optional echoes by policy.
Partial echo At least one requested option returned and at least one did not. Compare NSID, ECS, and padding rows independently instead of relying on the headline.
Option echo Every requested option code appeared in the response. Read returned values because ECS scope and padding length may still differ from the request.
Non-zero EDNS version or BADVERS The resolver is signaling EDNS version trouble or extended response-code context. Repeat with Baseline OPT only and keep replay output with the packet rows.

Do not overread a clean headline. NOERROR with OPT returned proves that one resolver path produced a decodable EDNS response, not that every resolver, cache, or authoritative hop will behave the same way. NSID identifies an answering node only when returned. ECS describes a prefix and scope in the DNS exchange, not a person's exact location. Padding changes message size handling but does not guarantee privacy by itself.

When the result will be shared with another engineer, keep Query target, Resolver, Response code, Header flags, the matching OPT Ledger rows, and one Replay Kit command together.

Technical Details:

EDNS(0) extends the DNS wire format with an OPT pseudo-record, DNS RR type 41, placed in the additional section. The OPT record uses its class field to advertise UDP payload size and uses parts of its TTL field for extended RCODE bits, the EDNS version, and EDNS flags. Version 0 is the normal deployed version.

The OPT record is hop-by-hop. A stub-to-recursive exchange, a recursive-to-authoritative exchange, and a DNS-over-HTTPS exchange can each negotiate different EDNS details. That is why an EDNS inspection should be read as evidence for the selected resolver path, selected record type, and selected request shape.

Rule Core

The governing rule is a request-and-response comparison. The meaningful question is not only whether the DNS answer exists, but whether the EDNS envelope and requested option codes returned in the decoded packet.

EDNS OPT fields and interpretation rules
EDNS item Wire location or code Technical meaning Reading rule
OPT record RR type 41 in the additional section Control envelope for EDNS metadata in one DNS message. Returned confirms visible EDNS evidence. Missing means the DNS answer can still be valid while EDNS detail is absent.
UDP payload size OPT class field Advertises the largest UDP response size the requester is prepared to receive. A smaller returned value means the responder advertised a tighter response ceiling than the request asked for.
EDNS version OPT TTL field Identifies the EDNS version used for negotiation. 0x0 is expected for EDNS(0). A non-zero value deserves compatibility review.
DO bit EDNS flag Requests DNSSEC data when the selected name and type can return it. DO on without DNSSEC records can still be normal for a name, type, resolver, or cache state.
CD flag DNS header flag Requests checking disabled so resolver validation behavior can be compared. Compare CD off and on before blaming a DNSSEC validation symptom on the domain alone.
Extended response code DNS header plus OPT extended RCODE bits Adds response-code space beyond the original DNS header. BADVERS and other extended meanings should be kept with the replay evidence.

Option data is separate from the OPT record header. The request can include NSID, EDNS Client Subnet, and Padding. The decoded response may also expose other registered option codes, including Cookie, TCP keepalive, Key Tag, Extended DNS Error, Client Tag, Server Tag, or Report Channel when a resolver returns them.

EDNS options and decoded result cues
Option Code Request behavior Decoded result cue
NSID 3 Sends an empty request option asking the answering resolver or name server to identify itself. A returned value may be readable text or hex. Absence is often policy, not failure.
EDNS Client Subnet 8 Sends a valid IPv4 or IPv6 prefix such as 203.0.113.0/24, 2001:db8::/32, or 0.0.0.0/0. Read the echoed address, source prefix, and scope prefix; do not assume the request token was forwarded unchanged.
Padding 12 Adds zero padding bytes to the request when the selected value is greater than zero. Response padding can be absent or a different length because the resolver chooses its own response shaping.
Extended DNS Error 15 Not requested directly by the controls, but decoded when returned. Can add resolver policy or failure context beyond the base response code.
Cookie, TCP keepalive, Key Tag, Client Tag, Server Tag, Report Channel 10, 11, 14, 16, 17, 18 Not generated by the presets. Returned values are labeled as decoded text, hex, timeouts, tags, or empty values where possible.
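As an added example that is not the tool's own code, the following shows how the option codes above are laid out on the wire, including the EDNS Client Subnet truncation that explains why a shortened prefix rather than a full address is sent; function and constant names are assumptions.

```javascript
// Added example (not the tool's own code): encode the EDNS Client Subnet option
// from a token like 203.0.113.0/24 and pack/unpack the OPT option section.
// Option codes are the IANA values the page lists: NSID 3, ECS 8, Padding 12.
const OPTION = { NSID: 3, ECS: 8, PADDING: 12 };
// Expand an IPv6 text address (with optional "::" compression) into 16 bytes.
function parseIpv6(text) {
  const parts = text.split("::");
  if (parts.length > 2) throw new Error("bad IPv6 address");
  const h = parts[0] ? parts[0].split(":") : [], t = parts[1] ? parts[1].split(":") : [];
  if (h.length + t.length > 8 || (parts.length === 1 && h.length !== 8)) throw new Error("bad IPv6 address");
  const groups = [...h, ...Array(8 - h.length - t.length).fill("0"), ...t].map(g => parseInt(g, 16));
  if (groups.some(g => !(g >= 0 && g <= 0xffff))) throw new Error("bad IPv6 address");
  return groups.flatMap(g => [g >> 8, g & 0xff]);
}
// ECS OPTION-DATA (RFC 7871): FAMILY(2) | SOURCE PREFIX-LENGTH(1) | SCOPE PREFIX-LENGTH(1) |
// ADDRESS truncated to ceil(prefix/8) octets, with bits past the prefix zeroed.
function encodeEcs(token) {
  const m = /^([^/\s]+)\/(\d{1,3})$/.exec(token.trim());
  if (!m) throw new Error("ECS token must be an IP/prefix pair such as 203.0.113.0/24");
  const prefix = Number(m[2]);
  const isV4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(m[1]);
  const addr = isV4 ? m[1].split(".").map(Number) : parseIpv6(m[1]);
  if (isV4 && addr.some(o => o > 255)) throw new Error("bad IPv4 address");
  if (prefix > (isV4 ? 32 : 128)) throw new Error(`prefix must be /0 to /${isV4 ? 32 : 128}`);
  const octets = Math.ceil(prefix / 8);
  const data = Uint8Array.from([0, isV4 ? 1 : 2, prefix, 0, ...addr.slice(0, octets)]);
  if (prefix % 8) data[3 + octets] &= (0xff << (8 - (prefix % 8))) & 0xff;
  return data;
}
// Option section wire format: OPTION-CODE(2) | OPTION-LENGTH(2) | OPTION-DATA
function encodeOptions(options) {
  const out = [];
  for (const { code, data } of options) {
    out.push(code >> 8, code & 0xff, data.length >> 8, data.length & 0xff, ...data);
  }
  return Uint8Array.from(out);
}
// Walk a returned OPT RDATA and recover the option codes and their data.
function decodeOptions(rdata) {
  const options = [];
  for (let i = 0; i < rdata.length; ) {
    if (i + 4 > rdata.length) throw new Error("truncated EDNS option header");
    const code = (rdata[i] << 8) | rdata[i + 1], len = (rdata[i + 2] << 8) | rdata[i + 3];
    if (i + 4 + len > rdata.length) throw new Error("truncated EDNS option data");
    options.push({ code, data: rdata.slice(i + 4, i + 4 + len) });
    i += 4 + len;
  }
  return options;
}
// A request carrying all three options the page's controls can add: NSID (empty), ECS, Padding.
function buildRequestOptions(ecsToken, paddingBytes) {
  const options = [{ code: OPTION.NSID, data: new Uint8Array(0) }, { code: OPTION.ECS, data: encodeEcs(ecsToken) }];
  if (paddingBytes > 0) options.push({ code: OPTION.PADDING, data: new Uint8Array(paddingBytes) });
  return encodeOptions(options);
}
```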

Mechanism Walkthrough

  1. The entered host is normalized from a host, URL, bracketed address, or email-like value into a DNS name to query.
  2. The selected record type and EDNS settings are encoded into a DNS wire-format query with recursion desired, an additional-section OPT record, and any requested option codes.
  3. The wire-format query is sent to the selected DNS-over-HTTPS resolver with a timeout, and the byte response is decoded back into DNS header flags, answer records, authority records, additional records, and EDNS options.
  4. The result compares requested EDNS items with returned EDNS items, then summarizes the finding as missing OPT, visible EDNS, header-only EDNS, partial echo, or option echo.
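The comparison in step 4, together with the OPT header fields described under Technical Details, as an added example (not the tool's own code); the reply objects are constructed samples and the function names are assumptions.

```javascript
// Added example (not the tool's own code): unpack the OPT header fields that
// RFC 6891 stores in the TTL, then grade a reply with the page's result patterns.
const RCODE_BADVERS = 16;
// OPT TTL layout: EXTENDED-RCODE (8 bits) | VERSION (8 bits) | DO (1 bit) | Z (15 bits)
function decodeOptTtl(ttl) {
  return {
    extRcode: (ttl >>> 24) & 0xff,
    version: (ttl >>> 16) & 0xff,
    doBit: ((ttl >>> 15) & 1) === 1,
  };
}
// Full 12-bit response code: upper 8 bits from the OPT record, lower 4 from the DNS header.
function fullRcode(headerRcode, optTtl) {
  return (decodeOptTtl(optTtl).extRcode << 4) | (headerRcode & 0x0f);
}
// requestedCodes: option codes placed in the query.
// response: { headerRcode, opt: null | { ttl, optionCodes } } as decoded from the reply.
function classify(requestedCodes, response) {
  if (!response.opt) return "OPT missing";
  const { version } = decodeOptTtl(response.opt.ttl);
  if (version !== 0 || fullRcode(response.headerRcode, response.opt.ttl) === RCODE_BADVERS) {
    return "Non-zero EDNS version or BADVERS";
  }
  if (requestedCodes.length === 0) return "EDNS visible";
  const echoed = requestedCodes.filter(c => response.opt.optionCodes.includes(c));
  if (echoed.length === 0) return "Header-only EDNS";
  if (echoed.length < requestedCodes.length) return "Partial echo";
  return "Option echo";
}
// Constructed sample replies (not captured traffic).
const replies = {
  noOpt: { headerRcode: 0, opt: null },
  baseline: { headerRcode: 0, opt: { ttl: 0x00008000, optionCodes: [] } },      // DO set, no options
  nsidOnly: { headerRcode: 0, opt: { ttl: 0x00000000, optionCodes: [3] } },     // NSID echoed
  badvers: { headerRcode: 0, opt: { ttl: 0x01000000, optionCodes: [] } },       // ext RCODE 1 -> 16
};
```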

EDNS inspector validation and boundary rules
Input or setting Accepted values Boundary behavior
Domain Host or URL-like value that can be reduced to a hostname. Blank input stops the inspection before any resolver request.
Record type A, AAAA, MX, TXT, NS, SOA, CAA, HTTPS, DS, or DNSKEY. The selected type changes the answer mix and the DNSSEC evidence that may appear.
UDP payload 512 to 4096 bytes. Out-of-range values are clamped before the DNS packet is built.
Request timeout 2000 to 12000 ms. A slow or unreachable resolver reports a timeout after the selected delay.
Padding 0 to 512 bytes. Zero omits padding. Positive values add an EDNS Padding option to the request.
ECS token IPv4 prefix /0 to /32 or IPv6 prefix /0 to /128. Malformed tokens stop the run with an IP/prefix error.

Formula Core is not used because this is a standards and packet-inspection workflow rather than a deterministic numeric calculator. The core mechanism is rule-based comparison between requested DNS message features and returned DNS message features.

Limitations and Privacy Notes:

Each run sends the normalized domain, selected record type, chosen public resolver, EDNS flags, UDP payload size, and any requested NSID, padding, or ECS token to the selected DNS-over-HTTPS resolver. Use documentation prefixes or broad ECS tokens when you only need behavior evidence, and avoid sending a real client subnet unless the test requires it.

Resolver answers can change with cache state, anycast routing, resolver policy, and response normalization. One result is useful evidence for the selected path and moment, not proof that every public resolver or authoritative DNS path behaves the same way.

The DNS query itself is built in the browser and sent to the selected resolver. If the DNS packet encoder does not load, the inspection stops before a resolver request is sent and shows an encoder error.

Worked Examples:

Baseline address probe

Enter example.com, choose A, keep Resolver path on Cloudflare 1.1.1.1, and use Baseline OPT only. If Response code is NOERROR and OPT record is Returned, the result is a baseline EDNS exchange for that resolver. Keep Request size, Response size, and Additional mix with the baseline before testing optional EDNS features.

DNSSEC proof check

For a DNSSEC-oriented run, enter a signed domain, choose DNSKEY or DS, and select DNSSEC proof. A useful response has DO bit requested, OPT record returned, and DNSSEC-related types in Answer mix, Authority mix, or Packet Sections. If DO is on but no DNSSEC records appear, repeat with the same settings on another resolver before treating the zone as the cause.

ECS and padding comparison

Use Custom, set ECS token to 203.0.113.0/24, and set Padding to 128. The Client subnet (8) row shows whether a prefix came back and what scope was returned. The Padding (12) row may show a different response length or no returned padding, which is resolver behavior rather than a malformed request by itself.

Invalid client-subnet input

Entering 203.0.113.0/33 in ECS token stops with the message "ECS token must be an IP/prefix pair such as 203.0.113.0/24 or 0.0.0.0/0." because IPv4 prefixes end at /32. Changing it to 203.0.113.0/24 lets the probe proceed and moves the evidence into the OPT Ledger.

FAQ:

Why can HTTP success still show a DNS error?

HTTP status describes the DNS-over-HTTPS transport. The DNS message inside that response can still report NXDOMAIN, SERVFAIL, BADVERS, or another DNS response code.

Does missing NSID mean the resolver failed?

No. NSID is optional, and many resolvers choose not to reveal node identity even when Request NSID is on.

Should I use Cloudflare, Google, or Quad9?

Use the resolver that matches the behavior you need to inspect. When policy differences matter, run the same Domain, Record type, and EDNS settings across all three resolver paths.

Why did padding not come back at the same length?

The Padding value affects the request. A resolver may omit response padding, return a different padding length, or apply its own size policy.

What should I do after an ECS token error?

Check that the value is an IP address followed by a prefix, such as 203.0.113.0/24 for IPv4 or 2001:db8::/32 for IPv6. IPv4 prefixes must be /0 to /32, and IPv6 prefixes must be /0 to /128.

Which replay command should I share?

Use the curl replay when the exact DNS wire message matters. Use kdig replay or dig replay when another engineer wants a familiar DNS command and has local command support for the selected EDNS options.

Glossary:

EDNS(0)
Extension Mechanisms for DNS version 0, the deployed DNS extension envelope for larger messages, extra flags, and option data.
OPT pseudo-record
The additional-section record that carries EDNS payload size, version, flags, and options for one DNS exchange.
DoH
DNS-over-HTTPS, a way to send DNS wire-format messages inside HTTPS requests and responses.
DO bit
DNSSEC OK, an EDNS flag that asks for DNSSEC data when it is relevant to the selected name and type.
CD flag
Checking Disabled, a DNS header flag used when comparing resolver DNSSEC validation behavior.
NSID
Name Server Identifier, an EDNS option that lets an answering resolver or name server identify itself when policy allows.
ECS
EDNS Client Subnet, an option carrying a shortened IPv4 or IPv6 client network prefix and scope information.
EDE
Extended DNS Error, an EDNS option that can add resolver policy or failure context beyond the base DNS response code.
