EDNS Options Inspector
Inspect online EDNS options through DoH wireformat requests for OPT records, DNSSEC flags, NSID, padding, ECS behavior, and replay diagnostics.
Introduction:
Extension Mechanisms for DNS, usually called EDNS or EDNS(0), let DNS messages carry an OPT pseudo-record with extra capabilities. That envelope can advertise a UDP payload size, carry the DNSSEC OK bit, request resolver identity with NSID, add padding, include client-subnet information, or return extended error context.
EDNS details matter when a DNS answer changes between resolvers, DNSSEC records are missing, a privacy setting should suppress client subnet forwarding, or packet size and truncation need to be explained. The OPT record is not a normal DNS answer; it is negotiation and diagnostic context around the answer.
Resolvers are allowed to normalize, ignore, or withhold some options. An absent echo is therefore a policy clue, not automatically a failed query.
Technical Details:
EDNS(0) extends DNS without changing ordinary record types. The OPT pseudo-record carries extended RCODE bits, EDNS version, flags such as DO, UDP payload size, and zero or more typed options. Version 0 is the normal baseline; non-zero version behavior can indicate negotiation trouble.
The inspector sends browser-side DNS-over-HTTPS wireformat requests to Cloudflare or Google. Presets set the request profile: baseline OPT only, DNSSEC proof, resolver ID with NSID, privacy padded, ECS sample, or a custom request. Advanced inputs control UDP payload, timeout, DO and CD flags, NSID request, padding length, and ECS token.
| Option or flag | Meaning | Reading caution |
|---|---|---|
| UDP payload size | Advertised DNS message size the requestor can receive. | Resolvers may return a smaller value. |
| DO bit | Requests DNSSEC data where available. | No DNSSEC records can still be normal for the chosen name and type. |
| NSID | Asks the resolver to identify the answering server. | Many resolvers intentionally hide it. |
| Padding | Adds EDNS padding for traffic-size shaping. | Reply padding length can differ from request padding. |
| ECS | Conveys an EDNS Client Subnet prefix. | An echoed prefix may differ from the requested scope. |
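An added example, not the inspector's own code: assembling a query that carries the OPT pseudo-record with the flags and options from the table, then encoding it for a DoH GET request. The function names, the IPv4-only ECS parsing, and the use of 192.0.2.0/24 as the documentation prefix are assumptions of this example.

```javascript
// Option codes (IANA): NSID = 3, ECS = 8, Padding = 12.
const u16 = (n) => [(n >> 8) & 0xff, n & 0xff];

function encodeName(name) {
  const out = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    if (!/^[\x21-\x7e]{1,63}$/.test(label)) throw new Error("bad label");
    out.push(label.length, ...[...label].map((ch) => ch.charCodeAt(0)));
  }
  return [...out, 0];
}

// ECS option data for an IPv4 "a.b.c.d/len" token, or null when the token is invalid.
function ecsData(token) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(token || "");
  if (!m) return null;
  const [a, b, c, d, len] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255) || len > 32) return null;
  const addr = [a, b, c, d].slice(0, Math.ceil(len / 8)); // only the prefix bytes are sent
  if (len % 8) addr[addr.length - 1] &= 0xff << (8 - (len % 8)); // zero bits past the prefix
  return [...u16(1), len, 0, ...addr]; // family 1 = IPv4, scope prefix 0 in queries
}

function buildQuery(name, qtype, o = {}) {
  const { payload = 1232, doBit = false, cd = false, nsid = false, padding = 0, ecs = null } = o;
  const opts = [];
  if (nsid) opts.push(...u16(3), ...u16(0)); // empty NSID asks the server to identify itself
  const e = ecsData(ecs);
  if (e) opts.push(...u16(8), ...u16(e.length), ...e); // invalid token: no ECS option is sent
  if (padding > 0) opts.push(...u16(12), ...u16(padding), ...new Array(padding).fill(0));
  // Header: ID 0, RD set (plus CD if asked), one question, one additional record (the OPT).
  const header = [...u16(0), ...u16(0x0100 | (cd ? 0x0010 : 0)), ...u16(1), ...u16(0), ...u16(0), ...u16(1)];
  const question = [...encodeName(name), ...u16(qtype), ...u16(1)];
  // OPT RR: root name, TYPE 41, CLASS = UDP payload, TTL = ext-RCODE, version, flags (DO = 0x8000).
  const opt = [0, ...u16(41), ...u16(payload), 0, 0, ...u16(doBit ? 0x8000 : 0),
               ...u16(opts.length), ...opts];
  return Uint8Array.from([...header, ...question, ...opt]);
}

// base64url without padding, the form used for the "dns" parameter of a DoH GET.
function dohParam(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
```

Calling `buildQuery("example.com", 1, { doBit: true, nsid: true, padding: 8, ecs: "192.0.2.0/24" })` yields a 67-byte message whose OPT record starts at offset 29.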
The option ledger compares what was requested with what came back. It also reports HTTP transport status, DNS RCODE, request and response sizes, header flags, answer mix, authority mix, additional-section records, and replay commands for curl, kdig, and dig.
Extended DNS Error option 15 can add resolver policy context beyond the base RCODE. When present, it should be read as resolver-supplied context, not as a universal authoritative statement about the domain.
Everyday Use & Decision Guide:
Use Baseline OPT only when you first want to know whether the resolver returns an OPT envelope. Switch to DNSSEC proof when the question is DO behavior, Resolver ID for NSID, Privacy padded for padding, and ECS sample for client-subnet echo behavior.
- Keep the default 1232-byte payload unless you are testing a specific size boundary.
- Use the documentation ECS prefix only as a behavior probe, not as a real client-location signal.
- Read EDNS Option Ledger before trusting the headline summary.
- Copy the exact curl replay when another engineer needs to reproduce the same wireformat request.
A clean NOERROR with missing options can still be a useful result. It tells you the DNS answer worked but the resolver did not return the requested option data.
Step-by-Step Guide:
- Enter a hostname or URL in Name; the tool normalizes it to a host-like DNS name.
- Select Record type and resolver.
- Choose an EDNS profile or set payload, flags, NSID, padding, and ECS token manually.
- Run the inspection and read EDNS Brief for response code, packet size, and OPT presence.
- Use Option Ledger, Packet Sections, and replay commands for deeper diagnosis.
If the ECS token is invalid, the request uses no ECS option until the token is corrected to a valid IPv4 or IPv6 prefix.
Interpreting Results:
OPT missing means the response did not include EDNS evidence, even if the DNS answer itself succeeded. Header-only EDNS means the envelope was visible but requested options did not echo. Option echo means each requested option code appeared in the response.
The Response code and section tables explain the DNS result, while the option ledger explains EDNS negotiation. Keep those readings separate when troubleshooting.
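An added example, not the inspector's own code: locating the OPT pseudo-record in a wireformat response and deriving the readings described above from it. The function names and the sample response bytes are constructed for this example, and "Partial echo" is this example's own label for the case where only some requested options come back.

```javascript
const rd16 = (b, i) => (b[i] << 8) | b[i + 1];

// Skip a (possibly compressed) domain name; returns the offset just past it.
function skipName(b, i) {
  while (i < b.length && b[i] !== 0) {
    if ((b[i] & 0xc0) === 0xc0) return i + 2; // a compression pointer ends the name
    i += 1 + b[i];
  }
  return i + 1;
}

// Returns the parsed OPT record, or null when the response carries none.
function parseOpt(b) {
  let i = 12;
  for (let q = rd16(b, 4); q > 0; q--) i = skipName(b, i) + 4;
  for (let n = rd16(b, 6) + rd16(b, 8) + rd16(b, 10); n > 0; n--) {
    i = skipName(b, i);
    if (i + 10 > b.length) throw new Error("truncated record");
    const type = rd16(b, i), rdlen = rd16(b, i + 8);
    if (type === 41) {
      // CLASS holds the UDP payload size; TTL holds ext-RCODE, version, flags.
      const opt = { payload: rd16(b, i + 2), extRcode: b[i + 4], version: b[i + 5],
                    doBit: (b[i + 6] & 0x80) !== 0, options: new Map() };
      for (let p = i + 10, end = p + rdlen; p + 4 <= end; p += 4 + rd16(b, p + 2)) {
        opt.options.set(rd16(b, p), b.slice(p + 4, p + 4 + rd16(b, p + 2)));
      }
      return opt;
    }
    i += 10 + rdlen;
  }
  return null;
}

// Maps requested option codes and the parsed OPT to one of the readings.
function ednsReading(requested, opt) {
  if (!opt) return "OPT missing";
  const echoed = requested.filter((code) => opt.options.has(code));
  if (echoed.length === 0) return "Header-only EDNS";
  return echoed.length === requested.length ? "Option echo" : "Partial echo";
}

// One ledger row per requested code: bytes returned, or null when not echoed.
const ledger = (requested, opt) => requested.map((code) => ({
  code, returnedBytes: opt && opt.options.has(code) ? opt.options.get(code).length : null }));

// Constructed response: example.com A, one answer, OPT with NSID "test" and 6 padding bytes.
const SAMPLE_HEX = "000081800001000100000001076578616d706c6503636f6d0000010001" +
  "c00c000100010000012c0004c0000201" + "00002904d0000080000012" +
  "0003000474657374" + "000c0006000000000000";
const SAMPLE = Uint8Array.from(SAMPLE_HEX.match(/../g), (h) => parseInt(h, 16));
```

With the sample, a request for NSID (3), ECS (8) and padding (12) reads as a partial echo, because the constructed response returns NSID and padding but no ECS option.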
Worked Examples:
For a DNSSEC check on a signed domain, select DNSSEC proof and an A or DNSKEY query. A NOERROR response with DO on and DNSSEC-related records in the answer or authority section shows that the DO path returned useful DNSSEC material.
For resolver identity, select Resolver ID. If NSID is not returned, record that as resolver policy rather than a broken DNS answer, then use the replay command if you need CLI confirmation.
For privacy padding, select Privacy padded. If padding comes back with a different byte length, the useful output is the response option value, because the resolver chooses its own response shaping.
FAQ:
Why use DNS-over-HTTPS for EDNS inspection?
The inspector can send wireformat DNS messages from the browser to supported DoH endpoints while preserving raw OPT details for display.
Does an ECS echo reveal my real subnet?
The preset uses a documentation prefix. A custom ECS token is sent as entered, so use only prefixes you intend to test.
Is an absent NSID a failure?
No. Many public resolvers do not reveal NSID. Treat absence as a policy result unless the replay also shows packet failure.
Glossary:
- OPT pseudo-record: The EDNS carrier record used for payload size, flags, and options.
- DO bit: DNSSEC OK, a request flag for DNSSEC records.
- ECS: EDNS Client Subnet, an option that can influence location-aware answers.