Introduction
How many phone numbers can you recall offhand? Probably very few, because we rely on contact lists to remember them. In the early days of the internet, reaching a computer required the same memorization: you had to know its IP address. But as networks expanded, this became unsustainable.
Enter the Domain Name System (DNS), introduced in 1983 — a foundational innovation that translated human-readable domain names into IP addresses, making the internet more usable, scalable, and accessible.
Today, DNS is far more than just a digital directory. It powers nearly every aspect of internet functionality: from loading websites and delivering email to enabling content delivery networks (CDNs), cloud services, load balancing, and even supporting modern cybersecurity systems like threat intelligence and filtering.
Despite its age, DNS remains one of the most essential — and frequently targeted — layers of the internet stack, precisely because it is both mission-critical and inherently vulnerable, with limited built-in security and a global attack surface.
The Evolution of DNS
While DNS was originally built for simplicity and resilience, its core design didn’t anticipate the performance, scale, and security demands of today’s hyperconnected digital world.
Each DNS lookup introduces some latency — often several hundred milliseconds — especially when queries pass through multiple recursive resolvers or interact with poorly optimized authoritative servers. In high-traffic environments, this can cause noticeable delays, failed connections, and degraded user experience.
Additionally, DNS uses UDP by default, leaving it vulnerable to spoofing, cache poisoning, and amplification attacks. As applications become more global and latency-sensitive, DNS can quickly become a performance bottleneck — one that technologies like CDNs, DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT) now strive to address.
What is EDNS?
Traditional DNS messages were limited to just 512 bytes over UDP. As the internet matured — introducing technologies like DNSSEC, IPv6, and more complex record types — this limit became a serious constraint.
To solve this, Extension Mechanisms for DNS (EDNS) were introduced in RFC 2671 and later refined in RFC 6891. EDNS allows clients and servers to exchange additional metadata and increase the DNS message size — typically up to 4096 bytes — without breaking compatibility with legacy systems.
Why EDNS Matters
EDNS is the enabler for many modern DNS capabilities:
- Supports larger DNS responses, essential for DNSSEC and complex queries.
- Introduces new flags and metadata without altering the DNS header structure.
- Lays the groundwork for performance and security enhancements like ECS.
How Radware ADC Uses EDNS for Geo-Intelligent and Load-Aware Routing
In today’s distributed application environments, low latency and high availability are non-negotiable. Radware’s Application Delivery Controller (ADC) utilizes EDNS Client Subnet (ECS) — a powerful extension of EDNS — to enable precise, geo-aware, and lease-aware DNS-based routing.
EDNS Client Subnet (ECS): Enhancing Geographic Awareness
Typically, recursive resolvers (like Google Public DNS or Cloudflare) obscure the original user’s IP address when forwarding DNS queries. This limits the ability of DNS-based load balancers to determine the end user’s actual location.
ECS solves this by including a truncated portion of the user's IP address (usually a /24 subnet for IPv4) in the DNS query. This allows authoritative servers — such as Radware ADC — to make smarter, location-aware routing decisions.
How ECS Works in Radware ADC
- A user tries to access a service like api.company.com.
- The local resolver (e.g., ISP or Google DNS) checks its cache. If no cached answer exists, it forwards the query upstream.
- With ECS enabled, the resolver attaches the user's subnet information to the DNS query using EDNS.
- Radware's ADC, acting as the authoritative server, inspects the ECS data and applies logic to:
- Choose the closest or healthiest data center,
- Route based on latency, capacity, geo-policies, or least connections.
- The ADC responds with the optimal IP address, ensuring the user connects to the best available server.
Benefits: Speed and Security
Improved Performance
- Lower latency: Users are routed based on actual location, not the location of the resolver.
- Faster content delivery: Crucial for global web applications, streaming, and gaming.
- Seamless CDN integration: Aligns with edge caching and regional delivery strategies.
Stronger Security Posture
- Subnet masking for privacy: ECS typically includes only partial IP information, balancing personalization with anonymity.
- Mitigates DDoS attack redirection: By directing only legitimate traffic to the nearest point, the ADC reduces surface exposure.
- Supports DNS rate limiting & anomaly detection per region: Enables faster detection of suspicious patterns.
Conclusion
Radware's DNS solution, enhanced by EDNS and advanced GSLB (Global Server Load Balancing) algorithms, offers a smarter, location-aware, and security-conscious approach to traffic routing. It ensures users are always connected to the closest, healthiest, and most secure application instance. This not only reduces latency and improves performance but also strengthens your security posture by isolating traffic, minimizing attack surfaces, and integrating with WAF protection.
For organizations striving to deliver fast, reliable, and secure digital experiences at a global scale, Radware's ADC-powered DNS is not just an optimization — it's a future-proof foundation.