Why you should be paying attention to DNS Flag Day
4 March 2019
Cricket Liu, Chief DNS Architect at Infoblox, explains how changes to the internet's DNS system will affect businesses globally.
If you follow news about the Domain Name System, you might have heard or read about DNS Flag Day, which took place at the beginning of February. You might also be frantically asking yourself, “What is this new change?” and “How does it affect my business?”
DNS has been around for over 30 years now, since the days of the Advanced Research Projects Agency Network (or ARPANET), the precursor network to the Internet. As a DNS architect, I believe DNS is remarkable: It has scaled from serving a network of thousands of computers to a network of billions of computers and other devices. It is decentralized and made up of millions of cooperating resolvers and DNS servers, yet it (usually) provides rapid resolution of arbitrary domain names from all over the globe.
There are dozens of makes and models of DNS servers, and as you might guess, not all of them implement all aspects of DNS specifications equally. Take, for instance, the Extension Mechanisms for DNS (also known as EDNS0), which notably enable the use of larger DNS messages over the User Datagram Protocol.
Despite the fact that EDNS0 was written decades ago, there are some DNS servers that don’t support it correctly. EDNS0’s specifications say that if a DNS server that doesn’t support EDNS0 receives a query with EDNS0 options in it, it’s supposed to respond with a standard response code called a “Format Error.” But some DNS servers respond instead with a “Not Implemented” or “Server Failed” response code — or they simply don’t respond at all.
This last case is particularly troublesome. When a recursive DNS server queries an authoritative DNS server and gets no response, it has to consider the possibility that the authoritative server doesn't support EDNS0 and is one of those that simply doesn't respond at all to queries carrying EDNS0 options. Until recently, almost all recursive DNS servers accommodated this small percentage of misbehaving DNS servers by retransmitting the same query — without EDNS0 options — to an unresponsive DNS server.
But what if the unresponsive DNS server didn't respond because it was down, because its IP address was wrong, or for some other reason? Your recursive DNS server would still retransmit a query to it, rather than quickly moving along to a different authoritative DNS server, and your resolution performance would suffer. In other words, DNS would slow down.
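The retry behaviour described above, as an added illustration that is not code from the article, from Infoblox, or from any real resolver: a small offline simulation in which authoritative servers are stand-in functions (constructed for this example) and a recursive resolver walks its server list either with the legacy "retry without EDNS0" workaround or with the post-Flag Day behaviour of treating a timeout as a dead server and moving on.

```python
# Added example, not from the article: how a recursive server spends queries
# on an unresponsive authoritative server before and after DNS Flag Day.
# Transport is abstracted away: a server is a function taking "does this
# query carry EDNS0 options?" and returning an answer, or None for silence.
from typing import Callable, List, Optional, Tuple

Server = Callable[[bool], Optional[str]]


def modern_server(uses_edns0: bool) -> Optional[str]:
    """Supports EDNS0 and answers either kind of query (constructed)."""
    return "answer"


def legacy_silent_server(uses_edns0: bool) -> Optional[str]:
    """The troublesome case: drops EDNS0 queries, answers plain ones (constructed)."""
    return None if uses_edns0 else "answer"


def dead_server(uses_edns0: bool) -> Optional[str]:
    """Down, wrong IP address, or otherwise unreachable: never answers (constructed)."""
    return None


def resolve(servers: List[Server], legacy_fallback: bool) -> Tuple[Optional[str], int, int]:
    """Query each server in turn until one answers.

    legacy_fallback=True  models the pre-Flag Day workaround: on a timeout,
                          retransmit the same query without EDNS0 options.
    legacy_fallback=False models the post-Flag Day behaviour: a timeout means
                          move on to the next authoritative server.
    Returns (answer, queries_sent, timeouts_waited_out).
    """
    sent = 0
    timeouts = 0
    for server in servers:
        sent += 1
        reply = server(True)               # first attempt always carries EDNS0
        if reply is None:
            timeouts += 1
            if legacy_fallback:
                sent += 1
                reply = server(False)      # retry the same server without EDNS0
                if reply is None:
                    timeouts += 1
        if reply is not None:
            return reply, sent, timeouts
    return None, sent, timeouts


if __name__ == "__main__":
    path = [dead_server, modern_server]
    print("legacy :", resolve(path, legacy_fallback=True))    # two timeouts on the dead server
    print("flagday:", resolve(path, legacy_fallback=False))   # one timeout, then move on
    print("silent :", resolve([legacy_silent_server], legacy_fallback=False))  # no longer answered
```

With a dead server first in the list, the legacy mode waits out two timeouts before trying the next server, the Flag Day mode only one; the price of that speed-up is that a server which silently drops EDNS0 queries is no longer reached at all, which is exactly why the article asks you to test your own servers.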
In my opinion, we shouldn't penalize everyone on the internet for the few DNS server implementations out there that do not support a 20-year-old extension. (I like to think of it as, “The needs of the many outweigh the needs of the few.”) This issue is the focus of DNS Flag Day. A group of DNS server developers and operators of DNS services announced that as of February 1, they will start tearing out the mechanisms that accommodated these old DNS servers.
This won’t happen overnight. The latest versions of software from these developers will incorporate the changes, but it will take time before everyone upgrades to new versions of DNS servers. Even then, it will take time for DNS vendors to test it and integrate it into new products. The big DNS services won't tear off the Band-Aid all at once: they'll gradually stop accommodating broken DNS servers. But the good news is that before long — or in the foreseeable future, anyway — I believe DNS resolution will speed up for most of the Internet.
What do changes to DNS mean for business?
So as a business leader, what should you be doing?
First, check to see whether your organization's DNS servers support EDNS0 properly. You can do so at the DNS Flag Day website by entering the name of one of your company's domains.
If the test fails, determine whether your DNS servers don't support EDNS0 or if some intermediate device between your DNS server and the internet, such as a firewall, is causing the problem. (The DNS Flag Day website includes statements from many DNS server developers regarding their support.) In my experience, unless you're running seemingly ancient DNS server software, it's likely an intermediate device. For example, one customer I worked with recently discovered that a distributed denial of service mitigation device wasn't passing EDNS0 options through to their DNS servers.
If you've ruled out your DNS server software and suspect an intermediate device, make a list of those devices on the path between your DNS servers and the internet, including load balancers, firewalls and other security devices. You'll also need to know the release of firmware or software they run. Then, check to see whether those devices and software support EDNS0. Some networking vendors have posted information about whether their equipment supports EDNS0 on their websites. Once you've identified the device that's the culprit, upgrade it so that it does support EDNS0 or swap it for a new one that does.
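A way to perform the check described in the steps above yourself, as an added example that is not the DNS Flag Day website's test nor any Infoblox tool: the script builds a raw DNS query carrying an EDNS0 OPT record, parses the reply, and sorts the result into the categories the article discusses (OPT record returned, a compliant "Format Error", a "Not Implemented" or "Server Failed" misbehaviour, or no response at all). The `probe()` function sends the query over UDP to a server you name; the `make_response()` helper only fabricates sample replies so the classification can be exercised offline.

```python
# Added example, not from the article: a minimal EDNS0 compliance probe.
# Only the standard library is used; message layout follows the DNS wire format.
import socket
import struct
from typing import Optional

OPT_TYPE = 41
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Turn 'example.com' into the length-prefixed label sequence."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_edns0_query(name: str, qtype: int = 1, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """Standard query (RD set) for `name` with one OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = extended RCODE (8 bits) | EDNS version (8) | flags (16), no RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract transaction id, full RCODE (with OPT extension bits) and OPT presence."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4             # QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            has_opt = True
            rcode |= ((ttl >> 24) & 0xFF) << 4     # upper 8 RCODE bits live in the OPT TTL
    return {"id": txid, "rcode": rcode, "has_opt": has_opt}


def classify(data: Optional[bytes]) -> str:
    """Map a reply (or None for a timeout) onto the cases the article describes."""
    if data is None:
        return "timeout"            # the case recursive servers will stop working around
    r = parse_response(data)
    name = RCODE_NAMES.get(r["rcode"], str(r["rcode"]))
    if r["has_opt"]:
        return "supported"          # OPT echoed back: EDNS0 is understood
    if name == "FORMERR":
        return "formerr"            # no EDNS0, but the response the spec asks for
    if name in ("NOTIMP", "SERVFAIL"):
        return "misbehaving"        # wrong response code for an unsupported extension
    return "ignored"                # answered, but dropped the OPT record


def probe(server_ip: str, name: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send one EDNS0 query over UDP/53 to an authoritative server; None on no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns0_query(name), (server_ip, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


def make_response(txid: int, rcode: int, include_opt: bool, name: str = "example.com") -> bytes:
    """Constructed sample reply (QR+RD+RA set) used only to exercise classify() offline."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 1 if include_opt else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0) if include_opt else b""
    return header + question + opt


if __name__ == "__main__":
    # Replace with one of your own authoritative servers and domains to run it for real.
    print(classify(probe("192.0.2.53", "example.com")))   # 192.0.2.0/24 is a documentation range
```

Run it against each of your authoritative servers from outside your network as well as from inside: a "timeout" or "misbehaving" result seen only from outside points at an intermediate device stripping or rejecting the OPT record, which is the firewall or mitigation-device case the article describes.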
I believe if you take these precautions, you can avoid the collateral damage that DNS Flag Day could potentially cause you if you're operating with outdated software. And in turn, you could help speed up DNS resolution on the internet for everyone.
Infoblox focuses on managing and identifying devices connected to networks: especially for the Domain Name System, Dynamic Host Configuration Protocol, and IP address management.