HomeMS-ISACCyber Alert: DNS Flag Day

Cyber Alert: DNS Flag Day

Date Issued: January 30, 2019

On Friday, February 1, 2019, major Domain Name Systems (DNS) software and service providers will remove DNS workarounds that allow users to bypass the Extension Mechanisms Protocol for DNS (EDNS). EDNS is a set of extension mechanisms to expand the size of the DNS message as it goes through its query, which allows more information to be included in the communication between each host in the DNS resolution process.

On Friday, several DNS resolver operators, including PowerDNS, Internet System Consortium, and Google, will release updates that implement stricter EDNS handling. This update will speed up the DNS process by forcing everyone to implement the EDNS protocol. Furthermore, the update will simplify the deployment of new features in the future. Consequently, if the update is not implemented on DNS servers, there will be no DNS response to any recursive servers’ request.

The following are DNS resolver versions that will implement this update:

  • BIND 9.13.3 (development) and 9.14.0 (production),
  • Knot Resolver already implemented stricter EDNS handling in all current versions,
  • PowerDNS Recursor 4.2.0, and
  • Unbound 1.9.0.

Important Dates:

  • February 1, 2019: Major DNS software and service providers will start to roll out these updates.

Recommendations:

The MS-ISAC recommends members inventory their DNS servers to determine if they are EDNS compliant. EDNS compliancy testing platforms and a list of participating DNS providers is available at: https://dnsflagday.net/ and http://ednscomp.isc.org/.

If you run a test from http://ednscomp.isc.org/ and get a failure due to timeouts, this may be due to the response rate limiting settings on the server rate-limiting the queries coming from the test tool. Temporarily whitelisting the testing site domain information groper (Dig) queries, which come from 149.20.1.48 and 2001:4f8:1:f::48 will resolve this error.

Lastly, ensure that firewalls or Intrusion Protection Systems (IPS) are the most current version and not blocking EDNS traffic as these services typically block this traffic due to the packet size being larger than 512 bytes.

References:

https://dnsflagday.net/

https://www.isc.org/blogs/dns-flag-day/

DNS Test information:

https://dnsflagday.net/

http://ednscomp.isc.org/

 

Information Hub

MS-ISAC

Advisory04.24.2024
2024-043: Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Read More
Advisory04.17.2024
2024-042: Oracle Quarterly Critical Patches Issued April 16, 2024
Read More
Press Release04.17.2024
Center for Internet Security Partners with State and Federal Cyber Experts to Offer Security Solutions for K-12 Schools
Read More
Press Release03.06.2024
Making a Difference and Building Capacity in 2023
Read More