Cyber Alert: DNS Flag Day
Date Issued: January 30, 2019
On Friday, February 1, 2019, major Domain Name Systems (DNS) software and service providers will remove DNS workarounds that allow users to bypass the Extension Mechanisms Protocol for DNS (EDNS). EDNS is a set of extension mechanisms to expand the size of the DNS message as it goes through its query, which allows more information to be included in the communication between each host in the DNS resolution process.
On Friday, several DNS resolver operators, including PowerDNS, Internet System Consortium, and Google, will release updates that implement stricter EDNS handling. This update will speed up the DNS process by forcing everyone to implement the EDNS protocol. Furthermore, the update will simplify the deployment of new features in the future. Consequently, if the update is not implemented on DNS servers, there will be no DNS response to any recursive servers’ request.
The following are DNS resolver versions that will implement this update:
- BIND 9.13.3 (development) and 9.14.0 (production),
- Knot Resolver already implemented stricter EDNS handling in all current versions,
- PowerDNS Recursor 4.2.0, and
- Unbound 1.9.0.
- February 1, 2019: Major DNS software and service providers will start to roll out these updates.
The MS-ISAC recommends members inventory their DNS servers to determine if they are EDNS compliant. EDNS compliancy testing platforms and a list of participating DNS providers is available at: https://dnsflagday.net/ and http://ednscomp.isc.org/.
If you run a test from http://ednscomp.isc.org/ and get a failure due to timeouts, this may be due to the response rate limiting settings on the server rate-limiting the queries coming from the test tool. Temporarily whitelisting the testing site domain information groper (Dig) queries, which come from 188.8.131.52 and 2001:4f8:1:f::48 will resolve this error.
Lastly, ensure that firewalls or Intrusion Protection Systems (IPS) are the most current version and not blocking EDNS traffic as these services typically block this traffic due to the packet size being larger than 512 bytes.
DNS Test information: