The Multi-State Information Sharing & Analysis Center (MS-ISAC) released an alert on Domain Name System (DNS) Flag Day, which is this coming Friday.
On DNS Flag Day, DNS software and service providers will roll out updates to remove workarounds that allow users to bypass the Extension Mechanisms Protocol for DNS (EDNS). While the updates will improve DNS operations, some domains served by DNS servers operating out-of-date software may become unavailable.
On Friday, several DNS resolver operators, including PowerDNS, Internet Systems Consortium, and Google, will release updates that implement stricter EDNS handling. This update will speed up DNS resolution by requiring everyone to implement the EDNS protocol. Furthermore, the update will simplify the deployment of new features in the future. Consequently, if EDNS is not implemented on a DNS server, recursive servers' requests to it will receive no DNS response.
The following are DNS resolver versions that will implement this update:
• BIND 9.13.3 (development) and 9.14.0 (production)
• Knot Resolver already implemented stricter EDNS handling in all current versions
• PowerDNS Recursor 4.2.0
• Unbound 1.9.0
MS-ISAC recommends members inventory their DNS servers to determine whether they are EDNS compliant. EDNS compliance testing platforms and a list of participating DNS providers are available from the DNS Flag Day project.
If you run a test from http://ednscomp.isc.org/ and get a failure due to timeouts, this may be caused by the response rate limiting (RRL) settings on the server rate-limiting the queries coming from the test tool. Temporarily whitelisting the testing site's domain information groper (dig) queries, which come from 18.104.22.168 and 2001:4f8:1:f::48, will resolve this error.
Ensure firewalls and Intrusion Prevention Systems (IPS) are running the most current version and are not blocking EDNS traffic; these devices often block such traffic because EDNS responses can exceed the traditional 512-byte DNS UDP packet size.
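The following Python script is an added example, not part of the MS-ISAC alert or the ISC test tool. It performs the core check that the inventory step above calls for: it sends one plain DNS query and one EDNS0 query (with an OPT record advertising a 4096-byte UDP payload) to a server and classifies the outcome. A server that answers the plain query but never answers the EDNS query is the case that stops resolving after Flag Day; a server that answers neither may simply be rate-limiting or firewalled, as the alert's RRL and firewall notes describe. The server address, query name, and the sample response bytes used for offline checks are constructed assumptions.

```python
"""Minimal EDNS0 compliance probe (constructed example, not the ISC checker).

Builds raw DNS queries with and without an EDNS0 OPT record, parses the
reply, and classifies the server:
  edns-timeout : plain query answered, EDNS query dropped (breaks on Flag Day)
  edns-ignored : EDNS query answered but with no OPT record (RFC 6891 violation)
  edns-refused : EDNS query answered with an error the plain query did not get
  unreachable  : no answer to either query (check RRL, firewall, IPS first)
  compliant    : both queries answered, OPT record echoed back
"""
import random
import socket
import struct

EDNS_BUFSIZE = 4096  # UDP payload size advertised in the OPT record
OPT_TYPE = 41        # RR type of the EDNS0 OPT pseudo-record


def build_query(qname, qtype=1, edns=True, bufsize=EDNS_BUFSIZE, txid=None):
    """Return (txid, wire-format DNS query). qtype 1 = A, 2 = NS, 6 = SOA."""
    if txid is None:
        txid = random.randrange(0, 65536)
    arcount = 1 if edns else 0  # the OPT record lives in the additional section
    # Header: id, flags (RD=1 only), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=udp payload size,
        # TTL=ext-rcode/version/flags (all zero), RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return txid, header + question + opt


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Parse a DNS reply into txid, (extended) rcode, TC flag and OPT presence."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    has_opt, ext_rcode = False, 0
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == OPT_TYPE:
            has_opt = True
            ext_rcode = (ttl >> 24) & 0xFF  # upper 8 bits of the rcode live here
        off += 10 + rdlen
    return {
        "txid": txid,
        "rcode": (flags & 0x0F) | (ext_rcode << 4),
        "tc": bool(flags & 0x0200),
        "has_opt": has_opt,
        "size": len(buf),
    }


def classify(plain, edns):
    """plain/edns are parse_response() dicts, or None when the query timed out."""
    if plain is None:
        return "unreachable"
    if edns is None:
        return "edns-timeout"
    if not edns["has_opt"]:
        return "edns-ignored"
    if edns["rcode"] != 0 and plain["rcode"] == 0:
        return "edns-refused"
    return "compliant"


def probe(server, qname, timeout=3.0):
    """Send a plain and an EDNS SOA query to `server` (IPv4 or IPv6 address)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    results = {}
    for label, edns in (("plain", False), ("edns", True)):
        txid, wire = build_query(qname, qtype=6, edns=edns)
        sock = socket.socket(family, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(wire, (server, 53))
            data, _ = sock.recvfrom(EDNS_BUFSIZE)
            parsed = parse_response(data)
            results[label] = parsed if parsed["txid"] == txid else None
        except (socket.timeout, OSError):
            results[label] = None
        finally:
            sock.close()
    return classify(results["plain"], results["edns"])


if __name__ == "__main__":
    import sys
    # Usage: python edns_probe.py <authoritative-server-ip> <zone-name>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it against each authoritative server in the inventory for a zone it serves. Because a single EDNS and a single plain query are sent, the probe is far below any sane RRL threshold; if it still reports `unreachable`, look at the firewall or IPS path before concluding the server itself is broken.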