SANS ISC: Are you Ready for DNS Flag Day? SANS ISC InfoSec Forums

Are you Ready for DNS Flag Day?

One of the interesting, and often horrifying, things I see as part of my work on Domain Generation Algorithms is what people do to their zone files, along with the bizarre DNS server implementations that are out there. DNS as a protocol has been around a long time and it's core to how the Internet works. As such, every update to DNS servers has included backwards compatibility, which has left inefficiencies and gaps that the community is seeking to close. Accordingly, the community has announced DNS Flag Day for 1 February 2019. That will be the day of a coordinated release of DNS software that removes support for the incompatible implementations of DNS server software that are still operating out there (and often causing problems).

This means every organization needs to verify that its domain and its authoritative DNS servers are prepared for the change. The DNS Flag Day website (https://dnsflagday.net) has a rudimentary testing script where you enter your domain and it tells you whether your domain is supported and good to go.
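To show what a check like that does at the wire level, here is an added example (not the DNS Flag Day project's own test script): it builds the three probes the Flag Day testers send to an authoritative server, a plain DNS query, an EDNS0 query, and a query with an unknown EDNS version, and grades the answers against RFC 6891 (FORMERR for servers without EDNS, BADVERS for an unknown version, and a timeout as the fatal case). The severity mapping in `evaluate` is my approximation of the "Fatal Error" versus warning distinction, not the site's exact rules, and `make_response` only constructs sample answers so the grading can be exercised offline.

```python
import socket
import struct
import random

TYPE_SOA, TYPE_OPT = 6, 41
RCODE_BADVERS = 16  # extended RCODE, high 8 bits live in the OPT record (RFC 6891)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(qname, qtype=TYPE_SOA, edns=True, edns_version=0, udp_size=1232, qid=None):
    """Non-recursive query (like `dig +norec`), optionally carrying an EDNS OPT record."""
    qid = random.randrange(65536) if qid is None else qid
    pkt = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL field = ext-rcode(8) | version(8) | flags(16), empty RDATA
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, edns_version << 16, 0)
    return pkt


def parse_response(data):
    """Pull out the header, find the OPT record, and fold the extended RCODE into rcode."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE/QCLASS
    info = {"id": qid, "rcode": flags & 0x0F, "answers": an, "opt": None}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["opt"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF}
            info["rcode"] = ((ttl >> 24) << 4) | (flags & 0x0F)
    return info


def evaluate(kind, resp):
    """Verdict for one probe kind ("plain", "edns0", "edns1"); resp is None on timeout."""
    if resp is None:
        return "fatal", "no response: resolvers will stop retrying without EDNS after Flag Day"
    if kind == "plain":
        return ("ok", "answers plain DNS") if resp["rcode"] == 0 else ("fatal", "plain query failed")
    if kind == "edns0":
        if resp["opt"] is None:
            # RFC 6891 section 7: a server without EDNS answers FORMERR and omits the OPT record
            if resp["rcode"] == 1:
                return "warning", "no EDNS support (FORMERR)"
            return "warning", "EDNS ignored (no OPT record in reply)"
        return ("ok", "EDNS0 supported") if resp["rcode"] == 0 else ("warning", "EDNS0 query not NOERROR")
    if kind == "edns1":
        # RFC 6891 section 6.1.3: an unknown version is rejected with BADVERS and version 0 in OPT
        if resp["opt"] and resp["rcode"] == RCODE_BADVERS and resp["opt"]["version"] == 0:
            return "ok", "unknown EDNS version rejected with BADVERS"
        return "warning", "unknown EDNS version not answered with BADVERS"
    raise ValueError(kind)


def make_response(query, rcode=0, include_opt=True, opt_version=0, answered=True):
    """Constructed reply to `query` for offline testing; stands in for a real name server."""
    qid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    pkt = struct.pack("!HHHHHH", qid, 0x8400 | (rcode & 0x0F), qd, int(answered), 0, int(include_opt))
    pkt += query[12:off]  # echo the question section
    if answered:  # minimal SOA whose names are pointers back to the question name
        rdata = b"\xc0\x0c\xc0\x0c" + struct.pack("!IIIII", 1, 3600, 900, 604800, 86400)
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 300, len(rdata)) + rdata
    if include_opt:
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, ((rcode >> 4) << 24) | (opt_version << 16), 0)
    return pkt


def probe(server_ip, query, timeout=3.0):
    """Send one UDP query to an authoritative server; None means it timed out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def check_server(server_ip, zone):
    """Run the three probes against one name server; returns {kind: (level, reason)}."""
    probes = {"plain": build_query(zone, edns=False),
              "edns0": build_query(zone),
              "edns1": build_query(zone, edns_version=1)}
    results = {}
    for kind, q in probes.items():
        raw = probe(server_ip, q)
        results[kind] = evaluate(kind, parse_response(raw) if raw else None)
    return results


if __name__ == "__main__":
    import sys  # usage: python flagday_check.py <name-server-ip> <zone>
    for kind, (level, reason) in check_server(sys.argv[1], sys.argv[2]).items():
        print(f"{kind:6} {level:8} {reason}")
```

Run it once per authoritative server of each zone you care about (the domains you "include" in SPF records and the zones of critical vendors are good candidates, since a "fatal" result on any of them is what turns into an outage after Flag Day). The probes deliberately clear the RD bit, because a recursive resolver in front of the server would mask exactly the behaviour being tested.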

If not, you'll need to update your authoritative DNS server to a modern version to accommodate these changes. If you operate your own recursive resolver, you don't need to do anything, but if you run one of the following modern versions of DNS resolvers, your resolver will no longer support those incompatible name servers:

  • BIND 9.13.3 (development) and 9.14.0 (production)
  • Knot Resolver has already implemented stricter EDNS handling in all current versions
  • PowerDNS Recursor 4.2.0
  • Unbound 1.9.0

TL;DR check out https://dnsflagday.net to ensure your domain is ready and if not, update your nameservers or you will see your infrastructure start to go dark.

--
John Bambenek
bambenek \at\ gmail /dot/ com
ThreatSTOP

Be certain to also check major and critical vendors as well as any domains you "include" in your SPF record. We've found a few that came up "Fatal Error" meaning it stops working on Feb. 1st.

No one significant, just the Internet cloud phone provider for the company...
Anonymous
