Cyber Alert: DNS Flag Day

Date Issued: January 30, 2019

« On Friday, February 1, 2019, major Domain Name Systems (DNS) software and service providers will remove DNS workarounds that allow users to bypass the Extension Mechanisms Protocol for DNS (EDNS).

EDNS is a set of extension mechanisms to expand the size of the DNS message as it goes through its query, which allows more information to be included in the communication between each host in the DNS resolution process.

On Friday, several DNS resolver operators, including PowerDNS, Internet Systems Consortium, and Google, will release updates that implement stricter EDNS handling. This update will speed up the DNS process by forcing everyone to implement the EDNS protocol.

Furthermore, the update will simplify the deployment of new features in the future. Consequently, if the update is not implemented on DNS servers, there will be no DNS response to any recursive servers’ request.

The following are DNS resolver versions that will implement this update:

BIND 9.13.3 (development) and 9.14.0 (production),
Knot Resolver already implemented stricter EDNS handling in all current versions,
PowerDNS Recursor 4.2.0, and
Unbound 1.9.0.

Important Dates:

February 1, 2019: Major DNS software and service providers will start to roll out these updates. »

www.cisecurity.org/ms-isac/cyber-alert-dns-flag-day/
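
An added example, not part of the alert or of any vendor's tooling: building a DNS query that carries an EDNS OPT record and classifying a server's reply to it, the kind of check an operator can run against their own authoritative servers. The function names, the result labels, the 1232-byte payload size and the sample replies are constructed for illustration.

```python
import struct

OPT = 41  # EDNS(0) OPT pseudo-record type (RFC 6891)

def build_edns_query(name, qtype=1, udp_size=1232, txid=0x1D5F):
    """DNS query for `name` with an empty OPT record in the additional section."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 1)  # flags=0, QDCOUNT=1, ARCOUNT=1
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)    # QCLASS=IN
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=flags/version, RDLEN=0
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def classify_response(msg):
    """Classify the reply to an EDNS query; None means nothing came back."""
    if msg is None:
        return "timeout"
    try:
        _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off, has_opt = 12, False
        for _ in range(qd):
            off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            has_opt |= rtype == OPT
    except (IndexError, struct.error):
        return "malformed"
    if has_opt:
        return "edns-ok"
    return "formerr-no-edns" if flags & 0x000F == 1 else "edns-ignored"

def sample_reply(flags, with_opt):
    """Constructed reply: the query echoed back with new flags, OPT kept or dropped."""
    q = build_edns_query("example.com")
    head = q[:2] + struct.pack("!4H", flags, 1, 0, 0) + struct.pack("!H", int(with_opt))
    return head + (q[12:] if with_opt else q[12:-11])
```

For a live check, send the bytes from `build_edns_query` over UDP to your own authoritative server and pass the reply, or `None` when the socket times out, to `classify_response`.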