Laggards obliged to update systems as support for workarounds gets pulled

A second round of attempts to encourage laggards to update obsolete Domain Name Server (DNS) infrastructure by dropping support for cumbersome workarounds takes place today (October 1).

The second DNS Flag Day is focused on pushing network administrators towards tighter compliance with established standards for supporting DNS transport over the Transmission Control Protocol (DNS-over-TCP).

Some DNS responses are too big to be handled by the User Datagram Protocol (UDP), resulting in fragmentation of IP packets. Fragmentation presents a well-known security risk, as organizers of the DNS Flag Day 2020 explain.


IP fragmentation is unreliable on the internet today, and can cause transmission failures when large DNS messages are sent via UDP. Even when fragmentation does work, it may not be secure; it is theoretically possible to spoof parts of a fragmented DNS message, without easy detection at the receiving end.

The UDP protocol is effective and efficient with small responses. In the case of large packets, DNS resolvers ought to switch from using UDP to TCP.

Standards-compliant software already handles the switch from UDP to TCP, so the problem boils down to getting operators of authoritative servers and DNS resolvers to update and configure their systems.

Securing DNS

DNS Flag Day 2020 involves dropping support for cumbersome workarounds, so stragglers need to apply updates to stay in the game.

Cricket Liu, chief DNS architect at Infoblox, a cybersecurity firm, told The Daily Swig: “The changes should reduce the possibility of fragmentation, and if your DNS servers have been suffering from lost fragments, that would mean better reliability and possibly better performance.

“The changes should also provide protection against the attacks possible against fragmented DNS, so that’s a security benefit,” he added.

Client-side (stub resolver) systems, including Windows, have supported DNS-over-TCP for years, so the work that needs to be done is focused solely on the server side of DNS. The upgrade process on the server side is straightforward, according to Liu.

“It’s really just reconfiguration for most people, not even an upgrade,” he explained.

“If you’re running a BIND DNS server, for example, it’s just a matter of adding two new options substatements to your named.conf file:


    options {
        edns-udp-size 1232;
        max-udp-size 1232;
    };


“For Infoblox customers, we’ll change those defaults on upgrade to the latest version of NIOS,” Liu added.
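The UDP-to-TCP switch described above, combined with the 1232-byte EDNS size from the quoted BIND settings, shown as an added example that is not part of the original article or of any DNS vendor's code. The function names, the query ID and the sample replies are constructed for illustration.

```python
import struct

EDNS_UDP_SIZE = 1232  # value from the named.conf settings quoted above
TC_BIT = 0x0200       # "truncated" flag in the DNS header flags word

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, msg_id=0x1234, udp_size=EDNS_UDP_SIZE):
    """Build a query whose EDNS0 OPT record advertises udp_size as the UDP limit."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT pseudo-record (RFC 6891): root name, TYPE 41, CLASS carries the UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def frame_for_tcp(message):
    """DNS over TCP prefixes every message with a two-byte length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def next_step(query, udp_reply):
    """Decide what to do with a UDP reply: accept it, drop it, or retry over TCP."""
    if len(udp_reply) < 12 or udp_reply[:2] != query[:2]:
        return "drop", None                       # malformed, or ID does not match the query
    flags = struct.unpack("!H", udp_reply[2:4])[0]
    if flags & TC_BIT:
        return "retry-tcp", frame_for_tcp(query)  # answer did not fit: repeat over TCP
    return "accept", None

# Constructed sample replies (not captured traffic): header plus echoed question only.
QUERY = build_query("example.com")
_QUESTION = QUERY[12:-11]                         # strip 12-byte header and 11-byte OPT record
REPLY_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION
REPLY_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, reply in (("ok", REPLY_OK), ("truncated", REPLY_TRUNCATED)):
        action, tcp_bytes = next_step(QUERY, reply)
        print(label, "->", action, len(tcp_bytes) if tcp_bytes else "")
```

A server that honours the advertised 1232-byte limit sets the truncated flag instead of sending a larger UDP datagram, which is what makes the TCP retry path the normal route for large answers.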

Flying the flag

The delayed second edition of DNS Flag Day follows the first, which took place in February 2019. The inaugural DNS Flag Day encouraged DNS vendors including BIND 9 and PowerDNS, along with large DNS resolver operators, such as Google and Cloudflare, to disable workarounds for broken EDNS implementations.

The underpinning philosophy behind DNS Flag Day is that the ISPs and DNS operators that make up the DNS community should no longer suffer the inconvenience and cost caused by workarounds that only benefit a small number of organizations that are way behind in following network security best practices.

No follow-up DNS Flag Days are scheduled at present.

