DNS Flag Day

Improving DNS for security, speed and reliability

An ongoing commitment to enhancing DNS

For over two decades, Infoblox has been relentless in its pursuit to make networking secure, reliable and simple. In the process, the Infoblox DDI platform has become the industry standard for cohesive network visibility, high availability, scalability, automation and control. DNS is our DNA—it’s the heart of all we do and why we support DNS Flag Day.

What is DNS Flag Day?

DNS Flag Day is a community-driven initiative designed to make the DNS protocol more secure, reliable and resilient and improve performance and operability by removing workarounds for DNS deficiencies.

Key goals

DNS Flag Day 2020

  • Avoid DNS message fragmentation
  • Improve DNS reliability
  • Enhance Internet security

DNS Flag Day 2019

  • Gain faster average name resolution
  • Standardize vendor and operator DNS server implementations
  • Launch new features and security measures
  • Streamline upgrades

DNS Flag Day 2020 updates

DNS Flag Day 2020 took place on October 1, 2020. Its main goal was to remove the reliability and security risks of IP fragmentation of large DNS messages with a simple two-step change. The first step lowers the default EDNS UDP buffer size to 1,232 bytes: the IPv6 minimum MTU is 1,280 bytes, and subtracting the 40-byte IPv6 header and the 8-byte UDP header leaves 1,232 bytes of DNS payload, so a response of that size never needs to be fragmented on a standards-compliant IPv6 path and comfortably fits typical IPv4 paths as well. The second step addresses responses that do not fit in that buffer: instead of sending an oversized datagram, the server marks the response as truncated (TC bit set), and the client repeats the query over TCP. This makes it essential that TCP port 53 is reachable on every authoritative and recursive server, not just UDP.
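The two steps above in working form, as an added example written for this page rather than code from Infoblox or the DNS Flag Day project: a resolver builds a query whose EDNS0 OPT record advertises a 1,232-byte buffer, an authoritative server answers with the requested A records when they fit within the smaller of the client's advertised size and its own UDP limit and otherwise sets the TC bit, and the resolver retries over TCP when it sees a truncated reply. Both sides are simulated locally with the Python standard library, so nothing touches the network; the zone name big.example., the addresses from the 192.0.2.0/24 documentation range and the 100-record answer are constructed inputs, and the helper names are this example's own.

```python
"""Added example: EDNS0 buffer advertisement, server-side truncation and TCP
fallback as recommended by DNS Flag Day 2020. Standard library only; every
message is built locally, so it runs offline on constructed data."""
import secrets
import struct
from typing import List, Optional, Tuple

# 1232 = IPv6 minimum MTU (1280) minus the IPv6 (40) and UDP (8) headers.
IPV6_MIN_MTU, IPV6_HEADER, UDP_HEADER = 1280, 40, 8
FLAG_DAY_BUFSIZE = IPV6_MIN_MTU - IPV6_HEADER - UDP_HEADER   # 1232
DEFAULT_NO_EDNS = 512        # RFC 1035 limit when the client sends no OPT record
TCP_LIMIT = 65535            # DNS over TCP carries a two-byte length prefix

FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
DO_BIT = 0x00008000          # DNSSEC OK flag in the OPT TTL field

def would_fragment_ipv6(udp_payload_len: int) -> bool:
    """True if a UDP datagram of this payload size exceeds the IPv6 minimum MTU."""
    return udp_payload_len + UDP_HEADER + IPV6_HEADER > IPV6_MIN_MTU

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def opt_rr(payload_size: int) -> bytes:
    # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS carries the UDP
    # payload size, TTL carries ext-RCODE/version/flags, RDLEN 0.
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload_size, DO_BIT, 0)

def build_query(qname: str, bufsize: Optional[int] = FLAG_DAY_BUFSIZE,
                txid: Optional[int] = None) -> bytes:
    """Resolver side: an A query advertising the UDP payload size it can accept."""
    txid = secrets.randbits(16) if txid is None else txid
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0 if bufsize is None else 1)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return msg if bufsize is None else msg + opt_rr(bufsize)

def advertised_bufsize(query: bytes) -> Optional[int]:
    """Server side: payload size from the client's OPT RR, or None without EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4             # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None

def build_response(query: bytes, addresses: List[str],
                   max_udp_size: int = FLAG_DAY_BUFSIZE, over_tcp: bool = False) -> bytes:
    """Authoritative side: answer with A records, or truncate (TC=1) rather than
    exceed min(client's advertised size, server's own max UDP size)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    client_size = advertised_bufsize(query)
    opt = b"" if client_size is None else opt_rr(max_udp_size)
    arcount = 0 if client_size is None else 1
    # Each answer: pointer to the question name (0xC00C), type, class, TTL, RDLEN, IPv4.
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4)
                       + bytes(int(o) for o in a.split(".")) for a in addresses)
    flags = FLAG_QR | FLAG_RD
    full = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, arcount) + question + answers + opt
    limit = TCP_LIMIT if over_tcp else min(client_size or DEFAULT_NO_EDNS, max_udp_size)
    if len(full) <= limit:
        return full
    # Too big for the datagram: empty answer with TC set, so the client retries over TCP.
    return struct.pack("!HHHHHH", txid, flags | FLAG_TC, 1, 0, 0, arcount) + question + opt

def is_truncated(response: bytes) -> bool:
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)

def answer_count(response: bytes) -> int:
    return struct.unpack("!H", response[6:8])[0]

def resolve(query: bytes, addresses: List[str],
            max_udp_size: int = FLAG_DAY_BUFSIZE) -> Tuple[str, bytes]:
    """Resolver flow: try UDP first; on a truncated reply, repeat the query over TCP."""
    udp = build_response(query, addresses, max_udp_size)
    if not is_truncated(udp):
        return "udp", udp
    return "tcp", build_response(query, addresses, max_udp_size, over_tcp=True)

if __name__ == "__main__":
    big = [f"192.0.2.{i}" for i in range(1, 101)]     # constructed: 100 A records, 1,600 bytes
    query = build_query("big.example.", txid=0x1234)
    transport, reply = resolve(query, big)
    print(transport, answer_count(reply), "answers,", len(reply), "bytes")
    legacy = build_query("big.example.", bufsize=4096, txid=0x1234)
    reply = build_response(legacy, big, max_udp_size=4096)
    print("4096/4096:", len(reply), "bytes over UDP; fragments on IPv6:", would_fragment_ipv6(len(reply)))
```

Run as a script, it shows the 1,640-byte answer being cut down to a 40-byte TC response on UDP and delivered whole over TCP; with both sides raised to the pre-Flag-Day 4,096 bytes the same answer goes out in one UDP datagram that would_fragment_ipv6 reports as exceeding the IPv6 minimum MTU, which is exactly the case the 2020 change removes. The server-side limit is the minimum of what the client advertised and the server's own cap, so a 1,232-byte server setting protects even clients that still advertise 4,096.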

Avoid DNS message fragmentation

Recursive and authoritative DNS servers exchange messages over UDP, and responses that carry DNSSEC signatures or large record sets can run to several kilobytes. When such a datagram exceeds the maximum transmission unit (MTU) anywhere along the path between the two endpoints, the IP packet is fragmented, that is, split into smaller pieces that the receiving host must reassemble before the DNS message can be read.

Improve DNS reliability

IP fragmentation often fails in practice, which makes UDP-based DNS unreliable. IPv6 makes this worse: intermediate routers never fragment, so only the sender can, and it learns that it must from an ICMPv6 Packet Too Big message. Firewalls frequently drop ICMPv6, in which case the sender never learns the path MTU and the oversized response is silently lost.

Enhance Internet security

IP fragmentation also creates a DNS-specific security risk. The UDP header (with the DNS port) and the DNS query ID travel only in the first fragment; later fragments are matched to it solely by the 16-bit IP identification field, which is small and often predictable. An attacker can therefore inject a forged second fragment, without having to guess the port or query ID, that the resolver reassembles with the genuine first fragment, poisoning its cache with attacker-chosen records. Keeping responses small enough to avoid fragmentation removes this attack surface.

Deploy Infoblox for DNS reliability and security

In NIOS 8.5.1, Infoblox anticipated these DNS Flag Day changes by exposing two settings: 1) the maximum UDP payload size that a recursive DNS server advertises (in its EDNS OPT record) as willing to accept; and 2) the maximum amount of data that an authoritative DNS server will put into a UDP-based DNS response before truncating it. Infoblox also changed the defaults for both settings to values that should prevent fragmentation over most networks (DNS Flag Day recommends 1,232 bytes for both). These new defaults meant that when the change took effect in October 2020, Infoblox customers were already aligned with the updated standard. Because truncated responses now depend on the TCP retry, verify after upgrading that TCP port 53 is open to and from these servers.

Related Products

DNS, DHCP and IPAM (DDI)

Unify DNS, DHCP and IPAM across on-premises and cloud data centers

BloxOne® DDI

Simplify and scale cloud access everywhere with automated, cloud-managed DNS, DHCP and IPAM

BloxOne® Threat Defense

Quickly deploy on-premises, cloud or hybrid DNS-layer security everywhere

Advanced DNS Protection

Protect enterprise DNS infrastructure to ensure maximum uptime
