DNS Flag Day
Improving DNS for security, speed and reliability
An ongoing commitment to enhancing DNS
For over two decades, Infoblox has been relentless in its pursuit to make networking secure, reliable and simple. In the process, the Infoblox DDI platform has become the industry standard for cohesive network visibility, high availability, scalability, automation and control. DNS is our DNA—it’s the heart of all we do and why we support DNS Flag Day.
What is DNS Flag Day?
DNS Flag Day is a community-driven initiative designed to make the DNS protocol more secure, reliable and resilient and improve performance and operability by removing workarounds for DNS deficiencies.
“Infoblox supports DNS Flag Day 2020 (as we did the first DNS Flag Day in 2019). With the release of NIOS 8.5.1, we changed the defaults on our DNS servers to send DNS messages that won’t cause fragmentation on most networks. This helps our customers by making DNS on the Internet more reliable and secure.”
Cricket Liu, Chief DNS architect, Infoblox
DNS Flag Day 2020 updates
DNS Flag Day 2020 took place on October 1, 2020. Its main goal was to resolve the reliability and security risks of large-packet fragmentation with a simple two-step update. The first step reduced the default maximum EDNS buffer size to 1,232 bytes, small enough to fit within the smallest IPv6 frame, so that IP fragmentation is avoided altogether. The second step handled DNS responses that do not fit into a UDP packet by sending them over TCP instead.
Avoid DNS message fragmentation
DNS commonly uses large packets to transfer messages between an authoritative DNS server and a recursive DNS server over UDP. When the maximum transmission unit is exceeded anywhere along the path between the two endpoints, the IP packet is fragmented or split into smaller parts.
Improve DNS reliability
IP fragmentation often fails and makes communication unreliable. IPv6 complicates matters further: packets must be fragmented by the sender, which only learns that it needs to do so from an ICMP message, and that message is easily blocked by a misconfigured firewall. The result is that fragmentation undermines reliability.
Enhance Internet security
IP fragmentation also poses a specific DNS security risk: the DNS UDP port and query ID are carried only in the first IP fragment. This means an attacker can spoof the second fragment and poison the resolver's cache by substituting malicious content for the fragment originally intended. This vulnerability is a potentially extensive security risk with far-reaching impact.
Deploy Infoblox for DNS reliability and security
In NIOS 8.5.1, Infoblox anticipated these DNS Flag Day updates by exposing two settings: 1) the maximum size of a UDP datagram that a recursive DNS server says it can accept; and 2) the maximum amount of data that an authoritative DNS server will put into a UDP-based DNS message. Infoblox has also changed the defaults for these two settings to values that should prevent fragmentation over most networks. These new defaults ensured that when the change was implemented in October 2020, Infoblox customers would be ready for the updated standard.
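To make the two DNS Flag Day steps above concrete (the 1,232-byte EDNS buffer size and the fall-back to TCP when a response does not fit in a UDP packet), here is an added example written for this page; it is not Infoblox or NIOS code. It uses only the Python standard library: it derives the 1,232-byte figure from the IPv6 minimum MTU, builds a query whose EDNS0 OPT record advertises that buffer size (the value a recursive server "says it can accept"), reads the buffer size back out of a message, checks the TC (truncated) flag on a response, and frames the retry for TCP. The "response" is constructed inline for illustration, not captured from a real server.

```python
"""
Build a DNS query with an EDNS0 OPT record advertising a 1232-byte UDP buffer,
inspect a response for the TC (truncated) bit, and frame the retry for TCP.
Standard library only; the sample response below is constructed, not captured.
"""
import struct

# DNS Flag Day 2020 default: IPv6 minimum MTU minus the IPv6 and UDP headers.
IPV6_MIN_MTU = 1280
IPV6_HEADER_LEN = 40
UDP_HEADER_LEN = 8
RECOMMENDED_EDNS_BUFSIZE = IPV6_MIN_MTU - IPV6_HEADER_LEN - UDP_HEADER_LEN  # 1232

TYPE_A, TYPE_OPT = 1, 41
FLAG_TC = 0x0200  # TC bit in the flags word: the UDP response was truncated


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label wire format."""
    labels = name.rstrip(".").split(".")
    out = b"".join(struct.pack("B", len(label)) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at 'off'."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def build_query(qname: str, qtype: int = TYPE_A, txid: int = 0x1234,
                bufsize: int = RECOMMENDED_EDNS_BUFSIZE) -> bytes:
    """Standard query (RD set) with one question and an OPT RR in ADDITIONAL.
    In the OPT pseudo-record the CLASS field carries the UDP payload size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=bufsize, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_bufsize(msg: bytes):
    """Walk every section and return the UDP payload size from the OPT RR, or None."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass
    return None


def needs_tcp_retry(response: bytes) -> bool:
    """A resolver retries over TCP when the server set TC: the UDP reply was cut short."""
    return parse_header(response)["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def sample_truncated_response(query: bytes) -> bytes:
    """Constructed sample: QR=1, TC=1, RD=1, RA=1 (0x8380), question echoed, no answers,
    OPT RR present. This is the shape of a reply from a server that refuses to fragment."""
    question_end = skip_name(query, 12) + 4
    question = query[12:question_end]
    header = struct.pack("!HHHHHH", parse_header(query)["id"], 0x8380, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, RECOMMENDED_EDNS_BUFSIZE, 0, 0)
    return header + question + opt


if __name__ == "__main__":
    q = build_query("example.com.")
    print("advertised EDNS buffer size:", advertised_bufsize(q))
    r = sample_truncated_response(q)
    if needs_tcp_retry(r):
        print("TC set: retrying over TCP with", len(tcp_frame(q)), "framed bytes")
```

The two defaults the page describes map onto the same OPT field from opposite sides: a recursive server advertises the size in its query, and an authoritative server caps its UDP reply at its own configured size regardless of a larger advertised value, setting TC when the answer will not fit so that the client retries over TCP.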
Related Products
DNS, DHCP and IPAM (DDI)
Unify DNS, DHCP and IPAM across on-premises and cloud data centers
BloxOne® DDI
Simplify and scale cloud access everywhere with automated, cloud-managed DNS, DHCP and IPAM
BloxOne® Threat Defense
Quickly deploy on-premises, cloud or hybrid DNS-layer security everywhere
Advanced DNS Protection
Protect enterprise DNS infrastructure to ensure maximum uptime