
DNS LEADER INFOBLOX IS ACTIVE IN DNS FLAG DAY

Improving DNS for Security, Speed and Reliability

An Ongoing Commitment to Enhancing DNS

For over two decades, Infoblox has been relentless in its pursuit to make networking secure, reliable and simple. In the process, the Infoblox DDI platform has become the industry standard for cohesive network visibility, high availability, scalability, automation and control. DNS is our DNA. It’s the heart of all we do, which is why we are actively engaged in DNS Flag Day. As a part of the DNS community, Infoblox continues its mission to make DNS less complex, more secure and more reliable. Join the world’s largest enterprises in trusting Infoblox to support and improve DNS operability for security and reliability.

What Is DNS Flag Day?

DNS Flag Day is a community-driven initiative led by both proprietary and open source Domain Name System (DNS) vendors, operators and service providers and supported by the DNS Operations, Analysis, and Research Center (DNS-OARC). Its goal is to make DNS protocol more secure, reliable and resilient and to improve performance and operability by removing workarounds for DNS deficiencies. Since the DNS protocol is the foundation of the Internet, a coordinated group effort is required to identify, prioritize and resolve issues. The first-ever DNS Flag Day was held on February 1, 2019.

GOALS AND BENEFITS

DNS Flag Day 2020

Challenge

The Internet Protocol (IP) layer fragments large UDP-based DNS messages on networks that cannot transmit large packets. This fragmentation causes potential reliability and security risks.

Goal

Starting on DNS Flag Day 2020, which falls on October 1, 2020, the DNS community will begin reducing the size of UDP-based DNS messages to avoid fragmentation.

Solution

Reducing the size of UDP-based DNS messages may cause some DNS servers to send truncated responses over UDP, which in turn makes the receiving DNS servers retry those queries over TCP, even though some DNS servers or operators do not support TCP. Two basic configuration updates are therefore required: 1) set the EDNS buffer size so that a message fits in the largest IP packet the network can carry without fragmentation (e.g., 1232 bytes); and 2) if the message is larger than this limit, switch to DNS over TCP. NIOS 8.5.1 supports both by exposing two settings and changing their defaults: 1) the maximum size of a UDP datagram a recursive DNS server advertises it can accept; and 2) the maximum size of a UDP datagram an authoritative DNS server will send.

Benefits

This change enables Infoblox customers to avoid DNS message fragmentation and improve DNS reliability and Internet security.

DNS Flag Day 2019

Challenge

DNS resolvers carry workarounds that accommodate ad hoc, non-compliant implementations, making DNS name resolution unnecessarily slow and inefficient, resolvers harder to upgrade, and new security measures and protocol features impossible to deploy.

Goal

The goal of DNS Flag Day 2019 was to remove workarounds in DNS resolvers meant to accommodate authoritative DNS servers that incorrectly responded to queries using the Extension Mechanisms for DNS (EDNS0) specifications.

Solution

The DNS community removed from its resolver software the workarounds that accommodated broken EDNS0 implementations in authoritative name servers and in non-compliant network devices (firewalls, deep packet inspection appliances and load balancers) that prevented EDNS0 from working correctly. It also standardized on the Extension Mechanisms for DNS (EDNS0) to enable new functionality.

Benefits

This change resulted in faster average name resolution for Internet users, standardized DNS server implementations by vendors and operators across the globe and enabled organizations to launch new features and security measures and streamline upgrades.

More About Large IP Packet Fragmentation and DNS Flag Day 2020

The focus of DNS Flag Day 2020 is to tackle the reliability and security challenges of IP fragmentation. On the surface, fragmentation may not seem directly related to DNS. However, DNS commonly uses large packets to transfer messages between an authoritative DNS server and a recursive DNS server over UDP. When a packet exceeds the Maximum Transmission Unit (MTU) anywhere along the path between the two endpoints, the IP packet is fragmented, that is, split into smaller packets.

Many, including the Internet Engineering Task Force (IETF), believe that IP fragmentation often fails and makes communication unreliable. Complicating matters is IPv6, where intermediate routers do not fragment: the sender must fragment the packet itself, and it only learns that it needs to from an ICMPv6 message that a misconfigured firewall easily blocks.

IP fragmentation also poses DNS security risks because the DNS UDP port and query ID are carried only in the first IP fragment. An attacker who can spoof the second fragment can therefore poison the cache by substituting a malicious fragment for the one originally intended. This vulnerability presents a potentially extensive security risk with far-reaching impact.

DNS Flag Day 2020 addresses these reliability and security risks with a simple two-step update. The first step reduces the default maximum EDNS buffer size to 1232 bytes, a value that fits within the smallest packet every IPv6 link must carry, so that IP fragmentation stops altogether. The second step sends any DNS response that does not fit into such a UDP packet over TCP instead.

Infoblox is committed to DNS and supporting DNS Flag Day. To anticipate these changes, Infoblox NIOS 8.5.1 exposed two settings: 1) the maximum size of a UDP datagram that a recursive DNS server says it can accept; and 2) the maximum amount of data that an authoritative DNS server will put into a UDP-based DNS message. Infoblox has also changed the defaults for these two settings to values that should prevent fragmentation over most networks. These new defaults ensure that when the change is implemented later this Fall, Infoblox customers will be ready for the new standard.
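As an added example (not Infoblox or NIOS code) of the two-step update described in the Solution and the paragraphs above, the following Python builds a DNS query whose EDNS0 OPT record advertises a 1232-byte buffer and parses a reply to decide whether the TC bit means the query must be retried over TCP. The reply is a constructed sample, and the 1232 = 1280 - 40 - 8 derivation is the standard one, not taken from this page.

```python
import struct

# DNS Flag Day 2020 value: IPv6 minimum MTU (1280) minus IPv6 (40) and UDP (8) headers (assumed constant).
FLAG_DAY_BUFSIZE = 1280 - 40 - 8  # 1232

def build_query(name: str, qid: int, bufsize: int = FLAG_DAY_BUFSIZE) -> bytes:
    """Build a UDP DNS A-record query whose EDNS0 OPT RR advertises `bufsize`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS field = UDP payload size, TTL = ext flags
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln

def inspect_response(msg: bytes) -> dict:
    """Report the TC bit, the peer's advertised EDNS buffer size and whether to retry over TCP."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    truncated = bool(flags & 0x0200)
    off = 12
    for _ in range(qd):                       # skip the question section
        off = skip_name(msg, off) + 4
    bufsize = None
    for _ in range(an + ns + ar):             # walk resource records looking for OPT
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            bufsize = rclass
    return {"id": qid, "truncated": truncated, "edns_bufsize": bufsize,
            "retry_over_tcp": truncated,      # TC=1 means the UDP reply was cut: resend over TCP
            "bufsize_flag_day_ok": bufsize is not None and bufsize <= FLAG_DAY_BUFSIZE}

def constructed_truncated_response(query: bytes) -> bytes:
    """Constructed sample reply: echoes the question with TC=1, no answers, OPT advertising 4096."""
    qid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", qid, 0x8380, 1, 0, 0, 1)  # QR, TC, RD, RA set
    return header + query[12:qend] + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
```

Running `inspect_response(constructed_truncated_response(build_query("example.com", 0x1234)))` reports the truncation, flags the 4096-byte advertisement as above the Flag Day value, and tells the caller to retry over TCP.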

Infoblox Prepares You for DNS Flag Day 2020

To comply with Flag Day 2020 requirements, Infoblox NIOS 8.5.1 has you covered by exposing two settings and changing their defaults. These actions limit the size of UDP-based DNS messages sent by an authoritative DNS server and advertised by a recursive DNS server. If you typically process large packets on your authoritative server, and do not yet have NIOS 8.5.1, you may wish to upgrade before DNS Flag Day 2020.

If you are not an Infoblox customer but would like more information, you can contact our account team, or try DDI by selecting the link below.

Infoblox NIOS

Industry-leading core network services for your most demanding requirements

Infoblox NIOS 8.5/8.5.1 elevates integration, reliability, security and performance for critical DNS, DHCP and IP address management services. The newest chapter in the evolution of NIOS, 8.5/8.5.1 lets organizations deploy robust, secure and cost-effective DDI services to networks of any size for the indefinite future.
