[SingCERT] Alert on DNS Flag Day

Published on Friday, 01 February 2019 11:30

Background

Domain Name System (DNS) infrastructure operators and Internet service providers are taking part in the first DNS Flag Day [1] on 1 February 2019. This is a global initiative to promote the use of Extension Mechanism Protocol for DNS (EDNS) [2] where participants, software and service providers such as Google and Cloudflare, are going to remove non-standard DNS workarounds.


Affected

Authoritative nameservers that bypass and do not support the EDNS protocol and those with proprietary implementations of the DNS protocol, e.g. legacy load balancing appliances.


Impact

Internet users might experience slowness or inaccessibility issues when interacting with domains whose authoritative nameservers are affected, such as accessing websites or sending emails.


Recommendations

Internet users who experience an issue when accessing a particular website are advised to reach out to the site owner via telephone. Network Administrators are advised to check your domain with the ISC EDNS Compliance Tester at https://ednscomp.isc.org/ednscomp

A domain result edns=timeout indicates that your domain is not EDNS compliant and may experience issues after the Flag Day. For more details, please refer to https://dnsflagday.net


References

[1] https://www.cisecurity.org/ms-isac/cyber-alert-dns-flag-day/
[2] https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS
[3] https://support.umbrella.com/hc/en-us/articles/360022604411-Umbrella-support-for-DNS-Flag-Day
[4] https://groups.google.com/forum/m/#!msg/public-dns-announce/-qaRKDV9InA/CsX-2fJpBAAJ