DNS Flag Day: What is it and will your website survive the domain doomsday?
The domain name system (DNS) first rose to fame during the early, innocent days of the internet, when trust and standardization were assumed and security was nothing more than an afterthought. Since the pool of users was so small and the internet was scarcely used, the importance of DNS as a core service was widely misunderstood and, as a result, the system was left somewhat underdeveloped and, more importantly, unprotected.
Fast-forward to today and you can see the result of this initial naivete: an explosion of widespread complexity – DNS is now described by no less than 185 RFCs – and cyber criminals launching disruptive distributed denial of service (DDoS) attacks aimed at the DNS.
With malicious actors finding innovative ways to take down the DNS and the landscape growing more problematic, the stakes are high, but the outcome remains simple: no functioning DNS, no website.
Which is how February 1, 2019 became known as DNS Flag Day.
Past and present
There are many gifted, dedicated individuals who make it their job to ensure that DNS works for everyone, allowing the protocol to run smoothly.
Over the years, DNS has grown in sophistication and many workarounds have been put in place to guarantee that the protocol can continue to function as part of a rapidly growing internet. However, encouraging server operators, application developers and network infrastructure vendors to update can be a slow process.
As a vital piece of the wider internet puzzle, a combination of protocol and product evolution has pushed and pulled DNS in various directions. While requirements from operators can complicate DNS, implementers usually have to push back on such changes because they fear the associated risks.
In these cases, rather than supporting aging and non-compliant implementations, the workarounds wind up allowing legacy behaviors that drag down DNS performance for everyone. DNS Flag Day was created to solve these problems for vendors of DNS software, as well as large public DNS providers, by removing some of these problematic workarounds.
Flying the DNS Flag
After years of attempting to cover for broken implementations and protocol violations – resulting in delayed response times, high complexity and difficulty upgrading to new features – DNS Flag Day will put an end to the mass of accumulated workarounds.
This change – which will affect sites that operate non-standard publishing software – means software from DNS vendors will interpret domain timeouts as a sign of a network or server problem. Beginning in just three months’ time, this effectively means that all DNS servers which do not respond to Extension Mechanisms for DNS (EDNS) queries are going to be treated as dead.
Put simply, as of February 1st, some organizations could be left with a non-functioning domain. In many other cases, affected domains will be unable to support the latest security features and will become an easier target for network attackers.
DIY Domain Testing
As the old security saying goes, you’re only as strong as your weakest link. But what if you could improve your overall posture by eliminating the weak links altogether?
The first thing organizations need to do is to directly test their current domain, as well as their DNS servers. This can be done using the EDNS compliance tester, which provides businesses with a detailed technical report summarizing a failed, partially failed or successful test. Failures in these tests are caused by broken DNS software or broken firewall configuration, which can be remediated by upgrading DNS software to the latest stable version and re-testing. If the tests still fail, organizations will need to look further into their firewall configuration.
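A minimal version of that check, as an added example (not the article's code and not the compliance tester's own logic): it sends the same SOA query to a name server with and without an EDNS0 OPT record (RFC 6891) and reports a simplified pass/partial/fail verdict. The server address, zone name and verdict wording are assumptions.

```python
import socket, struct
OPT_TYPE = 41   # EDNS0 OPT pseudo-RR type (RFC 6891)

def build_query(name: str, qtype: int = 6, edns: bool = True, txid: int = 0x1234) -> bytes:
    """Wire-format SOA query; edns=True appends an OPT record advertising a 4096-byte UDP size."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set; ARCOUNT
    opt = struct.pack("!BHHBBHH", 0, OPT_TYPE, 4096, 0, 0, 0, 0) if edns else b""
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(data: bytes, off: int) -> int:   # step past a possibly compressed name (RFC 1035 4.1.4)
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:            # two-byte pointer terminates the name
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(data: bytes) -> dict:
    """Return rcode, answer count and whether the server echoed an OPT record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, has_opt = 12, False
    for _ in range(qd):
        off = _skip_name(data, off) + 4         # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        has_opt, off = has_opt or rtype == OPT_TYPE, off + 10 + rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": an, "has_opt": has_opt}

def classify(plain, edns) -> str:
    """Simplified three-way verdict modelled on the tester's report, not its exact rules."""
    if plain is None:
        return "fail: no answer to a plain query (server or firewall problem)"
    if edns is None:
        return "fail: EDNS query timed out; Flag Day resolvers treat this server as dead"
    r = parse_response(edns)
    if r["rcode"] == 0 and r["has_opt"]:
        return "pass"
    return f"partial: EDNS answered but not compliant (rcode={r['rcode']}, opt={r['has_opt']})"

def send_udp(server_ip: str, packet: bytes, timeout: float = 3.0):
    """One UDP exchange on port 53; None on timeout, the failure mode Flag Day targets."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None
```

To probe one of your authoritative servers, run `classify(send_udp(ip, build_query(zone, edns=False)), send_udp(ip, build_query(zone)))` against each server listed in the zone's NS records.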
As well as carrying out the initial testing, businesses also need to use the next three months to get their domain ducks in a row. For organizations with multiple domains that are clustered on a single network and share a name server with many others, there is an increased chance that you will end up feeling the knock-on effect of someone else’s attack. For those using a third-party DNS provider, most attacks on the network won’t be aimed at you, but a domain sharing your provider puts you at greater risk.
The weakest link
With a fresh wave of potentially weak domains spanning the internet, there is even greater opportunity for cyber criminals to exploit the vast number of vulnerable DNS servers through numerous types of DDoS attacks.
DNS amplification is just one of these: attackers send a flood of small look-up queries whose source address is spoofed to the target's IP, so that open DNS servers direct their much larger responses at the target. Those responses quickly overwhelm the target's capacity, with the goal of blocking legitimate DNS queries and exhausting an organization’s network.
Another common type of attack is the DNS flood, directed at the DNS servers hosting specific websites. These try to drain server-side resources (for instance, memory or CPU) with a barrage of UDP requests, generated by running scripts on compromised botnet machines.
We can also expect to see more Layer 7 (application layer) attacks, including those targeting DNS services with HTTP and HTTPS requests. These attacks are often designed to target applications in a way that mimics actual requests, which can make them particularly difficult to detect.
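One way to spot the amplification pattern described above from the server side, as an added example that is not part of the article: the log format, the addresses and the thresholds are constructed for illustration, not taken from any real product.

```python
from collections import defaultdict

# Constructed sample of an authoritative server's query log (not a real product's format).
# Fields: time, client_ip, qname, qtype, query_bytes, response_bytes.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 example.com. ANY 64 3260
10:00:01 203.0.113.7 example.com. ANY 64 3260
10:00:01 203.0.113.7 example.com. ANY 64 3260
10:00:02 203.0.113.7 example.com. ANY 64 3260
10:00:02 198.51.100.9 www.example.com. A 61 77
10:00:03 198.51.100.9 mail.example.com. MX 63 120
10:00:03 192.0.2.44 example.com. TXT 62 980
"""

def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, client, qname, qtype, qbytes, rbytes = line.split()
        rows.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype,
                     "q_bytes": int(qbytes), "r_bytes": int(rbytes)})
    return rows

def amplification_report(rows: list, min_queries: int = 3, min_ratio: float = 10.0) -> dict:
    """Per-client ratio of response bytes to query bytes. In a reflection attack the logged
    client is the spoofed victim, so one address repeatedly drawing large answers is the
    signal to rate-limit or alert on; a single large TXT answer on its own is not."""
    agg = defaultdict(lambda: {"queries": 0, "q_bytes": 0, "r_bytes": 0, "any": 0})
    for row in rows:
        a = agg[row["client"]]
        a["queries"] += 1
        a["q_bytes"] += row["q_bytes"]
        a["r_bytes"] += row["r_bytes"]
        a["any"] += row["qtype"] == "ANY"
    report = {}
    for client, a in agg.items():
        ratio = a["r_bytes"] / a["q_bytes"]
        report[client] = {"queries": a["queries"], "ratio": round(ratio, 1), "any_queries": a["any"],
                          "suspicious": a["queries"] >= min_queries and ratio >= min_ratio}
    return report

def suspicious_clients(text: str = SAMPLE_LOG) -> list:
    """Addresses to rate-limit (response rate limiting) or investigate as reflection targets."""
    return sorted(c for c, r in amplification_report(parse_log(text)).items() if r["suspicious"])
```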
What’s to come?
Recognizing that cyber-attacks aren’t going away any time soon, organizations are now spending a significant amount of time, money and resources on security. Today’s malicious online actors are able to focus on the results that they want and, in many cases, use the DNS to get there. Combined with misplaced priorities and the assumption that a variety of problems can be treated with just one or two types of technology, this has left the threat landscape wide open.
While there is still a lot of work to be done when it comes to DNS, Flag Day is certainly a step in the right direction. It’s time businesses not only understood the critical role that DNS plays in the wider internet infrastructure, but also got more aggressive with their approach to security. The Domain Name System should be the first step towards complete protection, acting as an initial line of defense for any communication attempting to enter or leave the network.