DNS Flag Day This Past Friday: What You Need to Know About Your Domain

Reading Time: 7 minutes

We’re a few days late getting to this, but we’ve chosen to make DNS Flag Day our topic this week because its ramifications will be of ongoing significance for pretty much anyone with an interest in digital marketing and the World Wide Web as a whole. Most of those people will be familiar with DNS and what the abbreviation stands for, but for anyone who isn’t, DNS is the Domain Name System.

DNS has been an integral part of the information superhighway’s infrastructure for nearly as long as the Internet itself has existed. So what’s its significance? Well, in the Internet’s early days there wasn’t a perceived need for the levels of security that we know are very much required today. There was much more in the way of trust and less in the way of pressing concerns. Not many people were using it, and as such the importance of DNS as a core service didn’t receive much focus and wasn’t developed with much urgency.

Any Canadian web hosting provider will be on the front lines of any developments regarding web security measures, and here at 4GoodHosting we’re no exception. Offering customers the best in products and services that make their website less vulnerable is always going to be a priority. Creating informed customers is something we believe in too, and that’s why we’re choosing to get you in the know regarding DNS Flag Day.

What Exactly is this ‘Flag Day’?

The long and short of it is that this past Friday, February 1, 2019, was the official DNS Flag Day. So, for the last 3 days, some organisations may have had a non-functioning domain. Not many of them, most likely, but many more will find that their domains are now unable to support the latest security features, making them an easier target for network attackers.

How and why? Well, a little background is needed. These days DNS has widespread complexity, which is ever more necessary because cyber criminals are launching ever more complex and disruptive distributed denial of service (DDoS) attacks aimed at a domain’s DNS. They’ve been having more success, and when they do the equation is simple: no functioning DNS = no website.

Developers have done their part to counter these threats quite admirably, most notably with the many workarounds put in place to guarantee that DNS can continue to function as part of a rapidly growing internet.

The situation over recent years is one where a combination of protocol and product evolution has pushed and pulled DNS in all sorts of different directions. This naturally means complications, and technology implementers typically have to weigh this ever-growing number of changes against the associated risks.

Cutting to the chase again, the workarounds have ended up preserving legacy behaviours and slowing down DNS performance for everyone.

To address these problems, as of last Friday, vendors of DNS software (as well as large public DNS providers) have removed certain DNS workarounds that many people have been consciously or unconsciously relying on to protect their domains.

Flag’s Up

The reason this move had to be made is that broken implementations and protocol violations have resulted in delayed response times, far too much complexity, and difficulty in upgrading to new features. DNS Flag Day has now put an end to mass support for many of these workarounds.

The change will affect sites whose DNS software doesn’t follow published standards. For starters, query timeouts will now be treated as a sign of a network or server problem rather than something to be worked around. Moving forward, DNS servers that do not respond to Extension Mechanisms for DNS (EDNS) queries will be regarded as inactive servers, and the domains they serve won’t resolve for users’ browsers.

Test Your Domain

If you’re the type to be proactive about these things, here’s what you can do. You can test your domain and your DNS servers with the EDNS compliance tester. You’ll receive a detailed technical report indicating whether your test failed, partially failed, or succeeded.

Failures in these tests are caused by broken DNS software or a broken firewall configuration. These can be remediated by upgrading the DNS software to the latest stable version and re-testing. If the tests still fail, organisations will need to look further into their firewall configuration.
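To make concrete what the compliance tester is checking, here is an added example (written for this article, not code from the original post or from the DNS Flag Day project) that builds an EDNS(0) query, parses a reply, and applies the post-Flag-Day rule: a server that simply doesn’t answer an EDNS query is treated as dead, while one that answers with an OPT record is compliant. Only the Python standard library is used; the replies fed to `classify` below are constructed locally by `build_response`, and `probe_udp` is a hypothetical helper that would send the same query to a real server.

```python
"""Added example: EDNS(0) query construction, reply parsing and the
Flag Day classification (no reply to an EDNS query = server treated as dead).
Sample replies are constructed offline; nothing here is from the article."""
import socket
import struct

OPT_TYPE = 41          # RFC 6891 OPT pseudo-RR type
DO_FLAG = 0x8000       # DNSSEC OK bit, lower 16 bits of the OPT "TTL"
RCODE_FORMERR = 1


def encode_name(qname: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels plus root terminator."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                     udp_size: int = 1232, dnssec_ok: bool = False) -> bytes:
    """Recursion-desired query with one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    ttl = DO_FLAG if dnssec_ok else 0              # ext-rcode 0, version 0, flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return header + question + opt


def _skip_name(data: bytes, off: int) -> int:
    """Offset just past a name, honouring compression pointers (0xC0xx)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                  # a pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Pull rcode and EDNS details out of a reply; the extended rcode lives in OPT."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    info = {"id": txid, "rcode": flags & 0xF, "has_opt": False,
            "udp_size": None, "do": False, "answers": an}
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4            # skip qtype + qclass
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["has_opt"] = True
            info["udp_size"] = rclass              # CLASS carries the UDP payload size
            info["do"] = bool(ttl & DO_FLAG)
            info["rcode"] |= ((ttl >> 24) & 0xFF) << 4
    return info


def classify(resp):
    """Flag Day rule applied to a parsed reply; None means the query timed out."""
    if resp is None:
        return "dead"            # no more fallback to a non-EDNS retry: treated as down
    if resp["has_opt"]:
        return "edns-compliant"
    if resp["rcode"] == RCODE_FORMERR:
        return "legacy-formerr"  # still answers, so not dead, but should be upgraded
    return "plain-dns"


def build_response(query: bytes, with_opt: bool, rcode: int = 0) -> bytes:
    """Constructed reply to `query` for offline testing (not real server output)."""
    txid = struct.unpack_from("!H", query, 0)[0]
    q_end = _skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 1 if with_opt else 0)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0) if with_opt else b""
    return header + query[12:q_end] + opt


def probe_udp(server_ip: str, qname: str, timeout: float = 2.0):
    """Hypothetical live check: one EDNS query over UDP/53, None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(qname), (server_ip, 53))
        try:
            return parse_response(s.recv(4096))
        except socket.timeout:
            return None


if __name__ == "__main__":
    q = build_edns_query("example.com")
    print("with OPT       ->", classify(parse_response(build_response(q, True))))
    print("FORMERR, no OPT ->", classify(parse_response(build_response(q, False, RCODE_FORMERR))))
    print("timeout         ->", classify(None))
```

The `dead` verdict is the one that matters after Flag Day: resolvers used to retry a timed-out EDNS query without the OPT record, so a firewall that silently dropped EDNS packets went unnoticed, and that retry is what has been removed. A `legacy-formerr` verdict still resolves, but it is the signature of software old enough to be worth upgrading before the next round of changes.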

In addition to the initial testing, it’s recommended that businesses that rely on their online presence (which really is every one of them these days) use the next three months to make sure their domain meets what’s now required of it. Organizations with multiple domains clustered on a single network in a shared server arrangement may well find there is an increased chance of being caught up in a DDoS attack on another domain sitting near to theirs.

Also, if you’re using a third-party DNS provider, most attacks on the network won’t be aimed at you, but you’re still at risk because you’re on shared hosting. VPS hosting does eliminate this risk, and VPS web hosting Canada is already a better choice for sites that need a little more ‘elbow room’ when it comes to bandwidth and such. If VPS is something that interests you, 4GoodHosting has some of the best prices on VPS hosting packages and we’ll be happy to set you up. Just ask!

DNS Amplification and DNS Flood Risks

We’re now going to see more weak domains across the internet than ever before, which gives cyber criminals even more opportunity to exploit vulnerable DNS servers through any number of different DDoS attacks.

DNS amplification is one of them. Attackers send small look-up queries to DNS servers with the source address faked to be the IP of the target, so the servers direct their much larger responses at the target. The target is then overloaded with more DNS responses than it is able to handle. The result is that legitimate DNS queries are blocked and the organization’s network is hopelessly backed up.

Another is the DNS flood, in which waves of traffic are aimed at the DNS servers hosting specific websites. They consume server-side assets like memory or CPU with a barrage of UDP requests generated by scripts running on compromised botnet machines.

Layer 7 (application layer) attacks will almost certainly be on the rise now too, including those targeting DNS services with HTTP and HTTPS requests. These attacks are built to target applications with requests that look legitimate, which can make them particularly difficult to detect.
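The two UDP patterns above leave different fingerprints in a name server’s own query log, and that difference is what a defender looks for. The following added example (written for this article, not from the original post) runs a small detector over a constructed log: amplification shows up as many oversized replies going to one address (which, because the source was spoofed, is the victim rather than the attacker), while a flood shows up as sheer query rate with ordinary-sized replies. The log format, the client addresses and the thresholds are all constructed for the example.

```python
"""Added example: detect amplification-reflection and flood patterns in a
constructed DNS query log. Record format (invented for this example):
ts,src_ip,qname,qtype,query_bytes,response_bytes"""
import csv
import io
from collections import defaultdict
from statistics import mean


def build_sample_log() -> str:
    """Constructed log with one reflection pattern, one flood and one normal client."""
    rows = []
    # 30 identical ANY queries whose replies are 80x the query size. In a real
    # reflection attack 203.0.113.7 is the spoofed victim, not the attacker.
    for i in range(30):
        rows.append(f"{100 + i * 0.1:.2f},203.0.113.7,example.com,ANY,40,3200")
    # 80 random-subdomain queries in four seconds with tiny NXDOMAIN replies: a flood.
    for i in range(80):
        rows.append(f"{200 + i * 0.05:.2f},198.51.100.9,r{i}.example.com,A,48,48")
    # A normal resolver asking a handful of questions.
    for i in range(5):
        rows.append(f"{300 + i * 2.0:.2f},192.0.2.10,www.example.com,A,45,90")
    return "\n".join(rows) + "\n"


def parse_records(text: str) -> list:
    """Parse the constructed CSV format into typed dicts."""
    fields = ["ts", "src", "qname", "qtype", "query_bytes", "response_bytes"]
    records = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        records.append({"ts": float(row["ts"]), "src": row["src"],
                        "qname": row["qname"], "qtype": row["qtype"],
                        "query_bytes": int(row["query_bytes"]),
                        "response_bytes": int(row["response_bytes"])})
    return records


def amplification_factor(rec: dict) -> float:
    """Bytes sent back per byte received; the figure a reflection attack exploits."""
    return rec["response_bytes"] / rec["query_bytes"]


def peak_rate(timestamps: list, window_s: float) -> int:
    """Largest number of queries falling inside any sliding window of window_s seconds."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse(records, window_s=10.0, rate_threshold=50, amp_ratio=10.0, amp_min_queries=20):
    """Label each client address: 'amplification' when many large replies go to it
    (so it is probably a spoofed victim), 'flood' when query rate alone is the
    problem, or nothing. Thresholds are illustrative, not tuned production values."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    findings = {}
    for src, recs in by_src.items():
        ratio = mean(amplification_factor(r) for r in recs)
        rate = peak_rate([r["ts"] for r in recs], window_s)
        if len(recs) >= amp_min_queries and ratio >= amp_ratio:
            findings[src] = "amplification"
        elif rate >= rate_threshold:
            findings[src] = "flood"
    return findings


if __name__ == "__main__":
    for src, verdict in analyse(parse_records(build_sample_log())).items():
        print(f"{src:15} {verdict}")
```

The distinction matters for the response: blocking the address flagged as `amplification` punishes the victim, so the usual mitigation for reflection is response rate limiting on the server (the RRL feature in the major authoritative servers) and refusing to act as an open resolver, whereas a `flood` source is a real botnet member and can be rate-limited or dropped at the edge.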

What’s Next

Cyber-attacks will continue, and continue to evolve. Organizations will continue to spend time, money and resources on security. As regards DNS, it’s now possible to corrupt and take advantage of what was once a fail-safe part of web security. The measures taken on DNS Flag Day have been put in place to address this problem, and it’s important that you know your domain matches the new requirements. Again, use the link above to test yours.

There’s going to be a bit of a rough patch for some, but this is a positive step in the right direction. DNS is an essential part of the wider internet infrastructure. Entering or leaving a network is going to be less of a simple process now, but it’s the way it has to be.
