DNS Flag Day 2019
Summary
February 1, 2019 is DNS Flag Day: all major Domain Name System (DNS, IETF RFC1035) providers will be updating their products and services to address known techniques to bypass the Extension Mechanisms Protocol for DNS (EDNS).
Affected platforms
The following platforms are known to be affected:
Threat details
EDNS (IETF RFC2671 and RFC6891) is a specification for expanding several of the parameters used by the DNS protocol in order to improve its performance. EDNS is used in several other DNS protocol extensions, including DNS Security Extensions (DNSSEC).
Whilst these updates are intended to improve the overall operations of the DNS service, there may be temporary disruptions to regular operations. In addition, domains served by DNS servers operating outdated software may become incompatible or unavailable.
For further information:
Remediation steps
| Type | Step |
|---|---|
| | Users and administrators are encouraged to ensure they are EDNS-compliant using the tool available on the DNS Flag Day site and contact their relevant providers to take any necessary remediation action. Please note that both nhs.net and nhs.uk have been confirmed to be EDNS-compliant. Additionally, they should ensure their firewall and intrusion protection solutions are fully updated and EDNS-compliant. |
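
As an added illustration (not part of the original advisory and not the DNS Flag Day tool), the Python below builds a query carrying an EDNS version 0 OPT record as defined in RFC6891 and reports whether a reply carries one back. The function names, the name example.test, the 4096-byte payload size and the two sample replies are constructed assumptions.

```python
import struct

OPT = 41  # RR type of the EDNS OPT pseudo-record (RFC 6891)

def build_edns_query(name, qtype=1, udp_size=4096, txid=0x1234):
    """DNS query for `name` (A by default) with an EDNS version 0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=0 (version 0), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def edns_status(msg):
    """Parse a DNS response; report its RCODE and the OPT record, if any."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, result = 12, {"rcode": flags & 0xF, "edns": False}
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:  # OPT reuses CLASS for payload size, TTL bits 16-23 for version
            result.update(edns=True, version=(ttl >> 16) & 0xFF, udp_size=rclass)
    return result

# Constructed sample replies (not captured traffic): same question, QR bit set.
_q = build_edns_query("example.test")
REPLY_WITH_OPT = _q[:2] + b"\x81\x80" + _q[4:]
REPLY_NO_OPT = _q[:2] + b"\x81\x80" + _q[4:10] + b"\x00\x00" + _q[12:-11]

if __name__ == "__main__":
    print(edns_status(REPLY_WITH_OPT))
    print(edns_status(REPLY_NO_OPT))
```

To check a server you operate, send the bytes from `build_edns_query` to it over UDP port 53 and pass the reply to `edns_status`.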
Last edited: 14 February 2020 2:44 pm