On February 1, 2019, your site may stop working

    Cisco is one of the largest DNS providers in the world, providing a secure DNS service based on Cisco Umbrella (formerly OpenDNS), but today's post is not about that, and not even about security. On February 1 the so-called DNS Flag Day arrives, after which your website may become inaccessible to users on the Internet.

    From the 1st of February the NKTSK FSB website will be unavailable

    What is this about? The DNS protocol was developed in the early 1980s. A lot of water has flowed under the bridge since then, and new functions and features have been added to the protocol. This work began in 1999, when the first version of the extensions, named EDNS0 (Extension Mechanisms for DNS), was published as RFC 2671. This version lifted some restrictions, for example on the size of some flag fields, return codes, and so on. The current version of EDNS is described in RFC 6891. Meanwhile, DNS servers that did not and still do not support EDNS continued to exist on the Internet. This creates interoperability problems and a need for backward compatibility, which in turn slows down the entire DNS system and makes it impossible to take full advantage of all the new EDNS features.

    But this bacchanalia is coming to an end: from February 1, servers that do not comply with the EDNS standard will become unavailable, and it will be impossible to reach them. Changes will be made to the most popular DNS software (BIND, Knot Resolver, PowerDNS and Unbound), which will accept only EDNS-compliant traffic. Traffic from old, non-upgraded servers will be treated as illegitimate and these servers will not be served, which may make the domains hosted on them inaccessible.

    For most companies, DNS Flag Day will go unnoticed, as many DNS providers have already updated or are updating their software to the required versions. Difficulties may arise for companies that maintain their own DNS servers, as well as for the many government agencies that are slow to update the software in their infrastructure because they lack either funds or qualified specialists. As a result, from February 1, the sites of many agencies may become unavailable or face access problems.

    Roskomnadzor website

    Checking whether your site will be reachable in February 2019 is quite simple: go to dnsflagday.net, enter your domain name and look at the result, which can take several different values. Ideally, you should see a picture similar to the one shown below for the cisco.ru site:


    If you see a picture similar to the one returned, for example, for the Digital Economy ANO site, the site will keep working, but it does not support the latest DNS standard, will not be able to fully implement the necessary security features, and may become a target for hackers who might (you never know) attack this site.


    The first two pictures in this note, with the red traffic signs, are the worst result you can see. In that case it is better to update the software that runs your DNS quickly. On dnsflagday.net you can find all the necessary instructions and links for updating your software. There are also links to various utilities for administrators that let you scan your DNS infrastructure for weak spots.

    In conclusion, I cannot help but touch on security issues. Some firewalls can block DNS packets longer than 512 bytes (that is, with EDNS extensions), which can lead to DoS attacks (for example, the firewall can block DNS cookies, which are part of EDNS and are intended to protect against DoS attacks) and to slower Internet access. It is therefore worth reviewing your firewall rules: such rules used to be quite common, and many people have simply forgotten when and why they were added to their network perimeter security tools.
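
    The check described above can be reproduced at the packet level. The following is an added example, not code from the original post or from dnsflagday.net: it builds a query carrying an EDNS OPT record (RFC 6891) and classifies a raw reply, including the over-512-byte case that a firewall must let through. The sample replies, the 1232-byte buffer size and the result strings are assumptions made for the illustration.

```python
import struct

OPT = 41  # TYPE code of the EDNS OPT pseudo-record (RFC 6891)

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_edns_query(name, udp_size=1232, txid=0x1234):
    """Query for `name` with an empty OPT record; udp_size is an assumed sample value."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)    # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT: root owner name, CLASS carries our UDP buffer size, TTL carries
    # extended RCODE / EDNS version / flags, RDLENGTH=0 (no options).
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify(reply):
    """Classify a raw reply (bytes), or None for a timeout, to an EDNS query."""
    if reply is None:
        return "no answer: EDNS query dropped (broken server or firewall)"
    _, flags, qd, an, ns, ar = struct.unpack("!6H", reply[:12])
    off, has_opt = 12, False
    for _ in range(qd):           # skip the question section
        off = skip_name(reply, off) + 4
    for _ in range(an + ns + ar): # walk every resource record, looking for OPT
        off = skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        has_opt |= rtype == OPT
        off += 10 + rdlen
    if has_opt:
        note = " (over 512 bytes: must pass the firewall)" if len(reply) > 512 else ""
        return "EDNS supported" + note
    if flags & 0xF == 1:          # RCODE FORMERR
        return "no EDNS, but answers FORMERR as RFC 6891 requires"
    return "no EDNS: OPT record ignored in reply"

# Constructed sample replies (not captured traffic).
QUERY = build_edns_query("example.com")
REPLY_EDNS = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 1) + QUERY[12:]
REPLY_FORMERR = struct.pack("!6H", 0x1234, 0x8181, 1, 0, 0, 0) + QUERY[12:-11]
```

    To test a real server, send the output of build_edns_query over UDP port 53 and pass the received bytes, or None on timeout, to classify.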

    There are less than two weeks left before DNS Flag Day, which is still enough time to start complying with the standard and avoid losing the loyalty of customers and citizens who, faced with the inaccessibility or slowness of your site, will begin to express themselves unflatteringly about it on social networks.

    Of course, it is not worth talking about a global apocalypse. Moreover, for many this day, as I wrote above, will pass completely unnoticed. But many providers will change their DNS settings on this day, which may affect the availability of some sites. This is a risk worth knowing about and being prepared for.
