topic DNS is changing? in General Topics

DNS is changing?

raji_toor — Mon, 21 Jan 2019 15:48:24 GMT

Anybody has hear about it and are PA firewalls effected by it. It seems they are making some changes to its functioning. Does PA application supports the said change?

https://dnsflagday.net

______________________________
What is happening?
The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019.
This change affects only sites which operate software which is not following published standards. Are you affected?
______________________________

Re: DNS is changing?

OtakarKlier — Tue, 22 Jan 2019 16:58:07 GMT

Hello,

I think as long as you point to a reputable DNS provider, you should be OK. If you run your own, then this might affect you. A good free DNS service that also provides some DNS protection is opendns.com. I dont work for them but love what they are doing on a DNS level.

Hope that helps.

Re: DNS is changing?

Brandon_Wertz — Tue, 22 Jan 2019 17:23:16 GMT

@raji_toor wrote:

Anybody has hear about it and are PA firewalls effected by it. It seems they are making some changes to its functioning. Does PA application supports the said change?

https://dnsflagday.net

______________________________
What is happening?
The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019.
This change affects only sites which operate software which is not following published standards. Are you affected?
______________________________

Your post doesn't really refer to anything for us to go off of. Some Googleing I found this:

https://www.reddit.com/r/sysadmin/comments/agqdkf/dns_flag_day_on_february_1_2019_check_your_domains/

I'm not really sure how this will have any effect on Palo Alto as a product. This seems to have more to do with how DNS administrators configure their enviornment.

Re: DNS is changing?

MikeMeredith — Tue, 29 Jan 2019 10:14:48 GMT

In short, DNS flag day is about dropping support for communicating with broken "DNS servers" that don't support EDNS (one feature of which is support for DNS within UDP packets of size > 512 bytes) - there are currently work-arounds in place that slow down DNS. As support for EDNS has been around for years, it's time the work-arounds were dropped.

As an indication of how old this stuff is, I recall testing that EDNS support worked when I rolled out a Cisco FWSM back in 2004/5.

You might run into trouble if you're running authorititative DNS servers :-

a) On really ancient DNS software (Microsoft DNS has been mentioned although I suspect they're talking about NT4 era)

b) Behind a broken firewall that assumes that DNS packets > 512 bytes is in error. For anything released in the last 5 years this would probably mean a deliberate configuration choice.

I'm running some of my authorititative DNS servers behind PA firewalls and have tested them for complience a couple of days ago - no issues.