by reaper, 01-31-2019 04:44 AM - edited 02-28-2019 04:30 AM
DNS Flag Day, Are You Ready? Learn how DNS providers will disable workarounds for legacy systems and how DNS operations get more efficient against DDoS attacks.
DNS providers will disable workarounds for legacy systems that do not follow current standards. DNS operations will become more efficient as DNS operators do more to protect against DDoS attacks. However, domains hosted on non-compliant servers may become unavailable.
DNS service providers have agreed to coordinate the removal of support for DNS systems that do not comply with the EDNS standard on February 1st 2019, and have named this event "DNS Flag Day."
DNS providers worldwide will collectively disable the workarounds that accommodate legacy systems not following present-day standards (EDNS was introduced in 1999). The downside is that domains hosted on non-compliant servers may become unavailable.
The upside is that overall DNS operations will become slightly more efficient and DNS operators will be able to deploy new functionality, including mechanisms to protect against DDoS attacks.
DNS clients will not be affected by this change, but DNS server operators, anyone who runs a resolver, cache or forwarder, and anyone who operates a Layer 7 firewall may need to take some steps to ensure they are compliant and ready for the 'switch.'
What are the consequences for your Palo Alto Networks firewall?
Do I need to add a new application to my policy?
"EDNS" will be identified by App-ID as 'dns', as it is an extension to normal DNS rather than a new protocol. This means you won't need to change any of your policies, and reports and logs will still look the same.
What about EDNS response packets that are larger than 512 bytes?
App-ID will also accommodate EDNS extensions and will not drop packets larger than 512 bytes.
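To see what "EDNS compliance" and the 512-byte limit above mean on the wire, here is an added Python example (not Palo Alto Networks or ISC code) that builds the kind of EDNS0 query a resolver sends and checks whether a reply carries the OPT record that signals EDNS support and a UDP payload size beyond 512 bytes; the reply it checks is constructed in the script so it runs offline, and the UDP sizes used are assumed values.

```python
# Added example, not Palo Alto Networks or ISC code: build an EDNS0 query and inspect
# a reply for the OPT record. Runs offline against a constructed reply; send the query over UDP to probe your own servers.
import struct
OPT_TYPE = 41    # RFC 6891 OPT pseudo-RR
UDP_SIZE = 1232  # UDP payload size we advertise (constructed value; anything > 512 requires EDNS)
def encode_name(name: str) -> bytes:
    # Wire-format name: length-prefixed labels terminated by a zero byte
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_edns_query(name: str, qtype: int = 6, txid: int = 0x1234) -> bytes:
    """SOA query (qtype 6), RD=0, with one OPT RR in the additional section."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # QCLASS=IN
    # OPT: root name, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, UDP_SIZE, 0, 0)
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    while True:  # advance past a name, honouring compression pointers (RFC 1035 4.1.4)
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2           # a pointer is two bytes and ends the name
        if n == 0:
            return off + 1           # root label ends the name
        off += n + 1                 # length byte plus the label itself

def check_edns_reply(msg: bytes) -> dict:
    # Report rcode, whether an OPT RR came back and the UDP size the peer advertises
    _txid, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    result = {"rcode": flags & 0x000F, "edns": False, "udp_size": None}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:            # in OPT the CLASS field is the UDP payload size
            result.update(edns=True, udp_size=rclass)
    return result

def constructed_reply(query: bytes, udp_size: int = 4096) -> bytes:
    # Constructed NOERROR reply: echoed question, one A answer (name via pointer to offset 12), an OPT RR
    txid = struct.unpack_from(">H", query, 0)[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 1)   # QR and AA set
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + query[12:qend] + answer + opt
```

A legacy server that ignores EDNS answers the same query with no OPT record at all, so `check_edns_reply` reports `edns: False`; that is the behaviour the disabled workarounds used to paper over.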