01-21-2019 07:48 AM
Has anybody heard about it, and are PA firewalls affected by it? It seems they are making some changes to its functioning. Does the PA application support the said change?
https://dnsflagday.net
______________________________ What is happening? The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019. This change affects only sites which operate software which is not following published standards. Are you affected? ______________________________
01-29-2019 02:14 AM
In short, DNS flag day is about dropping support for communicating with broken "DNS servers" that don't support EDNS (one feature of which is support for DNS within UDP packets of size > 512 bytes) - there are currently work-arounds in place that slow down DNS. As support for EDNS has been around for years, it's time the work-arounds were dropped.
As an indication of how old this stuff is, I recall testing that EDNS support worked when I rolled out a Cisco FWSM back in 2004/5.
You might run into trouble if you're running authoritative DNS servers:
a) On really ancient DNS software (Microsoft DNS has been mentioned although I suspect they're talking about NT4 era)
b) Behind a broken firewall that assumes that DNS packets > 512 bytes are in error. For anything released in the last 5 years this would probably mean a deliberate configuration choice.
I'm running some of my authoritative DNS servers behind PA firewalls and have tested them for compliance a couple of days ago - no issues.
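A small EDNS probe in the spirit of the compliance check described in the reply above: it sends a query carrying an EDNS0 OPT record and classifies the reply the way resolvers do after flag day. This is added example code, not from the thread or from Palo Alto Networks; the function names (probe, verdict) are hypothetical, the sample reply is constructed rather than captured, and probe() assumes an authoritative server you operate is reachable on UDP/53.

```python
import socket
import struct

def build_edns_query(name, qtype=1, udp_size=1232):
    """DNS query for `name` with an EDNS0 OPT record (RFC 6891) in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # id, RD flag, qd=1, ar=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)  # root name, TYPE=OPT, CLASS=UDP size
    return header + qname + struct.pack("!HH", qtype, 1) + opt
def _skip_name(msg, off):
    while msg[off] != 0:  # step over labels until the root or a compression pointer
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1
def parse_edns_response(msg):
    """Return the rcode, whether an OPT record is present, and the UDP size it advertises."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    res = {"rcode": flags & 0xF, "opt": False, "udp_size": None}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            res["opt"], res["udp_size"] = True, rclass
    return res
def verdict(res):
    """Classify a reply the way a post-flag-day resolver does: it no longer retries without EDNS."""
    if res is None:
        return "broken: no reply to EDNS query (timeout)"
    if res["opt"]:
        return "ok: EDNS supported"
    return "broken: FORMERR, no OPT" if res["rcode"] == 1 else "legacy: reply without OPT"
def probe(server, name="example.com", timeout=3.0):
    """Send one EDNS query over UDP/53; None on timeout, the classic dropped-by-middlebox symptom."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (server, 53))
        try:
            return parse_edns_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return None

# Constructed sample reply (not captured traffic): example.com A 192.0.2.1 plus an OPT record.
SAMPLE_OK = bytes.fromhex("123481800001000100000001" "076578616d706c6503636f6d0000010001"
                          "c00c000100010000012c0004c0000201" "00002904d0000000000000")
```

Run verdict(probe("<your authoritative server IP>")) against each of your own servers from outside the firewall; a timeout here, while a plain query answers, is the firewall-drops-OPT case from point b) above.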
01-22-2019 08:58 AM
Hello,
I think as long as you point to a reputable DNS provider, you should be OK. If you run your own, then this might affect you. A good free DNS service that also provides some DNS protection is opendns.com. I don't work for them but love what they are doing on a DNS level.
Hope that helps.
01-22-2019 09:23 AM
@raji_toor wrote: Has anybody heard about it, and are PA firewalls affected by it? It seems they are making some changes to its functioning. Does the PA application support the said change?
https://dnsflagday.net
______________________________ What is happening? The current DNS is unnecessarily slow and suffers from inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019. This change affects only sites which operate software which is not following published standards. Are you affected? ______________________________
Your post doesn't really refer to anything for us to go off of. Some Googling later I found this:
I'm not really sure how this will have any effect on Palo Alto as a product. This seems to have more to do with how DNS administrators configure their environment.