This week there are two pieces of news in the DNS world which remind us that DNS is not simply “it just works” technology that can be forgotten about. Like many things, DNS requires a little ongoing care and attention!
First is the US-CERT DNS Infrastructure Hijacking Campaign bulletin. It warns of an organized campaign to use compromised credentials to modify DNS records and direct user traffic to hijacker-controlled sites. Beyond just redirecting traffic, the hijack exposes encryption certificates for the affected domains, which can be used to decrypt user-submitted data.
What should you do? Follow the recommendations in the CERT bulletin, including updating DNS admin passwords, implementing MFA, and auditing DNS records and certificates.
Second, this Friday is DNS Flag Day. This is the day by which leading DNS software vendors and DNS service providers have pledged to remove workarounds which accommodate DNS servers that don’t fully implement the long-standardized Extension Mechanisms for DNS (EDNS). EDNS was originally introduced in 1999 and updated in 2013, yet even today there are servers that don’t properly support it. This has forced leading DNS server implementations to incorporate workarounds, which over time have increasingly degraded DNS response times. More importantly, it has limited the ability to use EDNS to deploy new DNS protocol features that improve Internet performance and security.
So what can you do? Test your DNS servers and upgrade if required. A good starting point would be to reference the DNS Flag Day website and the ISC’s DNS Flag Day blog post. Ensure that your firewall configurations will not drop DNS packets with EDNS extensions. Actively monitor your DNS performance, and when investigating new issues keep EDNS compatibility in mind as a potential prime suspect.
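As an added example, not code from the original post or from the DNS Flag Day project, here is a minimal Python probe that sends a query carrying an EDNS0 OPT record and checks whether the responder echoes an OPT record back. A server that answers FORMERR or drops the OPT record is the kind of non-compliant responder the workarounds have been accommodating; the full DNS Flag Day test suite checks more cases than this. The server address and the two sample responses below are constructed placeholders.

```python
import random
import socket
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)

def build_edns_query(name, qtype=1, udp_size=1232):
    """Build a standard DNS query for `name` with an EDNS0 OPT RR appended."""
    txid = random.randint(0, 0xFFFF)
    # flags 0x0100 = recursion desired; 1 question, 0 answers, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt, txid

def _skip_name(msg, off):
    """Advance past a wire-format name, handling 0xC0 compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def edns_status(resp, txid):
    """Report the RCODE and whether an OPT RR (with its UDP size) came back in the response."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # name, then QTYPE + QCLASS
    opt_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            opt_size = rclass  # for OPT, CLASS carries the responder's UDP payload size
    return {"rcode": flags & 0xF, "edns": opt_size is not None, "udp_size": opt_size}

def probe(server, name, timeout=3.0):
    """Send the EDNS query over UDP to `server` and classify its reply (network call)."""
    query, txid = build_edns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return edns_status(data, txid)

# Constructed sample replies (txid 0x1234, example.com A?) for offline checking:
SAMPLE_EDNS_OK = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01"
                  b"\x07example\x03com\x00\x00\x01\x00\x01"            # question
                  b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01"  # A 192.0.2.1
                  b"\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00")      # OPT, UDP size 4096
SAMPLE_NO_EDNS = (b"\x12\x34\x81\x81\x00\x01\x00\x00\x00\x00\x00\x00"   # FORMERR, no OPT echoed
                  b"\x07example\x03com\x00\x00\x01\x00\x01")
```

Run `probe("192.0.2.53", "example.com")` against your own resolver or authoritative server (address is a placeholder); `{"edns": False}` or a non-zero rcode on a plain EDNS query means it needs attention before the workarounds disappear.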
In addition, give some thought to what you do to provide ongoing “care and attention” to your DNS infrastructure.
And wave a flag on DNS Flag Day. Every technology core to the Internet should have a day dedicated to it!