DNS Flag Day is here and with it comes new changes that could impact your domain’s availability. What do you need to know and how can you quickly identify its impacts on you and your users? Read on for our quick guide to what it’s all about and how to avoid disruption to your digital services.
What is DNS Flag Day?
DNS Flag Day (February 1, 2019) is the date on which the major open-source resolver vendors (ISC, CZ.NIC, PowerDNS and NLnet Labs) and prominent public recursive DNS operators, including Google, Cloudflare, Cisco and Quad9, jointly agreed to remove long-standing workarounds for authoritative DNS servers that mishandle EDNS. Until now, a resolver whose EDNS query went unanswered would silently retry without EDNS (and with a smaller payload size); after Flag Day it no longer does. Authoritative servers must therefore behave as the standards require: either implement EDNS (RFC 2671, now superseded by RFC 6891) and answer an EDNS query with an OPT record, or, if they speak only the original DNS protocol (RFC 1035), answer it with an error such as FORMERR rather than dropping it. Silence is the one behaviour that is no longer tolerated.
How will this impact you?
The major public recursive resolvers are not the only ones dropping the workarounds: the same behaviour ships in the current releases of BIND, Knot Resolver, PowerDNS Recursor and Unbound, so every operator who upgrades will follow suit. So, as of today, February 1, 2019, you should have taken steps to ensure your authoritative DNS servers are compliant. If you haven’t (or your managed DNS provider hasn’t), any resolver that has dropped the workarounds will treat your nameservers as unreachable, and the users behind those resolvers will get timeouts or SERVFAIL instead of your records.
What should you do?
First and foremost, you need to ensure that every one of your authoritative nameservers, including any run by a managed DNS provider, responds correctly to EDNS queries. Update your DNS server software to the current stable release, then test each server rather than trusting the version number: ISC publishes an EDNS compliance tester (ednscomp) that sends the plain DNS and EDNS probes the resolvers now insist on and reports any timeout. You’ll also need to check your firewall and any DNS-inspecting middlebox or load balancer in front of the servers: they must pass UDP queries that carry an EDNS OPT record, UDP responses larger than the classic 512-byte limit, and TCP port 53 for truncated answers. A compliant server behind a filter that drops OPT records looks exactly like a non-compliant server to the outside world.
Monitoring Your Nameservers for DNS Flag Day and Beyond
To ensure your nameservers won’t be impacted by the changes brought on with DNS Flag Day, you should monitor the availability of your domain through the recursive resolvers that are participating in the change. You only need to test a single zone hosted on each of your authoritative servers, since EDNS handling is a property of the server software and the network path, not of the zone. If you use more than one DNS provider, test each provider’s servers separately to confirm that all of them are queryable by recursive resolvers.
You can quickly set up these tests using ThousandEyes, as shown below:
Testing with Queries to Your Nameservers Through Popular Recursive Resolvers
Testing the availability of your domain through common recursive resolvers will enable you to verify that your nameservers are compliant with DNS standards and there are no issues with your firewall configurations. Figure 1 below shows a ThousandEyes test from multiple locations around the globe recursively querying example.com through four public recursive resolvers (Cloudflare, Google, Cisco, and Quad9).
The domain example.com is fully available through these resolvers and will likely be unaffected on DNS Flag Day, as the nameservers that host the example.com zone’s records are compliant with EDNS standards.
Independent of DNS Flag Day, it’s critical that you monitor your nameservers to ensure that they are available and recursive resolvers are getting DNS responses within acceptable time ranges.
Testing Availability of Your Authoritative Nameservers
To verify that your nameservers are continuously up and running and performing within acceptable thresholds, you can set up a ThousandEyes test to iteratively query your authoritative servers directly.
This test ensures that your nameservers are globally available (or at a minimum are reachable from the markets that you care about) and that they are answering queries well under 100 ms.
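The following is an added example, not code from ThousandEyes or from ISC’s tester, that implements the two checks described on this page at the wire level: the EDNS compliance check of your authoritative servers (the non-recursive, RD=0 query carrying an RFC 6891 OPT record that a resolver sends) and the monitoring of a zone through public resolvers and directly against your nameservers, with a round-trip budget. The public resolver addresses are the well-known anycast addresses of the four operators named above; 192.0.2.53 is a documentation address standing in for your own nameserver; and the sample responses produced by constructed_response() are built in code, not captured from any real server. It probes over UDP only and checks only the minimal "does it answer an EDNS0 query" condition; ISC’s ednscomp runs a broader set of probes.

```python
"""Wire-level DNS probe for the Flag Day checks (added example, not ThousandEyes/ISC code).
build_query() mimics either a resolver talking to an authoritative server (RD=0 + EDNS0 OPT)
or a client asking a public resolver (RD=1); classify() turns the outcome into a verdict;
probe() does a timed live exchange. Addresses and sample responses are constructed."""
import socket
import struct
import time
from typing import Optional, Tuple

OPT_TYPE = 41                       # EDNS0 OPT pseudo-RR type (RFC 6891)
RCODE_FORMERR, RCODE_NOTIMP = 1, 4
PUBLIC_RESOLVERS = {"Cloudflare": "1.1.1.1", "Google": "8.8.8.8",
                    "Cisco OpenDNS": "208.67.222.222", "Quad9": "9.9.9.9"}


def encode_name(name: str) -> bytes:
    """Uncompressed RFC 1035 label encoding: one length byte per label, root label last."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 6, qid: int = 0x1234, recursive: bool = False,
                edns: bool = True, udp_payload: int = 1232) -> bytes:
    """qtype 6 = SOA. recursive=False is what a resolver sends your authoritative server."""
    flags = 0x0100 if recursive else 0                     # RD bit
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns:  # OPT: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Step over a name; a compression pointer (top two bits set) ends it in two bytes."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def _skip_rr(msg: bytes, off: int) -> Tuple[int, int]:
    """Return (TYPE, offset just past this resource record)."""
    off = _skip_name(msg, off)
    rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
    return rtype, off + 10 + rdlen


def classify(resp: Optional[bytes], expected_id: int = 0x1234) -> str:
    """Silence is the only outcome Flag Day makes fatal; any answer, even FORMERR, keeps you resolvable."""
    if resp is None:
        return "FAIL: timeout on EDNS query (resolvers no longer retry without EDNS)"
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", resp, 0)
    if qid != expected_id:
        return "FAIL: response ID mismatch"
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4                    # + QTYPE, QCLASS
    has_opt = False
    for i in range(an + ns + ar):
        rtype, off = _skip_rr(resp, off)
        has_opt |= (i >= an + ns and rtype == OPT_TYPE)    # OPT belongs in the additional section
    if has_opt:
        return "OK: EDNS0 response (OPT present), rcode=%d" % rcode
    if rcode in (RCODE_FORMERR, RCODE_NOTIMP):
        return "OK (legacy): FORMERR/NOTIMP, no EDNS but the server answered"
    return "OK (legacy): answered without OPT, rcode=%d" % rcode


def probe(server: str, qname: str, recursive: bool = False,
          timeout: float = 3.0, budget_ms: float = 100.0) -> Tuple[str, Optional[float]]:
    """Live UDP/53 exchange: returns (verdict, round-trip ms or None); slow answers are flagged too."""
    query = build_query(qname, recursive=recursive)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return classify(None), None
    rtt = (time.monotonic() - start) * 1000
    verdict = classify(data)
    if rtt > budget_ms and verdict.startswith("OK"):
        verdict = "SLOW: %.0f ms exceeds the %.0f ms budget" % (rtt, budget_ms)
    return verdict, rtt


def constructed_response(rcode: int, with_opt: bool, qid: int = 0x1234) -> bytes:
    """Constructed sample (not a capture): SOA answer for example.com using 0xC00C name pointers."""
    question = encode_name("example.com") + struct.pack("!HH", 6, 1)
    soa = b"\x02ns\xc0\x0c\x0ahostmaster\xc0\x0c" + struct.pack("!IIIII", 2019020101, 7200, 900, 1209600, 300)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(soa)) + soa
    an = 1 if rcode == 0 else 0
    msg = struct.pack("!HHHHHH", qid, 0x8400 | rcode, 1, an, 0, int(with_opt)) + question  # QR=1, AA=1
    msg += answer if an else b""
    return msg + (b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0) if with_opt else b"")


if __name__ == "__main__":
    for sample in (constructed_response(0, True), constructed_response(1, False), None):
        print(classify(sample))
    # Live checks (uncomment; 192.0.2.53 is a documentation address standing in for your nameserver):
    # print(probe("192.0.2.53", "example.com"))                         # authoritative: RD=0 + EDNS0
    # for name, ip in PUBLIC_RESOLVERS.items():
    #     print(name, probe(ip, "example.com", recursive=True))          # your zone through public resolvers
```

Run the live part once per authoritative server and once per public resolver from each region you care about; a FAIL against an authoritative server means the Flag Day resolvers will treat it as down, while a FAIL only through a particular resolver points at that resolver's path or cache rather than your server. A zone whose servers all answer with OPT present is fully EDNS-capable; the "legacy" verdicts survive Flag Day but should still be scheduled for an upgrade.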
Monitoring your DNS servers is key to ensuring that your website or cloud-based application is reachable for all of your users. It also enables you to quickly resolve issues — such as network latency or packet loss — that could impact the availability or performance of your DNS servers.
ThousandEyes can help you stay globally available through DNS Flag Day and beyond. Download our 2018 Global DNS Performance Report and contact us for a complimentary briefing on DNS research findings, along with a custom assessment of your DNS availability and performance.