DNS Flag Day 2020: DNS servers must support both UDP and TCP queries
An industry group of the world’s biggest DNS service providers has agreed on a plan to improve the state of the DNS ecosystem by forcing certain configuration changes upon the smaller server operators that are affecting the speed and performance of the entire internet.
According to this group, starting with February 1, 2020, DNS servers that can’t handle DNS queries over both UDP and TCP may be pushed out of the DNS ecosystem and stop working.
The idea is to get DNS server operators to update their server software and configurations and ensure their servers can handle DNS queries received as either UDP or TCP packets.
DNS Flag Day 2019 — first edition
This concerted industry push is part of a new event called DNS Flag Day, which had its first edition this year, on February 1, 2019.
During this first DNS Flag Day, participants pledged to roll out support for the Extensions to DNS (EDNS) protocol on their DNS servers and lock out any communications with servers that did not run DNS resolvers that were also EDNS compliant.
The event was deemed a success, according to the Internet Systems Consortium (ISC) and other DNS Flag Day 2019 participants, with several major service providers updating their infrastructure, resulting in more companies running DNS resolvers that were both faster and couldn’t be abused as part of DDoS attacks.
DNS Flag Day 2020
Now, the same industry group has met again and agreed on a new DNS Flag Day program for next year, and they’ve decided on pushing the entire ecosystem towards enabling support for DNS over TCP.
Today, as dictated by internet standards, all DNS servers support receiving and answering DNS queries via UDP, but not all support DNS queries via TCP.
A 2017 statistic showed that only 3% of all DNS queries were sent via TCP, with the rest handled via the less secure UDP protocol.
A big hurdle in adopting DNS over TCP is that not all DNS service providers support this feature, which leads many software makers to avoid using it by default, as doing so could break their applications.
“Analysis of 34 million domains out of 59 TLDs makes it evident that the requirement to use TCP leads to problems for approximately 7% of domains,” Qrator Labs, a provider of DDoS mitigation services, said in a blog post on Monday.
Until now, the common method of dealing with DNS service providers or domain registrars that don’t support DNS over TCP queries has been to implement workarounds that translate the DNS over TCP query into a standard UDP query.
Unfortunately, DNS providers who deploy these workarounds suffer slowdowns, and so do the users who are making these DNS over TCP queries.
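The requirement the article describes (a server must answer the same question over UDP and over TCP) can be checked directly, and the check also shows why TCP matters: a UDP answer that does not fit sets the TC (truncation) bit, and a resolver must then retry over TCP. The script below is an added example written for this page, not code from the DNS Flag Day group or from Qrator Labs. It builds a minimal RFC 1035 query by hand, frames it for each transport (over TCP every message carries a two-byte length prefix), parses the response header, and classifies the server. The server address and query name are supplied by the user; the sample responses in the comments are constructed bytes, not captured traffic.

```python
"""Check that a DNS server answers a query over both UDP and TCP (added example)."""
import socket
import struct
import sys
from typing import Optional

DNS_PORT = 53
QUERY_ID = 0x1234  # fixed transaction id, fine for a one-off diagnostic


def build_query(qname: str, qtype: int = 1, txid: int = QUERY_ID) -> bytes:
    """Build a standard query (QR=0, RD=1) for qname/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(message: bytes) -> bytes:
    """RFC 1035 section 4.2.2: over TCP each message is prefixed by its 16-bit length."""
    return struct.pack("!H", len(message)) + message


def unframe_tcp(data: bytes) -> bytes:
    """Strip and validate the two-byte TCP length prefix."""
    if len(data) < 2:
        raise ValueError("no length prefix")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("truncated TCP message")
    return data[2:2 + length]


def parse_header(message: bytes) -> dict:
    """Decode the 12-byte header; 'truncated' is the TC bit (0x0200) in the flags."""
    if len(message) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (TCP delivers no message boundaries)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server: str, qname: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send the query in one UDP datagram; None means no answer within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, DNS_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data


def query_tcp(server: str, qname: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send the same query over TCP; None if the server refuses, resets or times out."""
    try:
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(frame_tcp(build_query(qname)))
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return _recv_exact(s, length)
    except (OSError, ValueError):
        return None


def assess(udp_response: Optional[bytes], tcp_response: Optional[bytes]) -> str:
    """Classify a server from its raw UDP and TCP responses (either may be None)."""
    udp = parse_header(udp_response) if udp_response else None
    tcp = parse_header(tcp_response) if tcp_response else None
    if udp is None and tcp is None:
        return "unreachable"
    if tcp is None:
        return "udp_only"          # the case DNS Flag Day 2020 targets
    if udp is None:
        return "tcp_only"
    if udp["truncated"] and not tcp["truncated"]:
        return "udp_truncated_tcp_ok"  # UDP answer did not fit; TCP retry succeeded
    return "ok"


if __name__ == "__main__":
    # usage: python check_dns_tcp.py <server-ip> <name>
    server, name = sys.argv[1], sys.argv[2]
    print(assess(query_udp(server, name), query_tcp(server, name)))
```

The classification only looks at the header, which is enough for this purpose: a server that simply never answers on port 53/TCP (or closes the connection without a length-prefixed reply) shows up as `udp_only`, which is the configuration the article says upstream providers will stop working around.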
The same ol’, same ol’ providers
Qrator Labs said that the vast majority of these problems with handling domain queries via TCP are localized to Chinese domain registrars, with 72% of the total 7% DNS over TCP breakage coming from just three Chinese companies.
Furthermore, most of these problems were also found on the networks of the same entities that had problems with EDNS-compatible resolvers during DNS Flag Day 2019, showing that most of the DNS ecosystem is being dragged down by the same group of companies that can’t be bothered to update or properly configure their servers.
“Flag Day organizers have reached a consensus that thousands of ISPs and DNS operators which make up the DNS community should no longer pay for workarounds to benefit a couple dozen companies that are not updating their servers,” Qrator Labs said.
The main plan is to stop deploying workarounds that rewrite DNS over TCP queries starting February 1, 2020. DNS servers that have not updated their configurations by then will most likely see their DNS queries go unanswered by upstream providers/servers.
More DNS Flag Days to come
With DNS Flag Day 2019 being a resounding success, this industry group now plans to hold a similar push every year and slowly force companies to move away from old software or bad configurations.
Members of the DNS Flag Day group include the ISC, Cloudflare, Facebook, Google, Cisco, Quad9, CZ.NIC, NLnet Labs, CleanBrowsing, and PowerDNS.
A video of the meeting where DNS Flag Day 2020 was decided is available here. More details and guidance on how operators can configure servers for DNS over TCP will be published on the DNS Flag Day website in the coming months.