DNS Flag Day 2020: DNS servers must support both UDP and TCP queries



An industry group of the world’s biggest DNS service providers has agreed on a plan to improve the state of the DNS ecosystem by forcing configuration changes upon the smaller server operators whose misconfigured servers are slowing down the entire internet.

According to this group, starting with February 1, 2020, DNS servers that can’t handle DNS queries over both UDP and TCP may be pushed out of the DNS ecosystem and stop working.

The idea is to get DNS server operators to update their server software and configurations and ensure their servers can handle DNS queries received as either UDP or TCP packets.

DNS Flag Day 2019 — first edition

This concerted industry push is part of a new event called DNS Flag Day, which had its first edition this year, on February 1, 2019.

During this first DNS Flag Day, participants pledged to roll out support for the Extensions to DNS (EDNS) protocol on their DNS servers and lock out any communications with servers that did not run DNS resolvers that were also EDNS compliant.

The event was deemed a success, according to the Internet Systems Consortium (ISC) and other DNS Flag Day 2019 participants, with several major service providers updating their infrastructure, resulting in more companies running DNS resolvers that were faster and could not be abused as part of DDoS attacks.

DNS Flag Day 2020

Now, the same industry group has met again and agreed on a new DNS Flag Day program for next year, and they’ve decided on pushing the entire ecosystem towards enabling support for DNS over TCP.

Today, as dictated by internet standards, all DNS servers support receiving and answering DNS queries via UDP, but not all support DNS queries via TCP.

A 2017 statistic showed that only 3% of all DNS queries were sent via TCP, with the rest being handled via the less secure UDP protocol.

A big hurdle in adopting DNS over TCP is that not all DNS service providers support this feature, which leads many software makers to avoid using it by default, as doing so could break their applications.

“Analysis of 34 million domains out of 59 TLDs makes it evident that the requirement to use TCP leads to problems for approximately 7% of domains,” Qrator Labs, a provider of DDoS mitigation services, said in a blog post on Monday.

Until now, the common method of dealing with DNS service providers or domain registrars that don’t support DNS over TCP queries has been to implement workarounds that resend the same DNS over TCP query as a standard UDP query.

Unfortunately, DNS providers who deploy these workarounds suffer slowdowns, and so do the users who are making these DNS over TCP queries.

The same ol’, same ol’ providers

Qrator Labs said that the vast majority of these problems with handling domain queries via TCP are localized to Chinese domain registrars, with 72% of that 7% of broken domains served by just three Chinese companies.

[Figure: DNS over TCP problems. Image: Qrator Labs]

Furthermore, most of these problems were also found on the networks of the same entities that had problems with EDNS-compatible resolvers during DNS Flag Day 2019, showing that most of the DNS ecosystem is being dragged down by the same group of companies that can’t be bothered to update or properly configure their servers.

“Flag Day organizers have reached a consensus that thousands of ISPs and DNS operators which make up the DNS community should no longer pay for workarounds to benefit a couple dozen companies that are not updating their servers,” Qrator Labs said.

The main plan is to stop deploying workarounds that rewrite DNS over TCP queries starting with February 1, 2020. DNS servers whose configurations have not been updated by then will most likely see queries go unanswered by upstream providers and resolvers.
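The practical question for an operator reading the two passages above (the UDP-to-TCP workarounds and the February 1, 2020 cut-off) is whether their own server answers the same query over both transports. The following script is an added example, not code from the article, Qrator Labs or the DNS Flag Day group: it hand-encodes an RFC 1035 query, sends it over UDP and over TCP (TCP frames each message with a 2-byte length prefix), and reports per transport whether a matching, non-error answer came back. The server address and query name are assumed placeholders supplied on the command line; a server that passes the UDP probe but fails the TCP probe is exactly the case the workarounds used to paper over.

```python
"""Added example: probe whether a DNS server answers the same query over UDP
and over TCP. Message encoding/decoding is hand-rolled (RFC 1035 sections 4.1
and 4.2.2) so it can be exercised offline; only check_server() touches the
network."""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a standard query for qname with only the RD (recursion desired) flag set."""
    # Header: ID, flags, QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def frame_tcp(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with its big-endian 2-byte length."""
    return struct.pack("!H", len(message)) + message


def parse_header(message: bytes) -> dict:
    """Decode the 12-byte header; TC=1 on a UDP answer means 'retry over TCP'."""
    if len(message) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # 1 = this is a response
        "tc": bool(flags & 0x0200),  # truncated: UDP answer did not fit
        "rcode": flags & 0x000F,     # 0 = NOERROR, 3 = NXDOMAIN, ...
        "qdcount": qdcount,
        "ancount": ancount,
    }


def _recv_exactly(sock: socket.socket, n: int) -> bytes:
    """TCP is a byte stream: recv() may return fewer bytes than asked, so loop."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def query_udp(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def query_tcp(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", _recv_exactly(s, 2))
        return _recv_exactly(s, length)


def classify(query: bytes, response: bytes) -> str:
    """Summarise one transport's answer; a non-response or a wrong ID is a failure."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "FAIL (not a matching response)"
    if r["rcode"] != 0:
        return "FAIL (rcode=%d)" % r["rcode"]
    return "truncated" if r["tc"] else "ok"


def check_server(server: str, qname: str) -> dict:
    """Run the same query over both transports and report each result."""
    query = build_query(qname)
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[transport] = classify(query, fn(server, query))
        except (OSError, ValueError) as exc:  # timeout, refused, short/garbled reply
            results[transport] = "FAIL (%s)" % exc.__class__.__name__
    return results


if __name__ == "__main__":
    import sys
    # Placeholder defaults; pass your own server IP and a name it is authoritative for.
    srv, name = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("127.0.0.1", "example.com.")
    print(check_server(srv, name))
```

A result of `{'udp': 'ok', 'tcp': 'FAIL (ConnectionRefusedError)'}` or `'FAIL (timeout)'` on the TCP side means port 53/TCP is closed or filtered, which is what to fix (server configuration and any firewall in front of it) before the cut-off. A `truncated` UDP answer is normal for large responses and is precisely why resolvers need the TCP path to work.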

More DNS Flag Days to come

With DNS Flag Day 2019 being a resounding success, this industry group now plans to hold a similar push every year and slowly force companies to move away from old software or bad configurations.

Members of the DNS Flag Day group include the ISC, Cloudflare, Facebook, Google, Cisco, Quad9, CZ.NIC, NLnet Labs, CleanBrowsing, and PowerDNS.

A video of the meeting where DNS Flag Day 2020 was decided is available here. More details and guidance on how operators can configure servers for DNS over TCP will be published on the DNS Flag Day website in the coming months.
