01 Feb

DNS Flag Day And Legacy Nameservers

Customers may be aware that we have been performing upgrades on our Authoritative resolver clusters, as well as our recursor clusters.  This is primarily due to DNS Flag Day, which is occurring today, 1st February 2019.

 

What is DNS Flag Day?

The software vendors behind the largest DNS platforms (BIND, PowerDNS, Unbound and Google) got together in the middle of last year and decided that they would no longer implement workarounds in their software for DNS servers which do not support the ‘EDNS’ extensions to the DNS framework.  The date they picked for this is 1st February 2019.  Unfortunately, they didn’t put much effort into advertising this date, so a lot of companies around the world have only found out about this in the last couple of weeks.

 

Why did they decide to do this?

Well, to answer that, we need to understand how a DNS lookup works, which we have simplified for you below:

Say your computer is set to use 8.8.8.8 as its DNS resolver and you want to visit www.serversaustralia.com.au.  (We’ll pretend for a few minutes that our DNS servers don’t support EDNS.  They do, so don’t worry!). 

  • Your computer queries 8.8.8.8 (Google) for a record for www.serversaustralia.com.au.
  • Google queries the .au root servers to get the nameservers for serversaustralia.com.au, and gets back a response saying dns1.servercontrol.com.au.
  • Google sends a query packet for www.serversaustralia.com.au to dns1.servercontrol.com.au with the EDNS flag set.
  • dns1.servercontrol.com.au, not supporting EDNS, sees it as a malformed query and ignores it.
  • Google gets sick of waiting for the response after a few seconds and retries the same query packet without the EDNS flag set.
  • dns1.servercontrol.com.au sees this as a fine query, and sends back the response with the IP address for www.serversaustralia.com.au.
  • Google receives this response, decides dns1.servercontrol.com.au doesn’t support EDNS, and adds it to an internal list of servers it should not use EDNS with.

At this point, Google’s DNS server has wasted multiple seconds of CPU time, and probably 1 KB of RAM to save the entry into its lookup table.  Multiply that by millions of queries an hour, and a million DNS servers, and you now understand why the large public resolver companies had enough!

EDNS has been a defined part of DNS since 1999 – but hasn’t been widely supported because DNS ‘seems’ to work without it.  EDNS’s primary function was to support larger responses – by default, a DNS reply cannot be larger than 512 bytes.  If a response is to be larger than that, the querying server must make a second request via TCP instead of UDP, which again takes more time.  With EDNS support, packets up to 4096 bytes are supported immediately.
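The query and the check from the steps above, as an added example (not Servers Australia's code): on the wire the "EDNS flag" is an OPT pseudo-record (type 41, RFC 6891) in the additional section, whose class field carries the advertised UDP size. The function names, verdict strings and sample replies are this example's own; the replies are constructed with the placeholder name www.example.com and address 192.0.2.1.

```python
import socket
import struct

OPT = 41  # RR type of the EDNS OPT pseudo-record (RFC 6891)
def opt_rr(size=4096):  # root name, TYPE=OPT, CLASS=UDP payload size, TTL, RDLEN
    return b"\x00" + struct.pack("!HHIH", OPT, size, 0, 0)

def build_query(name, edns=True, qid=0x1234):  # A query, RD set, optional OPT
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    head = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    body = qname + b"\x00" + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    return head + body + (opt_rr() if edns else b"")

def skip_name(msg, pos):  # offset just past a (possibly compressed) name
    while msg[pos] & 0xC0 != 0xC0:
        if msg[pos] == 0:
            return pos + 1
        pos += 1 + msg[pos]
    return pos + 2  # a compression pointer is two bytes and ends the name

def classify(reply):  # raw reply bytes, or None when nothing arrived in time
    if reply is None:
        return ("timeout", None)  # the silent drop described in the steps
    _, flags, qd, an, ns, ar = struct.unpack("!6H", reply[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(reply, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(reply, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        if rtype == OPT:
            return ("edns-ok", rclass)  # OPT class field = server's UDP size
        pos += 10 + rdlen
    return ("formerr" if flags & 0xF == 1 else "no-opt-in-reply", None)

def probe(server, name, timeout=2.0):  # one live EDNS query over UDP port 53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return classify(s.recvfrom(4096)[0])
        except socket.timeout:
            return classify(None)

# Constructed sample replies (not captured traffic): one A answer, without/with OPT.
_BODY = build_query("www.example.com", edns=False)[12:] + b"\xc0\x0c" + \
    struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
REPLY_PLAIN = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + _BODY
REPLY_EDNS = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1) + _BODY + opt_rr()
```

Calling probe() against a nameserver you operate, with a name it is authoritative for, returns "edns-ok" with the server's advertised size when EDNS is handled; "timeout" is the case the resolvers are no longer working around.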

 

What will happen if my domain is on a server which does not support EDNS after flag day?

Well, that depends on how the DNS server which hosts your domain handles requests with EDNS, and how the specific resolver being used to look up your domain handles that response.  As we understand it, some resolvers are just doing away with that lookup table, so it will mean all requests to an EDNS-incapable server will have that 2-second delay on lookups.  Other resolvers are just completely removing the workarounds, so your domain would become unresolvable.

 

How is this going to affect me, as a Servers Australia customer?

Well, that’s the important question, isn’t it?

There is a simple answer and a complicated answer. 

The simple answer is: If all of your services were purchased directly from Servers Australia – i.e. you were not a customer of any of the companies we have acquired over the years (Dedicated Servers, Syncom, Indigo, Woosaw, Axelera, RackCentral, OzServers), then this is not going to affect you.  Both of our Authoritative hosting clusters and our resolver cluster are fully up to date.

If you were a customer of one of the brands we purchased, then you may need to check the resolver IPs you are using.

Servers Australia’s official resolver IP addresses are as follows:

Sydney

221.121.130.3
221.121.134.9

Brisbane

221.121.134.9
221.121.130.3

Melbourne

221.121.130.3
221.121.134.9

Perth

221.121.133.9
221.121.130.3

If you are using legacy brand resolvers, we will be in touch over the coming weeks to ask you to change. However, if you are running a local nameserver of your own (BIND, PowerDNS, etc.), and using one of the legacy resolvers as a forwarder, you will face the same issue as above, where you will be unable to make queries due to these resolvers not supporting EDNS.

The full list of legacy resolvers is:

Dedicated Servers

118.127.6.6
118.127.6.7

Indigo

114.141.193.250
114.141.200.250

Woosaw

103.2.196.2
103.2.199.2

OzServers

223.252.100.115
223.252.100.116
202.125.32.4
202.125.32.5

Axelera

116.0.16.185
116.0.23.23
203.17.36.1

Indigo customers do need to redelegate their domains from the Indigo cluster (ns1/2/3.indigo.com.au) to our portal DNS cluster (ns1/2.servercontrol.com.au) – the customers affected have been emailed with the list of domains needing redelegation.

Written by Servers Australia