DNS DDoS Attack Protections to be Forcefully Enabled for Non-Compliant Sites
Multiple DNS software and service providers will update their DNS resolvers to speed up DNS traffic and fight DDoS attacks by dropping the resolver workarounds that still accommodate numerous non-compliant DNS authoritative servers.
The change will be added by major resolver vendors (i.e., ISC, CZ NIC, NLNET Labs, PowerDNS) to their open source DNS resolvers, an update that will directly affect all authoritative servers that "do not comply either with the original DNS standard from 1987 (RFC1035) or the newer EDNS standards from 1999 (RFC2671 and RFC6891)."
The current DNS is unnecessarily slow and suffers from an inability to deploy new features. To remediate these problems, vendors of DNS software and also big public DNS providers are going to remove certain workarounds on February 1st, 2019. This change affects only sites which operate software that does not follow the published standards.
At the moment, CZ.NIC, Cloudflare, NLnet Labs, CleanBrowsing, ISC, PowerDNS, Facebook, Cisco, Google, and Quad9 are the DNS software and service providers backing this initiative.
As noted above, besides the obvious uptick in speed from lower DNS traffic latency and the easier addition of new DNS protocol features, the most important consequence of these upcoming changes is a newfound capability for DNS providers to fight back against, and weaken, DDoS attacks that abuse the DNS protocol.
These workarounds excessively complicate DNS software and are now also negatively impacting the DNS as a whole. The most obvious problems caused by these workarounds are slower responses to DNS queries and the difficulty of deploying new DNS protocol features. Some of these new features (e.g. DNS Cookies) would help reduce DDoS attacks based on DNS protocol abuse.
Domain holders are advised to check whether their websites are ready for the February 1st change, given that "sites hosted on incompatible authoritative servers may become unreachable through updated resolvers."
The dnsflagday.net website provides a diagnostic tool which domain holders can use to check for DNS issues and receive advice on what steps they have to take to avoid being impacted.
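To make the compliance criterion concrete, the following added example (not the dnsflagday.net tool's own code) builds a query carrying an EDNS0 OPT record, as updated resolvers send it, and classifies a constructed authoritative reply the way a post-Flag-Day resolver would: a timeout is the case that was previously papered over by a retry without EDNS and now leaves the domain unreachable, while FORMERR or a reply without OPT still resolves. The sample answer (192.0.2.1 for example.com) is constructed test data, not captured traffic.

```python
import struct

def _name(name):
    """Encode a dotted name in DNS wire format (RFC 1035 labels)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

# OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size, TTL = ext. RCODE/version/flags, no options
OPT_RR = b"\x00" + struct.pack(">HHIH", 41, 1232, 0, 0)

def build_edns_query(name, qtype=1, txid=0x1234):
    """Query with RD set and one OPT record in the additional section, as modern resolvers send."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (the OPT)
    return header + _name(name) + struct.pack(">HH", qtype, 1) + OPT_RR

def build_sample_response(name, with_opt, rcode=0, txid=0x1234):
    """Constructed authoritative reply (A 192.0.2.1) used as offline test input."""
    ancount = 1 if rcode == 0 else 0
    header = struct.pack(">HHHHHH", txid, 0x8400 | rcode, 1, ancount, 0, 1 if with_opt else 0)  # QR, AA
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # name = pointer to question
    body = _name(name) + struct.pack(">HH", 1, 1) + (answer if ancount else b"")
    return header + body + (OPT_RR if with_opt else b"")

def _skip_name(buf, off):
    """Advance past a wire-format name, honouring compression pointers (RFC 1035 section 4.1.4)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def classify_edns_response(resp):
    """Classify an authoritative reply to an EDNS0 query as a post-Flag-Day resolver would."""
    if resp is None:
        return "timeout"  # no more retry without EDNS: this server's zones become unreachable
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    if flags & 0xF == 1:
        return "formerr"  # RFC 6891 section 7 reply from a non-EDNS server; still resolvable
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        if rtype == 41:
            return "edns-ok"  # OPT echoed back: fully EDNS-compliant server
        off += 10 + rdlen
    return "no-opt"  # pre-EDNS server that ignored the OPT record; still reachable
```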
DNS changes to help reduce DNS-based DDoS attacks
Although neither the ISC nor the DNS Flag Day page directly names which types of DNS-abusing DDoS attacks these resolver changes could reduce, DNS flood and DNS amplification attacks are most probably the main culprits, although cache poisoning and fast flux DNS attacks, among others, may also very well be affected by future changes in DNS resolver software.
In the first case, according to Cloudflare, a domain's DNS servers are flooded with DNS requests to disrupt its DNS resolution services; attackers with access to large-scale IoT botnets usually aim this at major providers in order to disrupt the highest possible number of targets.
DNS amplification attacks, on the other hand, use another weakness in DNS servers which allows attackers to generate huge amounts of traffic with the help of poorly configured open DNS resolvers which are instructed to send their responses to the target of the attack.
Owners of huge botnets can successfully use this type of attack to both remove the targeted machine from the Internet altogether by causing a denial-of-service state and hide their true identity.
The ISC blog post closes with this summary of the goal behind the changes soon to be implemented in DNS resolvers:
"Our goal is a reliable and properly functioning DNS that cannot be easily attacked."