On Wednesday May 5, the Internet Corporation for Assigned Names and Numbers (ICANN) (and other partners) plan to complete the first phase of DNSSEC introduction, by rolling DNSSEC out to all thirteen of the Internet’s root DNS servers. DNSSEC makes some significant changes to the way typical DNS traffic “looks” to networking devices. As a result, some experts worry that certain networks and devices may not handle DNSSEC traffic properly after this change, thus potentially preventing you from accessing the Internet (using domain names). Below, we’ll list a few of the DNSSEC changes that could affect some of your networking gear. However, the main point of this alert is to inform you that WatchGuard’s Firebox and XTM appliances should handle the DNSSEC changes without problem — whether you use our packet filtered or proxied DNS policies.
As you probably know, the Domain Name System (DNS) is an Internet protocol that makes it possible for computers to learn the IP address associated with a human readable name, called a domain name. While DNS works well, over the years experts have realized that the protocol isn’t entirely secure. In fact, in the middle of 2008, a well-known security researcher named Dan Kaminsky warned the world of some underlying flaws in the DNS protocol that could allow attackers to perform DNS cache poisoning attacks. You can learn more about these flaws in this alert, or this Radio Free Security episode. Some of Kaminsky’s flaws were fixable. However, at least one flaw was a core vulnerability in the underlying DNS protocol itself. Kaminsky’s attack illustrated to the world that we simply needed a more secure DNS standard.
DNSSEC is that new standard. Specifically, it is an update to the DNS protocol that adds some new security extensions. In a nutshell, DNSSEC uses public key cryptography to add digital signatures to DNS responses, so your computer can make sure that the DNS response really comes from an authoritative DNS server. Without getting too deep into the technical details, DNSSEC changes the way DNS traffic looks in the following ways:
- DNS responses will come in significantly larger packets, to allow room for digital signatures
- DNS responses may arrive in multiple packets (fragments), which would rarely happen with the small packets used by traditional DNS
- DNS will use TCP packets more often; traditionally, DNS primarily used UDP
- DNS responses will contain the EDNS extension.
If you have any network devices, like routers or firewalls, that parse DNS traffic to look for anomalies, the device may have trouble with these new DNS changes. For instance, the networking device may not like large DNS responses, or it may not allow fragmented IP traffic; it may not even support the EDNS extension. In these cases, the device in question may prevent your DNS clients or DNS server from communicating with ICANN’s root DNS servers, after May 5th. If you use any network devices that parse or filter DNS traffic, we highly recommend you check those devices’ compatibility with DNSSEC.
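As an added illustration (not code from the original alert or from WatchGuard), the Python below builds a DNSSEC-style query carrying the EDNS0 OPT record with the DO bit, and inspects a reply for the traits listed above: size beyond the classic 512-byte UDP limit, the TC (truncated) bit that forces a TCP retry, and the presence of OPT and RRSIG records. The sample reply is constructed, not captured; to test a real device, send the query through it to a resolver and feed the bytes that come back to inspect_response.

```python
import struct

A, OPT, RRSIG, TC_FLAG, DO_FLAG = 1, 41, 46, 0x0200, 0x8000

def encode_name(name: str) -> bytes:
    # Wire format: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_dnssec_query(name: str, qtype: int = A, udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    # Recursive query plus an EDNS0 OPT pseudo-RR: CLASS = advertised UDP payload size, TTL = DO bit
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1 (the OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    # Advance past a name; a compression pointer (top two bits set) is two bytes and terminal
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def inspect_response(msg: bytes) -> dict:
    # Summarise the traits that DNS-aware middleboxes may reject; TC set means retry over TCP
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # question entries carry no RDATA
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"size": len(msg), "over_512": len(msg) > 512, "truncated": bool(flags & TC_FLAG),
            "has_edns": OPT in types, "rrsig_count": types.count(RRSIG)}

def sample_signed_response(sig_len: int = 512, truncated: bool = False, txid: int = 0x1234) -> bytes:
    # Constructed (not captured) reply for example.com: one A record, one RRSIG with dummy zero signature, OPT echoed back
    flags = 0x8180 | (TC_FLAG if truncated else 0)              # QR|RD|RA, NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 1)
    question = encode_name("example.com") + struct.pack("!HH", A, 1)
    ptr = b"\xc0\x0c"                                            # compression pointer to the qname
    a_rr = ptr + struct.pack("!HHIH", A, 1, 3600, 4) + bytes([192, 0, 2, 1])
    sig_rdata = struct.pack("!HBBIIIH", A, 8, 2, 3600, 0, 0, 0) + encode_name("example.com") + b"\x00" * sig_len
    rrsig_rr = ptr + struct.pack("!HHIH", RRSIG, 1, 3600, len(sig_rdata)) + sig_rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG, 0)
    return header + question + a_rr + rrsig_rr + opt
```

A reply that comes back with the OPT record missing, or with TC set and no TCP path through the device, points at exactly the kind of incompatibility the alert warns about.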
In that respect, WatchGuard’s Firebox and XTM appliances should NOT have any issues with these new DNSSEC packets. WatchGuard has verified that DNSSEC queries work through our XTM appliances running the latest firmware, and further verified the queries work fine through both our DNS proxy and DNS packet filter policies. We tested both incoming and outgoing DNSSEC queries, with our DNS server on both the trusted and external networks. In all cases, our appliance had no problems passing DNSSEC queries. Your WatchGuard Firebox should not have any issues with the DNSSEC changes coming this Wednesday.
If you are interested in all the gory technical details about DNSSEC, see this RFC. Also, if you want to learn more about how these DNSSEC changes might affect your other networking devices, we recommend these informational links [ 1 / 2 ].
As always, if you have any Firebox or XTM related issues, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)
- U.S. End Users: 877.232.3531
- International End Users: +1.206.613.0456
- Authorized WatchGuard Resellers: +1.206.521.8375