Citrix Response on DNS Flag Day

Article ID: CTX241493

Description

What is DNS Flag Day?

February 1st 2019 is DNS Flag Day, the date from which multiple public DNS providers and DNS software vendors will stop supporting broken or vulnerable DNS implementations. On or around this date, the major open source resolver vendors will release updates that implement stricter EDNS handling. These resolvers will not connect to non-compliant DNS servers.
 

Is Citrix ADC impacted?

Domains hosted on all Citrix ADC MPX/SDX/VPX appliances in ADNS mode or proxy mode will continue to be accessible after DNS Flag Day without any performance impact.
Citrix ADC can be deployed in multiple modes for DNS traffic, and the following table captures the impact in each mode.

Deployment Mode | Test Result
All deployment modes listed below | No impact on domain availability and performance. Overall, a minor issue is identified because of our approach to EDNS options handling.
  • DNS proxy mode with caching enabled
  • DNS proxy mode with caching disabled
  • GSLB mode (zone same as GSLB domain)
  • ADNS mode with authoritative zone
  • Load Balancing virtual server with authoritative zone
  • Resolver mode with authoritative zone
  • Content Switching with authoritative zone
  • DNS proxy mode with caching enabled, with EDNS Client Subnet enabled on the backend server
  • DNS proxy mode with caching disabled, with EDNS Client Subnet enabled on the backend server
  • GSLB with DNSSEC
  • GSLB with EDNS Client Subnet enabled
  • DNSSEC-enabled ADNS
 
If you test your application domain on the https://dnsflagday.net/ portal, you may get the result “Minor problems detected!” (see Appendix A). This is because of our approach to EDNS options handling. Domain availability and performance will not be affected after DNS Flag Day.

Citrix ADC supports EDNS0 on all supported versions (10.5, 11.0, 11.1, 12.0 and 12.1), and you will get the same result, “Minor problems detected!”, on all of them if the appliance is configured correctly.
 
We will release a build in the future that implements all required EDNS standards and complies completely.
 
If you get a result other than “All Ok!” or “Minor problems detected!”, see the next section on the Citrix recommendation.
 

What is the Citrix Recommendation?

  • Configure SOA and NS records for the zones you are authoritative for.
  • If Citrix ADC is deployed in proxy mode, also configure a DNS_TCP type virtual server. Ensure that this virtual server is up and running.
  • If Citrix ADC is deployed in ADNS mode, also configure an ADNS_TCP type service. Ensure that this service is up and running.
See Appendix B for how to configure these entities on Citrix ADC.
If these steps do not give you a “Minor problems detected!” result, kindly contact Citrix Support.
 

Example Failure Cases

Some examples of failure cases are given below:
Example 1: Test result: “Fatal error detected!”
Cause: This happens when the test tool times out on TCP queries.
Solution: Ensure that the DNS_TCP type virtual server (in a DNS proxy deployment) or the ADNS_TCP service (in an ADNS deployment) is up and running on Citrix ADC.
 
Example 2: Test result: “Serious problem detected!”
Cause: This is seen when there is a network connectivity issue with the DNS server. The result can also change intermittently to “Minor problem detected!”.
Solution: Ensure there is no network connectivity issue with the server and that the recommended steps above are followed.
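The two points above, the EDNS0 handling that produces “Minor problems detected!” and the TCP timeout behind “Fatal error detected!”, are easier to reason about with a probe you can run against your own authoritative server. The script below is an added example, not Citrix code and not the dnsflagday.net test suite: it builds a DNS query carrying an EDNS0 OPT pseudo-record (RFC 6891), sends it over UDP and over TCP, parses the reply, and maps the outcome onto the verdicts quoted in this article. The verdict mapping in `classify` is a deliberately simplified assumption, the `constructed_reply` helper fabricates a sample reply so the parser can be exercised offline, and the server address and zone passed on the command line are placeholders you choose.

```python
"""Added example (not Citrix code): minimal EDNS0 and TCP probe for a DNS server.

Assumptions: the verdict mapping in classify() is a simplified stand-in for the
dnsflagday.net logic, and constructed_reply() produces fabricated replies for
offline testing. Server address and zone come from the command line.
"""
import socket
import struct
import sys
from typing import Optional

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type code (RFC 6891)
SOA_TYPE = 6


def build_query(name: str, qtype: int = SOA_TYPE, txid: int = 0x1234,
                edns: bool = True, bufsize: int = 1232) -> bytes:
    """DNS header + one question + (optionally) an EDNS0 OPT record in the additional section."""
    arcount = 1 if edns else 0
    # Flags 0x0000: no RD bit, which is what you send to an authoritative server.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0) if edns else b""
    return header + question + opt


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract header flags and EDNS details from a DNS reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # QTYPE + QCLASS
    info = {"id": txid, "rcode": flags & 0x0F, "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "answers": an, "authority": ns,
            "has_opt": False, "edns_version": None, "udp_payload": None}
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["has_opt"] = True
            info["edns_version"] = (ttl >> 16) & 0xFF
            info["udp_payload"] = rclass
            # Extended RCODE (upper 8 bits of the OPT TTL) prefixes the 4-bit header RCODE.
            info["rcode"] = (((ttl >> 24) & 0xFF) << 4) | info["rcode"]
    return info


def constructed_reply(query: bytes, with_opt: bool = True, edns_version: int = 0) -> bytes:
    """Constructed sample reply (not real server output): echoes ID and question, sets QR+AA."""
    txid = struct.unpack("!H", query[:2])[0]
    question_end = _skip_name(query, 12) + 4
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, edns_version << 16, 0) if with_opt else b""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 0, 1 if with_opt else 0)
    return header + query[12:question_end] + opt


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe_udp(server: str, query: bytes, timeout: float = 3.0) -> Optional[dict]:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None  # no UDP answer at all
    return parse_response(data)


def probe_tcp(server: str, query: bytes, timeout: float = 3.0) -> Optional[dict]:
    """TCP DNS framing: a 2-byte length prefix before the message in each direction."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            data = _recv_exact(s, length)
    except (OSError, socket.timeout):
        return None  # timeout or refused: the "Fatal error" case in the article
    return parse_response(data)


def classify(udp_reply: Optional[dict], tcp_reply: Optional[dict]) -> str:
    """Simplified assumption mapping probe results onto the article's verdict strings."""
    if tcp_reply is None:
        return "Fatal error detected!"
    if udp_reply is None:
        return "Serious problem detected!"
    if not udp_reply["has_opt"] or udp_reply["edns_version"] != 0:
        return "Minor problems detected!"
    return "All Ok!"


if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]  # placeholders, e.g. 203.0.113.10 example.com
    q = build_query(zone)
    print(classify(probe_udp(server, q), probe_tcp(server, q)))
```

Run it as `python3 probe.py <server IP> <zone>` against a zone the appliance is authoritative for; a `None` from `probe_tcp` is exactly the TCP timeout that Example 1 attributes to a missing or down DNS_TCP virtual server or ADNS_TCP service, and a reply without an OPT record is the kind of EDNS handling gap that yields the minor-problem verdict.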
 

Appendix A

 
Testing domain on https://dnsflagday.net/ can give the following results:

 

Appendix B

Configuring SOA record

CLI: add dns soarec <domain name> -originserver <origin server> -contact <contact>
GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> SOA Records

Configuring NS record

CLI: add dns nsrec <domain name> <NS record>
GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> Name Server Records

Configuring DNS_TCP type virtual server

CLI: add lb vserver <vserver name> DNS_TCP <IP> 53
GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Virtual Servers

Configuring ADNS_TCP type service

CLI: add service <service name> <IP> ADNS_TCP 53
GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Services
 

Issue/Introduction

February 1st 2019 is DNS Flag Day, the date from which multiple public DNS providers and DNS software vendors will stop supporting broken or vulnerable DNS implementations. Domains hosted on all Citrix ADC MPX/SDX/VPX appliances in ADNS mode or proxy mode will continue to be accessible after DNS Flag Day without any performance impact.