
"Capacity" - The Hidden Word?

Chuck Kisselburg

What is so secret about the word "Capacity"? As I read and talk with people, I realize the word "capacity" is typically missing from the DNS discussion. "Capacity" and "Security" are the two cornerstones of maximizing DNS resilience, and both are typically missing from the DNS discussion.

Have you seen a single DNS node easily process over 863,000 queries per second? Have you seen a network routinely handle over 50Gbits/second in outbound traffic alone without breaking a sweat?

What is DNS? We all know that the Domain Name System serves as the proverbial address book for the Internet. While most humans find it difficult to remember IP addresses, we need some way to convert our human-brain oriented way of remembering Internet destinations to a destination's respective numerical IP address; hence the DNS.

What I tend to hear touted about DNS are:

"Global"
"Anycast"
"Node numbers and location"
"Bandwidth"
"Resolution speed"
"IPv6"

What I don't hear in the overall discussion is that of "Security" and "Capacity". While I will cover "Security" (meaning more than DNSSEC) in a future post, this post will focus on "Capacity".

As we know, DDoS (Distributed Denial of Service) attacks occur daily. As mentioned in an earlier blog post, a Forrester survey indicated organizations experienced more than 350,000 DDoS attacks in 2009. Another study, from Arbor Networks, found that approximately 3% of the Internet's traffic is tied to DDoS, or roughly 1,300 attacks each day.

Such attacks have shown where DNS providers running other platforms have failed because they lacked the capacity to handle the traffic load. Examples include UltraDNS, hit twice in 2009 with regional outages; DNS Made Easy, which suffered a 1.5-hour outage in 2010; and Register.com, which endured a 3-day attack in 2009 and another attack a couple of days ago.

What do I mean by "capacity"? In this conversation "capacity" is the ability of the actual DNS platform to handle very large volumes of traffic. I am not talking about the server hardware on which the DNS code runs; "DNS platform" refers to the code itself and how efficiently it handles DNS. While some consider bandwidth and hardware the major part of the "capacity" equation, we should be examining the "capacity" of each DNS platform as one of the two cornerstones of truly maximizing DNS resilience ("Security" being the other). Looking at the overall picture, it is easy to see how a slow or inefficient DNS platform will fall behind when handling large volumes of DNS lookups or queries. Throwing bandwidth or servers at the issue therefore does not solve the problem of an inefficient DNS platform. May networks be busy? Yes. But should they be backlogged by the DNS platform itself? No.

A good example of "capacity" occurred in August of 2010, when CommunityDNS' Hong Kong node experienced a heavy spike in traffic. The spike lasted just under 2 hours. During that time CommunityDNS observed the Hong Kong node comfortably processing over 863,000 queries per second. That means that while the system was processing such large volumes of traffic, the platform itself still had plenty of idle time, ready to handle more and ensuring every legitimate query continued to be answered. There was no way of determining whether CommunityDNS was the target of a DDoS attack, but the fact remains that the platform was designed to handle exceedingly large volumes of traffic. This is consistent with the fact that during an average, non-busy period the CommunityDNS network handles 20Gbits per second of traffic inbound while also handling 50Gbits per second outbound. Other DNS platforms have faltered under far less traffic. Again, the ability to comfortably handle such levels comes from the design of the respective DNS platform. Once the importance of capacity is understood, resolution speed becomes irrelevant, because the platform will always be far faster than what a bandwidth provider can deliver.
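The post states the platform's capacity as a peak query rate with idle time to spare, and separately quotes the network's inbound and outbound bandwidth. The script below is an example added to this post (not CommunityDNS code) of how an operator can check those two dimensions from their own monitoring data: it parses per-second server statistics in a hypothetical format ("<epoch> queries=<count> cpu_idle=<percent>"), finds the peak rate and how much idle time the platform still had at that peak, flags seconds whose rate is a multiple of the baseline (the kind of spike the post describes), and converts between queries per second and link bandwidth so the two can be compared. The sample lines are constructed; the peak value echoes the 863,000 queries per second figure above, and the 42-byte per-datagram header overhead assumes Ethernet, IPv4 and UDP without options.

```python
"""Capacity headroom and spike check over per-second DNS server statistics.

Added example for this post; the statistics format and all numbers are
constructed, not CommunityDNS data.
"""
import re
import statistics
from dataclasses import dataclass

# Constructed sample: one line per second in the hypothetical format
# "<epoch> queries=<count> cpu_idle=<percent>". The three high seconds
# model a short spike like the one described in the post.
SAMPLE_STATS = """\
1281600000 queries=118000 cpu_idle=89
1281600001 queries=121000 cpu_idle=88
1281600002 queries=119500 cpu_idle=88
1281600003 queries=122000 cpu_idle=88
1281600004 queries=120500 cpu_idle=89
1281600005 queries=640000 cpu_idle=63
1281600006 queries=863000 cpu_idle=52
1281600007 queries=845000 cpu_idle=54
1281600008 queries=123000 cpu_idle=88
1281600009 queries=119000 cpu_idle=89
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) queries=(?P<q>\d+) cpu_idle=(?P<idle>\d+)$")


@dataclass(frozen=True)
class Sample:
    ts: int        # epoch second
    qps: int       # queries answered in that second
    cpu_idle: int  # percentage of the second the platform sat idle


def parse_stats(text: str) -> list[Sample]:
    """Parse the per-second statistics text; rejects malformed lines."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable stats line: {line!r}")
        samples.append(Sample(int(m["ts"]), int(m["q"]), int(m["idle"])))
    return samples


def peak(samples: list[Sample]) -> Sample:
    """The busiest second; its cpu_idle is the headroom left at peak."""
    return max(samples, key=lambda s: s.qps)


def baseline_qps(samples: list[Sample]) -> float:
    """Median rate, so a short spike does not drag the baseline up."""
    return statistics.median(s.qps for s in samples)


def spike_seconds(samples: list[Sample], factor: float = 3.0) -> list[int]:
    """Timestamps whose rate exceeds `factor` times the baseline."""
    threshold = factor * baseline_qps(samples)
    return [s.ts for s in samples if s.qps > threshold]


def wire_gbps(qps: float, avg_payload_bytes: int, overhead_bytes: int = 42) -> float:
    """Link bandwidth (Gbit/s) consumed by `qps` datagrams of the given payload."""
    return qps * (avg_payload_bytes + overhead_bytes) * 8 / 1e9


def saturating_qps(link_gbps: float, avg_payload_bytes: int, overhead_bytes: int = 42) -> int:
    """Datagrams per second that would fill a link of `link_gbps`."""
    return int(link_gbps * 1e9 / 8 / (avg_payload_bytes + overhead_bytes))


if __name__ == "__main__":
    samples = parse_stats(SAMPLE_STATS)
    top = peak(samples)
    print(f"peak {top.qps} qps at {top.ts}, {top.cpu_idle}% idle at peak")
    print("spike seconds:", spike_seconds(samples))
    print(f"{top.qps} qps of 100-byte responses needs {wire_gbps(top.qps, 100):.3f} Gbit/s")
    print(f"a 50 Gbit/s link carries at most {saturating_qps(50, 512)} 512-byte responses/s")
```

Two readings follow from the output. The idle percentage at the peak second is the number that tells you whether the platform, not the link, is the bottleneck: a platform that answers its busiest second with half its time still idle is what the post means by capacity. The last line shows why bandwidth alone is not the measure: a 50 Gbit/s link can carry over eleven million 512-byte responses per second, far more than most platforms can generate, so the platform's own query rate is the figure to ask a provider for.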

So yes, when looking at the various factors used in maximizing resilience of the DNS, "capacity" is one of the major cornerstones to a healthy and vibrant Internet.

Why is this important? Why should we always strive to set the bar high? For people the Internet means:

• Their business
• Their nation's online perception
• Their national, regional and global online economies

So when looking at DNS providers or platforms, be sure to examine the respective platform's "capacity". It's time for "capacity" to come out of hiding and be part of the standard conversation.

By Chuck Kisselburg, Director, Strategic Partnerships at CommunityDNS
