Hosting companies face many challenges today, from differentiating their services in a crowded market with decreasing margins, to an increasing pressure to defend against growing sets of attacks against their infrastructure. As more and more services drift into the cloud, up-time is becoming one of the most critical factors for customers choosing a web host. A hosting company's record of reliability can often be the deciding factor for a customer to choose one service over another. Recently at HostingCon, Afilias was able to talk to hosting companies about their current DNS problems and why they need to now look at advanced DNS solutions to improve reliability or to seek new revenue with premium DNS offerings.
What we've been saying for some time now was confirmed by many of the hosting companies visiting and exhibiting at HostingCon. Over the last year we've seen an increase in size and number of attacks against the DNS. Both continue to grow as criminals seek any way to exploit vulnerabilities in networks. DDoS attacks against DNS infrastructure as well as sophisticated DNS hijacking attacks are now top of mind for most hosting companies.
Recent research from Arbor Networks shows that the risk of DDoS attack is by far the most worrying problem facing companies today, with 35% of organizations classifying such attacks as their biggest fear. The same research shows that over a quarter of all DDoS attacks target application-layer protocols such as DNS, with the largest attacks amounting to almost 50 Gigabytes per second (Gbps).
Here are some suggestions for hosting companies, both to improve their DNS architecture and to use a more reliable DNS network to expand the services they offer today:
Add a secondary DNS provider to shoulder the load
An attack against a single hosting customer can severely impact performance and availability for a hosting company's entire network, especially when a DDoS flood is large and targets a shared network bottleneck such as DNS resolution. Every customer who puts content online, blogs, or shares links to your hosted sites in social media creates a target that could put your entire customer base at risk.
The risk of taking out an entire set of customers because just one popular or controversial customer is targeted gives hosting companies a greater need to harden their DNS infrastructure against attack. Rather than bearing the added capital expense of building out a bigger DNS network, simply integrating a second DNS provider to serve part of your DNS traffic can alleviate bottlenecks in your current DNS infrastructure and give you an entire second network to rely on in case of a crippling DDoS attack.
Indeed, we've even seen some customers reap additional positive outcomes from integrating a secondary DNS provider. This approach allows them to seamlessly take any or all of their own DNS nodes out of service for planned or unplanned maintenance, or even to deploy critical patches.
Strengthening your network with Anycast
Of course, the DDoS problem is not confined to DNS alone. DNS is just one piece in the overall architecture of a hosting company. However, DNS is one area that is often not provisioned as well as other, more obvious, pieces of potentially vulnerable infrastructure. The risk of attacks taking down DNS for all hosting customers can be substantially mitigated by building out a robust DNS infrastructure that uses a diverse selection of technology providers and is globally distributed using IP Anycast.
Anycast enables companies to advertise the same IP address from multiple nodes, deployed on different parts of the Internet, simultaneously. In the DNS context, this allows companies to present a more localized way to resolve domain names, reducing latency and increasing performance for end users, while mitigating the impact of one node going down for maintenance or due to attack.
Don't run a monoculture - integrate diversity
The number of vulnerabilities found in ubiquitous data center hardware and software platforms is forever increasing, and is expected to double this year compared to 2009. Companies that have adopted software monocultures, or failed to incorporate enough vendor diversity in their DNS architectures, could find themselves more at risk from exploitation. By also introducing some of Afilias' principles of DNS Diversity, where each node is provisioned by more than one connectivity provider, and uses more than one vendor for each of its operating system, name server, server hardware and network infrastructure needs, single points of failure in your DNS are virtually eliminated.
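A check that fits both the secondary-provider and the diversity sections above, as an added example that is not Afilias' own tooling: it reads the output of `dig +nssearch` for a zone, reports whether the authoritative servers span more than one operator, and flags any server still serving an older SOA serial, the usual symptom of a secondary that has stopped receiving zone updates. The sample output, the zone name and the prefix-to-operator map are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format printed by `dig +nssearch example.com`.
# Addresses are documentation ranges; the third server lags one serial behind.
SAMPLE = """\
SOA ns1.example.com. hostmaster.example.com. 2010080102 7200 3600 1209600 3600 from server 192.0.2.10 in 12 ms.
SOA ns1.example.com. hostmaster.example.com. 2010080102 7200 3600 1209600 3600 from server 192.0.2.11 in 14 ms.
SOA ns1.example.com. hostmaster.example.com. 2010080101 7200 3600 1209600 3600 from server 198.51.100.53 in 31 ms.
"""

# Hypothetical map of address prefixes to the operator that runs them.
OPERATORS = {
    ipaddress.ip_network("192.0.2.0/24"): "in-house",
    ipaddress.ip_network("198.51.100.0/24"): "secondary-provider",
}

# Captures the SOA serial and the address of the server that answered.
LINE = re.compile(r"^SOA\s+\S+\s+\S+\s+(\d+)\s+.*from server (\S+) in \d+ ms")

def operator_of(addr):
    ip = ipaddress.ip_address(addr)
    for net, name in OPERATORS.items():
        if ip in net:
            return name
    return "unknown"

def audit(nssearch_output):
    serial_by_server = {}
    for line in nssearch_output.splitlines():
        m = LINE.match(line.strip())
        if m:
            serial_by_server[m.group(2)] = int(m.group(1))
    servers_by_operator = defaultdict(list)
    for addr in serial_by_server:
        servers_by_operator[operator_of(addr)].append(addr)
    # Simplification: plain max() ignores RFC 1982 serial wrap-around.
    newest = max(serial_by_server.values(), default=None)
    stale = sorted(a for a, s in serial_by_server.items() if s != newest)
    return {
        "operators": sorted(servers_by_operator),
        "single_operator": len(servers_by_operator) < 2,
        "newest_serial": newest,
        "stale_servers": stale,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A server that times out never appears in the `+nssearch` output, so compare the addresses seen against the zone's full NS set before treating a clean result as healthy.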
Premium DNS is a selling feature
Advanced DNS does not need to be a cost center; it should also be viewed as an opportunity to increase revenues. As your customers' businesses depend more on their Web services, they are aware of just how critical the availability of their website actually is. Customers that want to safeguard their e-commerce revenue will pay for Service Level Agreements (SLAs) and guarantees on their DNS resolution. Even a marginal increase in your monthly hosting fee could be just enough to differentiate a premium DNS package, and collectively across your customer base it can present an easy added revenue stream to help your bottom line this year.
Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias' reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services and Managed DNS.