What is the responsibility of the DNS? Should the DNS be responsible for policing traffic across its infrastructure? Should the blocking and blacklisting of names or throttling of query packets be the responsibility of the DNS?

From experience I know my opening paragraph has started passionate debates in more than one section of this globe. We at CommunityDNS have found ourselves right in the middle of such heated debates. “Oh YES you will!”, “Oh NO you will not!”

In keeping up with efforts of various governments around the globe we have seen the rise and disappearance of such “legal” debates on what the Internet, or what those at its endpoints should do to protect users within respective governmental jurisdictions. Again, “Oh YES you will!”, “Oh NO you will not!” Even when seeking input from organizations forming the Internet’s substructure within the same jurisdictional borders, we can still receive “Oh YES you will!”, “Oh NO you will not!”. So the debate continues.

While the Internet continuously proves its amazing value, it is a legal quagmire on what laws can be passed when the Internet extends beyond legal jurisdictions. It also provides for continuous debate on the question regarding its technical “responsibilities” to the end user.

What is the DNS? In my mind the Domain Name System was best described as being the “address book of the Internet”. Since “most” humans find names easier to remember they rely on the DNS to translate language-based Internet destinations (or URLs) into a destination server’s IP address.

One thing is clear, however, the malicious community is intelligent, well organized and well funded. Their efforts have impacted national and regional online economies as well as individual businesses and the end user.

So what is the responsibility of the DNS?

The U.S. National Security Agency (NSA), according to their site says they are “home to America’s code makers and code breakers”. Some also know the agency for developing and utilizing advanced technology in areas of communications monitoring. Having also worked with start-up technology companies, I have come to know the NSA as an organization helping technology-based companies bring advanced technologies to the market place. In April the NSA released a document on “Best Practices for Keeping Your Home Network Secure”. Having been an IT manager as well as provided for large-scale network deployments I can say the basic concepts of the NSA’s report not only speaks to common sense, the basic concepts can apply to an organization’s IT infrastructure.

One of the “best-practice” items mentioned by the NSA is to, “Implement an Alternate DNS Provider as they [referring to a user’s ISP] typically don’t provide enhanced security services such as the blocking and blacklisting of dangerous and infected web sites.” CommunityDNS has this capability, but again our customers have tended to argue for the purity of the DNS’ original function.

With that said the malicious community has continued to push the envelope about what role the DNS should take in protecting users from the tactics of the hacker. While the malicious community feasted on innocent users by redirecting them to malicious sites for purposes of malicious intent, (a process known as “cache poisoning”) the DNS community came together and, over a long period of time, developed the specifications for DNSSEC (DNS SECurity). While not the magic cure-all that will shut down the malicious community, DNSSEC was designed with the idea of providing the end user with the assurance of reaching their intended destination and not a malicious imposter. While DNSSEC may be only one small piece of the security puzzle, it is an example of how the DNS community came together to provide a level of security within the DNS to prevent cache poisoning. In the interest of helping move this effort forward have helped multiple ccTLDs sign their zones as well as support customers who have already signed their zones with DNSSEC. While progress in this area is being made, there is still a ways to go for registries and name holders to understand and “sign” their respective zones.

But what about the other large, and growing threat of DoS or DDoS attacks? DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks are techniques the malicious community can use to render specific sites, or even DNS providers inoperable.

Through the article titled, “Ensuring Maximum Resilience to the DNS” we have seen through reports how organizations have experienced more than 350,000 DDoS attacks in 2009 and 3% of the Internet’s traffic tied to DDoS through roughly 1,300 attacks each day. The article also points out how such attacks have actually impacted DNS operations of specific DNS providers whose platforms failed under such levels of traffic.

With all that said it does not surprise me that last year’s Pan European cyber security exercise focused heavily on DDoS attacks. In 2006 the IETF touched upon this topic through RFC 4732. While the RFC discusses this phenomenon and its effects, it also provides suggestions regarding various network components, but nothing specific for the DNS.

With the shear volume of traffic handled for our customers, we see various styles and sizes of such attacks occurring daily, though most small in nature. From CommunityDNS’ perspective we have taken multiple approaches towards mitigating the affects of DoS/DDoS attacks. Aside from using Anycast technology and other special capabilities within each of our nodes, our most effective defense is how the platform was designed to provide for large amounts of capacity, as noted last August when our node in Hong Kong handled a sustained traffic spike by comfortably processing over 863,000 queries per second. Even with a platform designed to handle vast amounts of capacity, we still find it doesn’t necessarily assist clients who may be targeted with a DDoS attack.

Even with client’s who are specifically targeted for DDoS attacks we find our clients are very responsive in efficiently working through such attacks, however we are finding such effective partnerships can still be improved to minimize affects of such targeted attacks. Is it OK for our customers’ service to be completely taken down until the issue has been worked through or shall we take a more proactive approach to minimize impacts as attacks start to unfold? We have taken this approach in applying throttles based upon traffic patterns at the individual node level. These node level throttles are established high enough to allow for normal increased traffic, but will step in if a site is targeted for take-down. Also on the proactive approach our monitoring platform provides our customers with a view in how much of their traffic may be associated with such attacks, whether large or small and whether the traffic is IPv4 or IPv6-based.

So as the debate rages on with “Oh YES you will!” and “Oh NO you will not!” we feel partnering with the customer in providing them with tools and proactive service helps customers provide resilience for users, businesses, countries and their various online-economies.

Do we agree with the NSA’s best-practice of implementing an alternate DNS provider? Absolutely! As a secondary authoritative service we have always advocated utilizing multiple DNS providers for purposes of diversity.

• Diversity of network providers.
• Diversity of platform software.
• Diversity of platform hardware.
• Diversity among open source and non-open source platforms.

Along with our recommended approach to maximum resilience through diversity and capacity, it is also important to view what tools are available at mitigating attacks from the malicious community. The “Oh YES you will!” and “Oh NO you will not!” will always provide for a passionate discussion.