|
Continuing from where we left off last time… Before we get into what DNSSEC is and the benefits of it, let’s talk about some of the other potential pitfalls of DNS.
One of the most significant issues we have to deal with are denial-of-service (DoS) attacks. While DoS attacks are not specific to DNS we have seen DNS be a frequent target of these attacks. A DoS attack is when hackers target your DNS server (or any resource) with a flood of so much traffic that the server is unable to keep up and service legitimate requests. Doing this to a DNS server is relatively easy and rather difficult to prevent. Prevention is really only accomplished with border devices such as firewalls which limit the number of connections over time from any one source. However, it is much more difficult to avoid when the attack is distributed. Most current attacks are distributed. Hackers utilize armies of unsuspecting machines which have been compromised, each to do just a little bit of work for them; it is so little that it goes easily unnoticed.
The problem for the DNS administrator is how to determine which of the requests are legitimate and which are not. Not easy. A well executed distributed denial-of-service (DDoS) can be very difficult to thwart. Basically the only way to really avoid the effects of a DDoS is by having an overdesigned and over-provisioned network and servers. VeriSign solves this by having lots of bandwidth available and a small army of DNS servers.
Bottom-line is that as a DNS administrator you need to have a current understanding of how close your servers are operating to their limits; you need to diligently monitor their performance. For Microsoft Windows based DNS take a look at PerfMon for others you will need to dump the statistics and compare them over time. Good stuff. I guess we will have to talk about DNSSEC next time, I promise.
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byCSC
This isn’t a pitfall of DNS: it’s a pitfall of public-facing network services in general. It’s safe to assume that DNSSEC will suffer this problem more than vanilla DNS simply due to its additional data overhead. Deployment of DNSSEC will thus result in the need for additional DNS server infrastructure just to maintain the status quo in relation to DoS resistance.
The reason DDos and DNS seem to go hand in hand (they don’t really, it’s just a perception) is that DNS relies on UDP. Taking UDP away from DNS is not the answer because it’s UDP that gives DNS a lightweight and quick nature. BCP 38 (aka RFC 2827, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, May 2000) deployment would go a long way to stemming the impact of DDoS against DNS.
As far as what can be done within the DNS operating layer, there are a few things that can be done besides trying to “out gun” the attack. Bringing the data topologically closer to the client (legit or not) is one strategy, for example.