Why DNS Is Broken, Part 2: DoS Target

Continuing from where we left off last time… Before we get into what DNSSEC is and its benefits, let’s talk about some of the other potential pitfalls of DNS.

One of the most significant issues we have to deal with is denial-of-service (DoS) attacks. While DoS attacks are not specific to DNS, we have seen DNS be a frequent target of these attacks. A DoS attack is when hackers target your DNS server (or any resource) with a flood of so much traffic that the server is unable to keep up and service legitimate requests. Doing this to a DNS server is relatively easy and rather difficult to prevent. Prevention is really only accomplished with border devices such as firewalls, which limit the number of connections over time from any one source. However, an attack is much more difficult to avoid when it is distributed, and most current attacks are distributed. Hackers utilize armies of unsuspecting machines that have been compromised, each doing just a little bit of work for them; so little that it easily goes unnoticed.

The problem for the DNS administrator is how to determine which of the requests are legitimate and which are not. Not easy. A well-executed distributed denial-of-service (DDoS) attack can be very difficult to thwart. Basically, the only way to really avoid the effects of a DDoS is by having an overdesigned and over-provisioned network and servers. VeriSign solves this by having lots of bandwidth available and a small army of DNS servers.
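The contrast between a single-source flood and a distributed one can be replayed in a few lines. This is an added example, not code from the original post: the limiter class, the per-source cap of 20 queries per second, the 5,000 qps server capacity and all traffic are constructed assumptions.

```python
from collections import defaultdict, deque

US = 1_000_000  # microseconds per second; integer timestamps keep the replay exact

class PerSourceLimiter:
    """Sliding one-second cap on queries per source address (the border-device control)."""
    def __init__(self, max_per_second):
        self.max_per_second = max_per_second
        self.recent = defaultdict(deque)  # source -> timestamps of admitted queries

    def allow(self, src, ts):
        q = self.recent[src]
        while q and ts - q[0] >= US:      # forget queries older than the window
            q.popleft()
        if len(q) >= self.max_per_second:
            return False
        q.append(ts)
        return True

def replay(events, limiter, capacity_qps):
    """Feed (timestamp_us, source) events through the limiter and measure what reaches the server."""
    admitted = dropped = 0
    per_second = defaultdict(int)
    for ts, src in sorted(events):
        if limiter.allow(src, ts):
            admitted += 1
            per_second[ts // US] += 1
        else:
            dropped += 1
    peak = max(per_second.values(), default=0)
    return {"admitted": admitted, "dropped": dropped,
            "peak_qps": peak, "overloaded": peak > capacity_qps}

def single_source_flood(rate, seconds, src="198.51.100.7"):
    """Constructed traffic: one address sending `rate` queries per second."""
    return [(s * US + i * (US // rate), src) for s in range(seconds) for i in range(rate)]

def distributed_flood(bots, per_bot_rate, seconds):
    """Constructed traffic: many addresses, each sending only a few queries per second."""
    return [(s * US + i * (US // per_bot_rate), f"10.{b // 256}.{b % 256}.1")
            for b in range(bots) for s in range(seconds) for i in range(per_bot_rate)]

LIMIT = 20       # assumed per-source cap, queries per second
CAPACITY = 5000  # assumed server capacity, queries per second

if __name__ == "__main__":
    print("single source:", replay(single_source_flood(10000, 3), PerSourceLimiter(LIMIT), CAPACITY))
    print("distributed:  ", replay(distributed_flood(2000, 5, 3), PerSourceLimiter(LIMIT), CAPACITY))
```

Both floods offer the same 30,000 queries over three seconds. The per-source cap removes almost all of the first and none of the second, so only the aggregate rate measured against capacity reveals the distributed case.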

The bottom line is that, as a DNS administrator, you need a current understanding of how close your servers are operating to their limits; you need to diligently monitor their performance. For Microsoft Windows-based DNS, take a look at PerfMon; for others, you will need to dump the statistics and compare them over time. Good stuff. I guess we will have to talk about DNSSEC next time, I promise.

By Paul Parisi, Chief Technology Officer at DNSstuff.com

Comments

Not the fault of DNS

The Famous Brett Watson  –  May 22, 2009 3:47 PM

This isn’t a pitfall of DNS: it’s a pitfall of public-facing network services in general. It’s safe to assume that DNSSEC will suffer this problem more than vanilla DNS simply due to its additional data overhead. Deployment of DNSSEC will thus result in the need for additional DNS server infrastructure just to maintain the status quo in relation to DoS resistance.

BCP 38

Edward Lewis  –  May 26, 2009 2:48 PM

The reason DDoS and DNS seem to go hand in hand (they don’t really, it’s just a perception) is that DNS relies on UDP. Taking UDP away from DNS is not the answer because it’s UDP that gives DNS a lightweight and quick nature. BCP 38 (aka RFC 2827, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, May 2000) deployment would go a long way to stemming the impact of DDoS against DNS.

As far as what can be done within the DNS operating layer, there are a few things that can be done besides trying to “out gun” the attack. Bringing the data topologically closer to the client (legit or not) is one strategy, for example.
