Continuing from where we left off last time… Before we get into what DNSSEC is and the benefits of it, let’s talk about some of the other potential pitfalls of DNS.

One of the most significant issues we have to deal with are denial-of-service (DoS) attacks. While DoS attacks are not specific to DNS we have seen DNS be a frequent target of these attacks. A DoS attack is when hackers target your DNS server (or any resource) with a flood of so much traffic that the server is unable to keep up and service legitimate requests. Doing this to a DNS server is relatively easy and rather difficult to prevent. Prevention is really only accomplished with border devices such as firewalls which limit the number of connections over time from any one source. However, it is much more difficult to avoid when the attack is distributed. Most current attacks are distributed. Hackers utilize armies of unsuspecting machines which have been compromised, each to do just a little bit of work for them; it is so little that it goes easily unnoticed.

The problem for the DNS administrator is how to determine which of the requests are legitimate and which are not. Not easy. A well executed distributed denial-of-service (DDoS) can be very difficult to thwart. Basically the only way to really avoid the effects of a DDoS is by having an overdesigned and over-provisioned network and servers. VeriSign solves this by having lots of bandwidth available and a small army of DNS servers.

Bottom-line is that as a DNS administrator you need to have a current understanding of how close your servers are operating to their limits; you need to diligently monitor their performance. For Microsoft Windows based DNS take a look at PerfMon for others you will need to dump the statistics and compare them over time. Good stuff. I guess we will have to talk about DNSSEC next time, I promise.