|
Yesterday’s DDoS attack against DNSimple brought to light a longstanding need for DNS nameserver operators to have an ability to unilaterally repudiate domains from their nameservers.
The domains under attack started off on DNSMadeEasy, migrated off to DNSimple and took up residence there for about 12 hours, causing a lot of grief to DNSimple and their downstream customers. It could have been anybody, as we’ve long intimated: every DNS provider is a logical SPOF unto themselves. The only difference is whether they’ll openly admit it, or lie about it (“no! never happened!”)
A few years ago while at an ISOI conference in Washington, DC I sounded a few people out about the idea of having a registry protocol where nameserver operators could “disavow” or “repudiate” a domain—that is to unilaterally cause a given domain to have it’s root delegation to the target nameservers dropped at the nameserver operator’s dictum. The idea didn’t get a lot of traction.
Every time I see this happening (especially when it happens to us), I see the need for this as more pressing. Last night DNSimple made a request to the target domain’s registrar, Godaddy, to make an emergency change to the domain nameserver delegation and remove the DNSimple nameservers. While they had a sympathetic ear from some Godaddy backchannels, the hours dragged on and the outage persisted and the pain compounded until the domain finally hopped to yet another DNS provider (one I’ve never heard of based out of China), who (surprise!) is now offline as well.
These DDOS target domains are like Typhoid Mary’s of the internet world, in many cases having operated if not a dodgy net presence of some sort, at least mired in a deep shade of grey; they hop from DNS provider to DNS provider hoping to leverage said provider’s built-in DDOS mitigation for their own purposes—leaving a trail of destruction across the internet.
DNS Providers, when they are not the registrar of the domain in question, have few tools to employ to deal with these scows of toxic waste when they come in to port:
The pure-play DNS provider segment isn’t large in numbers. I’d be surprised if there were more than 100 of them, but they do end up doing DNS for fairly large, well traveled chunks of the internet. When you add to that the non-registrar web-hosting companies, who are in a similar boat, you start to get a chunk of the internet community that is large enough to warrant this type of mechanism.
I would pay money for this!
Of course I would. Let the root operators start optimizing their roots for carrier class DNS providers and attract nameserver records through value added abilities:
Some enterprising party could even create a new TLD specifically optimized toward hosting nameserver records. Now there’s a reason for a new TLD, nevermind all this vertical branding B.S everybody else seems to be obsessed with.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byCSC
Sponsored byVerisign
Sponsored byIPv4.Global
One method wouldn’t involve a new protocol at all: having the registrar “ping” each of the nameservers listed for the domain by querying the SOA record on a regular basis. If the registrar doesn’t get back an authoritative answer for the SOA record, it removes that nameserver from the list and updates things as if the domain owner had removed the nameserver. The registrar can do the same check when the domain owner tries to add nameservers, and refuse to add any nameserver that doesn’t say it’s authoritative for that domain. This shouldn’t be too controversial, since it doesn’t make sense to delegate a domain to any nameserver that can’t answer queries for that domain.
That’d let you re-frame the important part. Instead of having the DNS provider “disavow” or “repudiate” the domain, they only need to ask the registrar to re-verify the delegation of the domain. The standard SOA checks get scheduled for the earliest practical timeslot, and things proceed as usual from there. This can be used both to quickly drop a delegation the DNS provider’s no longer authoritative for, and to quickly fix a broken delegation caused by an error on the DNS provider’s end. It’ll probably get more traction avoiding phrasing it as the DNS provider giving orders to the registrar.
The problem here is the one time you really want to be able to do this is often the same time your DNS is down because your nameservers have been DDoS-ed. How can the registry know which domains you've intentionally stopped replying for and which ones you can't reply for? You wouldn't want the registry going ahead and dropping all your domains from the roots because you can't reply to their SOA queries. That's why you would need some explicit out-of-band method to tell the registry "yank the delegation for example.com"
I understand your proposal to be suggesting that if a service provider suddenly finds they don’t like the customer they have they should have the ability to repudiate that customer.
While I have some sympathy for that point of view it feels to me like better customer due diligence before on boarding the new customer would address the specific issue you’re experiencing.
I worry that creating the solution you suggest would create far more opportunities for abuse than would justify the solution. Even if the DNS provider would “never” be malicious, we have to worry about DNS providers becoming targets of nefarious actors who want to “break in” and gain access to this mechanism to forcibly take your customers offline.
It's unrealistic to expect an online merchant to conduct due diligence on every customer to the point where you can screen for this. (This is the same direction LEA are trying to push the entire domain registration process and Registrars are understandably protesting at how utterly unworkable it is) - You can do some automated stuff (which we already do, such as examining the domain name and even keyword analysis of their website) - but it's not like you can put up roadblocks and require human verification and dd on every transaction. The abuse concern is a red herring. Every DNS provider and registrar is already a target for malicious actors trying to do exactly what you describe. If you can break into the DNS host, you can take the customer offline (and worse) whether this exists or not. Adding this capability for nameserver operators doesn't change the math in this respect. There lso exists lower hanging fruit that can be used maliciously on new policies(such as spoofing the new ICANN whois accuracy report emailings).
I agree about the due diligence. The worst malicious actors are the ones most capable of using a front that looks clean, so the DNS provider may well not have any clue until the problems start occurring. The abuse concern, though, isn't a red herring. This wouldn't involve breaking into the DNS host, it'd be breaking into the new mechanism the DNS provider uses to drop delegations (taking those domains off-line without needing to compromise the DNS provider). It's already happened, see the use of social engineering to use Amazon's password-recovery channel to compromise the Apple and Google accounts of Mat Honan. That's one of the reasons I suggested the registry do an SOA record check. I'm not so worried about the DNS provider being malicious, they'd lose reputable customers too quickly once word got out and most domain owners would have a breach-of-contract claim to pursue against a target that can't just pull up stakes and vanish overnight.