Geoff Huston's recent post about the rise of DNS amplification attacks offers excellent perspective on the issue. Major incidents like the Spamhaus attack Geoff mentions at the beginning of his post make headlines, but even small attacks create noticeable floods of traffic. These attacks are easy to launch and effective even with relatively modest resources and we see evidence they're occurring regularly. Although DNS servers are not usually the target of these attacks the increase in traffic and larger response sizes typically stress DNS infrastructure and require attention from operation teams. more
In previous posts in this series, I've discussed a number of applications of cryptography to the DNS, many of them related to the Domain Name System Security Extensions (DNSSEC). In this final blog post, I'll turn attention to another application that may appear at first to be the most natural, though as it turns out, may not always be the most necessary: DNS encryption. (I've also written about DNS encryption as well as minimization in a separate post on DNS information protection.) more
A recent report by NS1 provides a comprehensive look at global DNS traffic trends. It reveals that public resolvers dominate the internet, accounting for nearly 60% of recursive DNS usage. Telecom giants represent nearly 9%, with Google the clear front-runner at a little over 30%, followed by Amazon Web Services at 16%. more
What is the responsibility of the DNS? Should the DNS be responsible for policing traffic across its infrastructure? Should the blocking and blacklisting of names or throttling of query packets be the responsibility of the DNS? From experience I know my opening paragraph has started passionate debates in more than one section of this globe. We at CommunityDNS have found ourselves right in the middle of such heated debates. "Oh YES you will!", "Oh NO you will not!" more
Internet Society recently announced the appointment of former chief technology officer of Motion Picture Association of America (MPAA). The decision has raised concerns within the Internet community as Paul Brigner had campaigned for SOPA while at MPAA as well as being on record opposing net neutrality while being an official at Verizon. more
The DNS root servers were reported by Verisign to be under unexpected attack from name servers across the Internet following ICANN's recent changes to their cryptographic master keys. more
Unlike most new IETF standards, DNS over HTTPS has been a magnet for controversy since the DoH working group was chartered on 2017. The proposed standard was intended to improve the performance of address resolutions while also improving their privacy and integrity, but it's unclear that it accomplishes these goals. On the performance front, testing indicates DoH is faster than one of the alternatives, DNS over TLS (DoT). more
The Internet Governance Project has unearthed a consultancy report to the U.S. Department of Homeland Security (DHS) that makes it clear that the issue of root signing and DNSSEC key management has been recognized as a political issue within the US government for long time. more
DNSSEC is being rolled out quickly in top-level domain registries around the world, but there's still some way to go to encourage other Internet stakeholders to adopt the new security technology. That was one of the key takeaways from a day-long, comprehensive session on Domain Name System Security Extensions implementation worldwide, held during ICANN's public meeting in Cartagena, Colombia, last week. more
OARC held a 2-day meeting in February, with presentations on various DNS topics. Here are some observations I picked up from the presentations in that meeting... In a world where every DNS name is DNSSEC-signed, and every DNS client validates all received DNS responses, we wouldn't necessarily have the problem of DNS spoofing. Even if we concede that universal use of DNSSEC is a long time off ... more
EFF's Senior Legislative Counsel, Ernesto Falcon, in a post on Monday has argued that major ISPs in the U.S. -- the likes of Comcast, AT&T;, and Verizon -- are aggressively influencing legislators to stop the deployment of DNS over HTTPS (DoH), "a technology that will give users one of the biggest upgrades to their Internet privacy and security since the proliferation of HTTPS." more
The deployment of Domain Name System Security Extensions (DNSSEC) for the root zone got an official start today with its public signing for the first time. DNSSEC for the root zone is a joint effort between ICANN and VeriSign, with support from the U.S. Department of Commerce to improve security of the Internet's naming infrastructure. Kim Davies, ICANN's Manager of Root Zone Services, says: "What happened today was the deliberately un-validatable root zone started being published on l.root-servers.net. It is anticipated this will be rolled out across the other root servers over the coming months. This phase is designed to identify any issues with the larger DNS response sizes associated with DNSSEC data." more
ICANN's last new gTLD application closed in 2012 with more than 600 brands applying for their dot brand. Dot brand domains associate a keyword or keyphrase and a brand name in a complete domain name... To understand better how the evolution of the dotBrand has been throughout these years, number of websites launched, redirects, registries etc, Dot Brand Observatory prepared a few visual graphics. more
When an outage affects a component of the internet infrastructure, there can often be downstream ripple effects affecting other components or services, either directly or indirectly. We would like to share our observations of this impact in the case of two recent such outages, measured at various levels of the DNS hierarchy, and discuss the resultant increase in query volume due to the behavior of recursive resolvers. more
Day two of Domain Pulse 2008 last Friday (see review of day one) focused on online security issues giving the techies amongst us details of security issues, and the more policy-orientated amongst us something to chew on in a few other presentations. Kieren McCarthy, these days of ICANN, also gave some insights into the drawn out sex.com drama with more twists and turns than the average soap opera has in a year! And Randy Bush outlined the problems with IPv6. Among other presentations... more
A World-Renowned Source for Internet Developments. Serving Since 2002.