“Best practice DNS resiliency means diverse facilities, networks and prefixes. This is most easily accomplished by choosing two separate managed DNS providers, while ensuring that they aren’t hosting your nameservers in the same facility”
Over 70 percent of the FTSE 100’s constituent companies rely on a single DNS nameserver, or provider, potentially exposing them to significant risk from a future DDoS attack like the one that crippled DNS provider Dyn in 2016, a new report by network intelligence specialists ThousandEyes warns.
The huge attack on Dyn in October 2016 took companies from GitHub to Netflix, via Paypal and Starbucks, offline for hours after approximately 100,000 malicious endpoints launched high-volume floods of TCP and UDP packets, both with destination port 53, at the company’s infrastructure.
Despite the lessons learned from this attack, the state of DNS resilience even among among top SaaS providers is poor, with 60 percent relying on a single source for their authoritative nameservers; at odds with industry best practice – while the FTSE 100 (the UK’s largest listed companies) appear to be even less robust, ThousandEyes said.
The San Francisco-headquartered company collected data from 170 cities over the course of 30 days — between August 19 and September 19, 2018 — generating over 15 million data points into DNS provision for the report.
What’s DNS Again?
The DNS is the system that maps human-friendly domain names like https://www.cbronline.com to IP addresses. A DNS resolver interacts with various tiers of DNS hierarchy, working to resolve queries on behalf of users.
When a user’s system requests a record of a domain, the resolver will immediately send a response to the user if the resolver has already cached the record. If the resolver does not have the record, it will iteratively interact with the DNS infrastructure to retrieve it.
As a domain name owner, a FTSE 100 company, for example, is responsible for defining where the records that point to its web properties will be stored.
As ThousandEyes notes, these may be self-hosted in a data center, or it may choose to use one or multiple managed DNS providers inplace of or in addition to self-hosting. If a brand has any online value, scalable and resilient DNS deployment is important.
DNS Provider Resilience: Redundant Connectivity Vital
ThousandEyes notes: “One point of confusion about DNS redundancy is that having two or more DNS nameservers doesn’t necessarily mean that you have sufficient resiliency. The reason is that those DNS servers are often hosted within a single network and often within a single IP prefix.
“If that network or prefix gets DDoS’d (e.g. Dyn attack), route hijacked (e.g. Route 53 exploit) or the network experiences a connectivity-related outage, then it doesn’t matter how many nameservers are configured—they will all be unavailable to service requests.”
The company added: “Best practice DNS resiliency means diverse facilities, networks and prefixes. This is most easily accomplished by choosing two separate managed DNS providers, while ensuring that they aren’t hosting your nameservers in the same facility (such as the Equinix Ashburn campus). To design that online presence without redundant and diverse hosting of their authoritative DNS records is to take on a very high degree of risk to revenue and brand reputation.”
DNS Attack: Amazon Implemented DNS Redundancy
Amazon is an example of a company that implemented DNS redundancy after Dyn. For its e-commerce site, Amazon.com, it uses two external providers—Dyn and UltraDNS.
“In addition to redundancy, it’s chosen not to use its own DNS service, Route 53—choosing instead architectural diversity in order to reduce its risk of getting taken offline. Ironically, many SaaS companies that host in AWS utilise Route 53 as a single authoritative provider, breaking both with best practice and with Amazon’s own example,” ThousandEyes noted.
While there have been no DDoS attacks on a DNS provider like Dyn of quite the scale of the October 2016 attack, they are on the rise. Akamai recently revealed that there was a 16 percent increase in the number of DDoS attacks recorded since last year, with the largest DDoS attack of the year setting a new record at 1.35 Tbps.
Akamai said in its State of the Internet report: “To understand the scale of such an attack, it helps to compare it to the intercontinental undersea cables in use today. The TAT-14 cable, one of many between the US and Europe, is capable of carrying 3.2 Tbps of traffic, while the Japan-Guam-Australia cable, currently under construction, will be capable of 36 Tbps. Neither of these hugely important cables would have been completely swamped by February’s attack, but an attack of that magnitude would have made a significant impact on intercontinental traffic, if targeted correctly.”
DDoS attacks which use the DNS protocol post a unique challenge in that it can be difficult to distinguish legitimate traffic from attack traffic. During the Dyn incident, for example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, the company said at the time, creating 10-20X normal traffic volume across a large number of IP addresses.
DNS: Who’s Best?
Out of fifteen public DNS providers measured by ThousandEyes, newcomer Cloudflare was found to have overall fastest performance, followed by Google and OpenDNS, both of which improved over their performance in the 2017 ThousandEyes analysis.