UltraDNS Corp is offering a cloaked domain name system service to major ISPs, in an effort to make its customers’ DNS more resilient against denial-of-service attacks.
DNS Shield will be benefiting 100 million US internet users by the end of the year, company executives said. They expect the service will be affecting about 75% of the internet users in the world in the early part of next year.
We’ve had a waiting list of ISPs for the last five months, and we’ve been working through them based on how large they are, UltraDNS chief technology officer Rodney Joffe said. Named customers include AOL, EarthLink, Verio and Yahoo.
The service is designed to shield the ISPs’ DNS lookups not only from DDoS attacks, where compromised zombie computers pound its machines with packets, but also against the general errors and latency associated with internet traffic.
If a user can’t resolve domain names, it doesn’t matter whether they’re sitting right next to the web site they want to go to, they won’t be able to find it because they don’t know the IP address, Joffe said.
In DNS Shield, UltraDNS deploys its authoritative name servers within the ISP’s own network, connected to the ISP’s recursive name servers by an Ethernet cable and to the rest of UltraDNS’s name server network by a VPN.
This means UltraDNS’s server is essentially invisible to the rest of the internet, making it immune to DDoS attacks, according to the company. If the bad guys can’t find it, they can’t attack it.
I think it’s high time that somebody did something and, given the poor state of security in the internet core… that Ultra’s approach is a reasonable step forward, DNS expert Paul Vixie, who has written on the subject of DDoS attacks, said in an email.
A recursive name server is the DNS server that internet users hit first when they try to resolve a domain name, when sending email or visiting a web site for example. It either points the user directly to the IP address they need, or consults the DNS for an answer.
For ISPs using DNS Shield, instead of going out to the internet for a DNS lookup, these recursive servers will do the lookup, in a great many cases, from the UltraDNS server which is sitting just a few feet, and just one hop, away.
In this deployment, the UltraDNS server will not resolve every domain, however, only domains within zones for which it is already authoritative — namely .org, .info, .uk, .nz and about 16 other top-level domains (TLDs).
It will also handle lookups for names in other TLDs where the domain registrant is an UltraDNS managed DNS customer. While UltraDNS cannot be authoritative for .com, it can be authoritative for amazon.com, because Amazon pays it to be.
For domains where UltraDNS cannot be authoritative, the ISP will still have to leave its network to look up the associated IP address, if it’s not already cached on the local recursive server.
It’s believed to be the first such service on the market, and Joffe said it’s currently the only real solution to the DDoS problem, but he said he also expects competitors such as VeriSign Inc, which manages .com and .net, to follow suit.