DNS servers prove resilient

Computerworld - In the year since last October's high-profile attacks on the Internet's root Domain Name System servers, improvements in load distribution and processing capacity have made the Internet's core addressing system more resilient.

But the lack of security at lower levels of the DNS stack remains worrisome, according to security experts. And progress on a critical security enhancement designed to add data authentication and integrity services to the DNS protocol remains disappointingly slow, they added.

"The state of it all is somewhat uneven," said Paul Mockapetris, inventor of the DNS and chairman of the board at IP address management vendor Nominum Inc. in Redwood City, Calif.

"The root server operators have created more replicated copies of the root servers. So they are certainly less vulnerable to denial-of-service attacks and the like," he said.

Some of the operators have also strengthened their systems by adding more processing capacity, said Stephen Crocker, head of the security committee at the Internet Corporation for Assigned Names and Numbers in Marina Del Rey, Calif.

But there are some persistent problems that make the security situation "about the same or maybe a little bit worse as you move down the DNS tree," Mockapetris said.

All 13 of the Internet's root DNS servers—three of which are located outside the U.S.—were victims of a massive distributed denial-of-service attack on Oct. 21, 2002 (see story).

The attacks did little damage apart from slowing down service in some parts of the world. But they were the first to target root DNS servers—on which everything else on the Internet operates—and raised concerns that future attacks could bring down large swaths of the Internet.

Last year's attacks helped raise awareness of the need to bolster defenses, said Suzanne Woolf, senior program manager at the Internet Software Consortium (ISC) in Redwood City, Calif. Like other root server operators, the ISC has over the past year been using a technology approach called anycasting, which is similar to mirroring, to set up multiple copies of existing servers, each with the same IP address.

Anycasting is designed to route DNS queries to the nearest available server in order to mitigate the effects of denial-of-service attacks, explained Crocker.

"It lets us spread out our vulnerabilities and isolate areas as problems arise," Woolf said.

VeriSign Inc., which operates a root server and top-level domains such as .com and .net, has gone a step further.

This summer, the company moved its DNS infrastructure from the widely used Berkeley Internet Name Domain DNS server platform to a proprietary system developed by VeriSign called Atlas. The move was driven by the need to improve the scalabilty, performance and security of VeriSign's DNS services, said Ken Silva, vice president of network and information security at VeriSign in Mountain View, Calif. Atlas is designed to handle more than 100 billion DNS lookups daily and to eliminate single points of failure.