DNS servers prove resilient

But the core system is still weak at lower levels

In the year since last October's high-profile attacks on the Internet's root Domain Name System servers, improvements in load distribution and processing capacity have made the Internet's core addressing system more resilient.

But the lack of security at lower levels of the DNS stack remains worrisome, according to security experts. And progress on a critical security enhancement designed to add data authentication and integrity services to the DNS protocol remains disappointingly slow, they added.

"The state of it all is somewhat uneven," said Paul Mockapetris, inventor of the DNS and chairman of the board at IP address management vendor Nominum Inc. in Redwood City, Calif.

"The root server operators have created more replicated copies of the root servers. So they are certainly less vulnerable to denial-of-service attacks and the like," he said.

Some of the operators have also strengthened their systems by adding more processing capacity, said Stephen Crocker, head of the security committee at the Internet Corporation for Assigned Names and Numbers in Marina Del Rey, Calif.

But there are some persistent problems that make the security situation "about the same or maybe a little bit worse as you move down the DNS tree," Mockapetris said.

All 13 of the Internet's root DNS servers, three of which are located outside the U.S., were the targets of a massive distributed denial-of-service attack on Oct. 21, 2002.

The attacks did little damage apart from slowing down service in some parts of the world. But they were the first known attack aimed at all of the root servers, which sit at the top of the DNS hierarchy and on which every resolver ultimately depends, and they raised concerns that future attacks could bring down large swaths of the Internet.

Last year's attacks helped raise awareness of the need to bolster defenses, said Suzanne Woolf, senior program manager at the Internet Software Consortium (ISC) in Redwood City, Calif. Like other root server operators, the ISC has over the past year been using a routing technique called anycasting, which is similar to mirroring: several geographically separate copies of a server all announce the same IP address, and the Internet's routing system delivers each query to whichever copy is closest to the querier.

Anycasting is designed to route DNS queries to the nearest available server in order to mitigate the effects of denial-of-service attacks, explained Crocker.

"It lets us spread out our vulnerabilities and isolate areas as problems arise," Woolf said.

VeriSign Inc., which operates two of the root servers (A and J) as well as top-level domains such as .com and .net, has gone a step further.

This summer, the company moved its DNS infrastructure from the widely used Berkeley Internet Name Domain (BIND) DNS server platform to a proprietary system developed by VeriSign called Atlas. The move was driven by the need to improve the scalability, performance and security of VeriSign's DNS services, said Ken Silva, vice president of network and information security at VeriSign in Mountain View, Calif. Atlas is designed to handle more than 100 billion DNS lookups daily and to eliminate single points of failure.

In the past year, DNS operators and others responsible for Internet safety have also made more of an effort to share attack and vulnerability information, Woolf said.

Just last week, for instance, the ISC opened a new Internet crisis coordination center called the Operations, Analysis and Research Center. Several top-level domains have also begun running multiple versions of their software to ensure that vulnerabilities in one version won't bring down service, Mockapetris said.

But more work remains to be done, he added. Because of the large number of systems involved, top-level domain servers aren't as easy to replicate using anycasting—and therefore remain vulnerable, Mockapetris said. Misconfigured and poorly protected systems among top-level domain operators also pose a threat, he said.

The Internet Engineering Task Force's work on a formal standard and specification for the DNS Security Extensions (DNSSEC), which add digital signatures to DNS data so that a resolver can verify that an answer really came from the zone's operator and was not altered in transit, has also been slow. The extension is intended to make it "impossible to supply inaccurate data on the DNS system," thereby eliminating the threat of spoofing attacks, Crocker said.

Olafur Gudmundsson, chairman of the IETF working group in charge of the effort, said it will take another 12 to 18 months for a draft standard to become available.


Taking Root

DNS root server operators have increased resiliency by:

- Adding more locations.
- Adding more processing capacity to their servers.
- Sharing information and coordinating response strategies with other operators.


Copyright © 2003 IDG Communications, Inc.
