The turning of the DNS from a distributed database query tool into a malicious weapon in the cyber warfare arena has had profound impacts on the thinking about the DNS.
I remember hearing the rallying cry some years back: “Let's all work together to find all these open resolvers and shut them down!”. These days I don’t hear that any more. It seems that, like spam in email, we’ve quietly given up on eradication, and are now focusing on how to preserve service in a toxic world.
I suppose that this is yet another clear case of markets in action – there is no money in eradication, but there is money in meeting a customer’s requirement to allow their service to work under any circumstances. We’ve changed our self-perception from being the public DNS police to private mercenaries who work diligently to protect the interests of our paying customers. We are being paid to care about the victim, not the attacker.
This means that we have changed our focus in the DNS. We are now interested in methods of improving throughput and capacity on certain authoritative name servers to simply absorb attacks. We are looking at UDP processing paths in kernels, ways we can efficiently sign on the fly, and ways we can perform advanced filtering in resolvers to reject attack packets as quickly and efficiently as possible. All this work is not intended to equip authoritative name servers for conventional traffic, but to allow them to continue to serve conventional traffic in the face of these attacks.
We are looking at the DNS protocol itself, and thinking about the differences between “no such domain” and “no such name” responses in order to push attack traffic out of the concentrated middle of the authoritative server back to the edge of the individual recursive resolvers. We are rethinking negative answers in more generic ways with similar intent, to deflect traffic away from the authoritative servers.
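To make the “push it back to the edge” idea concrete, here is a toy model of a recursive resolver's negative cache. It is an added illustration, not code from this post or from any resolver, and its zone content, NSEC chain and query stream are all constructed. It applies two rules: the “no such domain” reading, under which an NXDOMAIN answer for a name is taken to cover every name beneath it as well (the RFC 8020 reading), and, going a step beyond what the post spells out, the more generic signed negative answer, where an NSEC record names two consecutive existing names and so proves that every name sorting between them does not exist (the idea behind RFC 8198 aggressive NSEC caching). The model counts how many queries from a random-subdomain flood still reach the authoritative server under each rule.

```python
"""Toy negative cache for a recursive resolver. Added illustration, not code
from the post or any resolver; zone content, NSEC chain and queries are
constructed. Rule 1 ("no such domain"): an NXDOMAIN answer also covers every
name beneath it. Rule 2 (NSEC range): a signed negative answer names two
consecutive existing names, so any name that sorts between them is known
not to exist. Either rule lets the resolver answer at the edge instead of
forwarding the query to the authoritative server. TTLs are ignored here."""

ZONE_APEX = "example.test"
# Constructed zone: the only names that exist under the apex.
ZONE_NAMES = ["example.test", "mail.example.test", "www.example.test"]


def canonical_key(name):
    """Sort key approximating DNS canonical order: labels compared right to
    left, case-insensitively, so a parent sorts just before its children."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def in_zone(qname):
    return qname == ZONE_APEX or qname.endswith("." + ZONE_APEX)


def ancestors(qname):
    """qname followed by each parent: a.b.example.test -> b.example.test, ..."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def nsec_chain(names):
    """(owner, next) pairs in canonical order; the last record wraps to the apex."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec_covers(owner, nxt, qname):
    """True if qname sorts strictly between owner and next. A 'next' that sorts
    at or before its owner is the wrap-around record and covers everything
    after the owner (callers restrict qname to the zone first)."""
    lo, hi, key = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    return key > lo if hi <= lo else lo < key < hi


NSEC_RECORDS = nsec_chain(ZONE_NAMES)


def authoritative_answer(qname):
    """Stand-in for the authoritative server: returns (rcode, covering NSEC)."""
    if not in_zone(qname):
        return "REFUSED", None
    if qname in ZONE_NAMES:
        return "NOERROR", None
    for owner, nxt in NSEC_RECORDS:
        if nsec_covers(owner, nxt, qname):
            return "NXDOMAIN", (owner, nxt)
    return "NXDOMAIN", None


class Resolver:
    def __init__(self, subtree_rule=True, nsec_rule=True):
        self.subtree_rule = subtree_rule  # rule 1: NXDOMAIN covers the subtree
        self.nsec_rule = nsec_rule        # rule 2: cached NSEC ranges
        self.nxdomain_names = set()       # names the authority answered NXDOMAIN
        self.nsec_ranges = []             # (owner, next) pairs seen in answers
        self.upstream = 0                 # queries that reached the authority

    def cached_negative(self, qname):
        names = ancestors(qname) if self.subtree_rule else [qname]
        if any(n in self.nxdomain_names for n in names):
            return True
        if self.nsec_rule and in_zone(qname):
            return any(nsec_covers(o, n, qname) for o, n in self.nsec_ranges)
        return False

    def resolve(self, qname):
        if self.cached_negative(qname):
            return "NXDOMAIN"  # answered at the edge, nothing sent upstream
        self.upstream += 1
        rcode, nsec = authoritative_answer(qname)
        if rcode == "NXDOMAIN":
            self.nxdomain_names.add(qname)
            if nsec is not None:
                self.nsec_ranges.append(nsec)
        return rcode


def constructed_query_stream():
    """Constructed traffic: two real lookups, one lookup of a missing name, then
    a random-subdomain flood both under that missing name and directly under
    the apex. Labels are fixed so the run is reproducible."""
    flood = ["k7f2", "zq91", "a0xm", "pp3e", "w8vb", "c4ln"]
    stream = ["www.example.test", "mail.example.test", "cdn.example.test"]
    stream += [f"{r}.cdn.example.test" for r in flood]
    stream += [f"{r}.example.test" for r in flood]
    return stream


def upstream_queries(subtree_rule, nsec_rule):
    """How many queries in the stream the authoritative server has to answer."""
    resolver = Resolver(subtree_rule=subtree_rule, nsec_rule=nsec_rule)
    for qname in constructed_query_stream():
        resolver.resolve(qname)
    return resolver.upstream


if __name__ == "__main__":
    total = len(constructed_query_stream())
    for subtree, nsec in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"subtree_rule={subtree} nsec_rule={nsec}: "
              f"{upstream_queries(subtree, nsec)} of {total} queries reach the authority")
```

Running it shows the shape of the argument: with neither rule every distinct flood name reaches the authoritative server; the subtree rule alone absorbs the flood under the already-known missing name but not the sibling names directly under the apex; the NSEC range rule absorbs both once the few covering ranges have been learned. In this toy the second rule subsumes the first because the zone is signed; for an unsigned zone only the first rule is available, which is part of why the post talks about rethinking negative answers more generically.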
One line of thought is that all this makes for a more robust DNS that is better for all. And that would be really great if that’s what happens.
But I can’t help thinking that the attacks have caused a slightly different response, and a worrisome one. Defence is expensive, and really good defence against these forms of attacks is really expensive. Defending your DNS is now a game that you only win if you can afford to win. I worry that by concentrating on the victim rather than the attacker, as we are being compelled to do, these attacks are creating a two-tier DNS system. One for those who can afford to pay for the highly advanced engineering that allows a service to operate in the most trying and difficult of circumstances, and what’s left, which is a third-rate, toxic DNS wasteland that we’ve simply given up on.
The DNS for the rest of us is vanishing in this toxic mire. And it won’t correct itself. The attacks are aimed at defended points, so they increase in intensity in line with the increases in defence levels of the highly defended. So everyone else is more and more vulnerable in the face of this increasing malevolence. Is there a way out of this loop of escalating badness? As good as all these attack deflection techniques are, wouldn’t it be good if we could just call up the DNS police? Can we shift our collective focus back to the common good, and shift our focus away from selected potential victims who can afford private protection and instead focus on the attacker and the attacks that they carry out?
Personally I think it would be good to see the tables turned and these DNS attackers exposed and prosecuted as the criminal vandals that they undoubtedly are, but I know I’m dreaming at this point. Contemplating such a response raises a massive set of slightly different questions about how to provide security and stability in an Internet not just dominated by competing private sector interests, but built almost entirely of these competing private sector interests. We need to think about the functions and capabilities of private sector markets, how to recognize when and why market failures occur, and the role of the national and regional public sector space. I think I’ve just invoked the magic term “Internet Governance”!
I don’t know about you, but at that point my head explodes, and I start to think about how to improve the filtering capability of authoritative name servers and how to signal domain non-existence in more efficient ways. Yes, I know that these are no more than stop-gap measures, and they are more palliative in nature than curative, but, as they say, it’s not necessary to outrun the lion, it’s only necessary to run just that little bit faster than the person running alongside you. If that’s your aim too, then the DNS-OARC workshop this week had lots of fast running techniques to share!
My thanks to all the workshop presenters for sharing their knowledge and insights, and to DNS-OARC for organizing a really fun couple of DNS days. George Michaelson wrote up a short summary on the workshop, and you can read more about my thoughts on the workshop over at APNIC Labs.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
Additional tips on how to defend your DNS:
1) Monitor your resolver, keep it always private and protected
2) Configure it as securely as possible
3) Manage your DNS servers securely
4) Always monitor your name servers
5) Use a secure and hardened operating system
Lastly, add two-factor authentication; it could be mobile and email, or two emails to confirm.