Yesterday’s DDoS attack against DNSimple brought to light a longstanding need for DNS nameserver operators to have an ability to unilaterally repudiate domains from their nameservers.
The domains under attack started off on DNSMadeEasy, migrated off to DNSimple and took up residence there for about 12 hours, causing a lot of grief to DNSimple and their downstream customers. It could have been anybody, as we’ve long intimated: every DNS provider is a logical SPOF unto themselves. The only question is whether they’ll openly admit it.
A few years ago while at an ISOI conference in Washington, DC I sounded a few people out about the idea of having a registry protocol where nameserver operators could “disavow” or “repudiate” a domain – that is to unilaterally cause a given domain to have it’s root delegation to the target nameservers dropped at the nameserver operator’s dictum. The idea didn’t get a lot of traction.
Every time I see this happening (especially when it happens to us), I see the need for this as more pressing. Last night DNSimple made a request to the target domain’s registrar, Godaddy, to make an emergency change to the domain nameserver delegation and remove the DNSimple nameservers. While they had a sympathetic ear from some Godaddy backchannels, the hours dragged on and the outage persisted and the pain compounded until the domain finally hopped to yet another DNS provider (one I’ve never heard of based out of China), who (surprise!) is now offline as well.
These DDOS target domains are like Typhoon Typhoid Mary’s of the internet world, in many cases having operated if not a dodgy net presence of some sort, at least mired in a deep shade of grey; they hop from DNS provider to DNS provider hoping to leverage said provider’s built-in DDOS mitigation for their own purposes – leaving a trail of destruction across the internet.
DNS Providers, when they are not the registrar of the domain in question, have few tools to employ to deal with these scows of toxic waste when they come in to port:
A) find out who the DDOS targets are and block them from getting on your system in the first place, or
B) failing that, if they do come on they are often non-responsive or seem genuinely puzzled that a DNS provider is unwilling to actively firefight their 60Gig/sec DDoS for the $15 they paid to get on the system. That means you have to get their attention some other way: like wildcarding their DNS to localhost and setting the TTL out to a year – they finally realize they have nothing to gain by sticking around and they move on to some other hapless DNS host.
The pure-play DNS provider segment isn’t large in numbers. I’d be surprised if there were more than 100 of them, but they do end up doing DNS for fairly large, well traveled chunks of the internet. When you add to that the non-registrar web-hosting companies, who are in a similar boat, you start to get a chunk of the internet community that is large enough to warrant this type of mechanism.
I would pay money for this!
Of course I would. Let the root operators start optimizing their roots for carrier class DNS providers and attract nameserver records through value added abilities:
- Realtime rootzone updates.
- Ability to repudiate domains as described above.
- Ability to block all domains from specific registrars or registries.
- Callbacks – get notified when somebody delegates to your nameservers.
- Whatever else they can think up – ability to filter and key on whois record contents?
Some enterprising party could even create a new TLD specifically optimized toward hosting nameserver records. Now there’s a reason for a new TLD, nevermind all this vertical branding crap everybody else seems to be obsessed with.
Further Reading
- DNS and DDoS Attacks: How to Stay Up When Your DNS Provider is Down
- An Introduction to Proactive Nameservers: Failover at the Nameserver Level
Leave a Reply