
Zerigo, our DNS provider, has reported being under heavy DDOS attack for the last 24 hours or so. Considering the distributed nature of DNS, and their architecture consisting of 5 main DNS servers, we didn't experience a direct DNS resolution problem (that said, we also have our own secondary DNS outside Zerigo). However, we couldn't issue any DNS change and have it propagate.

It's hard to complain to a DNS (or any other) provider, when they are being attacked and it's clearly not their fault. However, the end result is that we, as customers, are affected.

As things go these days, DDOS is probably a question of when, not if. And DNS is a major potential point-of-failure for almost any internet-based company.

What measures could be recommended to such providers to best deal with a DDOS, and how can we, as customers, evaluate whether measures were effectively adopted by the provider, so we can make a more informed decision about our choice of DNS provider?

Yoav Aner
  • This information can be found [here](http://security.stackexchange.com/questions/114/what-techniques-do-advanced-firewalls-use-to-protect-againt-dos-ddos), [here](http://security.stackexchange.com/questions/241/how-can-a-software-application-defend-against-dos-or-ddos), and [here](http://security.stackexchange.com/questions/6666/accessing-a-site-which-is-under-a-ddos) – Polynomial Jul 24 '12 at 07:41

2 Answers


> What measures could be recommended to such providers

It's situational: it depends on the existing server and network infrastructure, and on what magnitude of DDoS attack they're looking to protect against.

Existing DNS providers have publicized some of their solutions:

easyDNS suffered major DDoS attacks in 2005, and have since blogged about what they have done to become more resilient against DDoS. Their solution includes using Anycast'ed DNS clusters, and connectivity from providers like Prolexic who provide DDoS mitigation services. Their blog post is worth a read, and includes tips on how customers can help themselves.

Amazon Route 53 also uses Anycast, and serves DNS from 30+ locations worldwide. The sheer size of their infrastructure helps.

Additionally, Amazon Route 53 is intentionally built with a large address space for their infrastructure. For example, a name server lookup for a Route 53 customer might look like this:

ns-154.awsdns-19.com.
ns-997.awsdns-60.net.
ns-1334.awsdns-38.org.
ns-1660.awsdns-15.co.uk.

AFAIK each of the above name server names points to an Anycast'ed server cluster. This may help to contain simpler attacks to a subset of Amazon's customers, and gives Amazon more options to mitigate an attack.

> evaluate whether measures were effectively adopted by the provider

That's a good question. Enterprise providers like UltraDNS (Neustar) are presumably willing to sign NDAs and then discuss specifics of their implementation. But realistically, most less expensive providers aren't going to spend lots of time explaining their infrastructure to you. You can read their blogs, and maybe ask them a few relevant pre-sales questions about DDoS mitigation via email, but that's about it.

For smaller Internet-based companies that don't have lots of resources for DNS, a reasonable plan might be:

  • Given that pure DNS hosting can be had for a few bucks per month, use two DNS providers together to be resilient against a provider failure. (NB: If you need proprietary features like Route 53's latency based routing, then this isn't possible.)
  • Prefer DNS providers who have publicly confirmed having DDoS mitigation planning, for example by blogging about it, or who answer reasonably to presales emails on the subject.

  • Thanks @Jesper. Very comprehensive and useful info + links. We already use two providers, and weren't affected by this as far as resolving our existing records, but unfortunately weren't able to make any changes. Route53 isn't particularly friendly to working with other providers, i.e. it doesn't support xfer or running as a slave. Similar problems make it hard for a small internet app to rely on a 3rd party DNS. – Yoav Aner Jul 24 '12 at 22:13
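The two checks a customer can actually run against the plan above are whether the zone's NS set really spans more than one provider, and whether every authoritative server is serving the same SOA serial after a change (the propagation failure described in the question). This is an added example, not code from the answer or from any provider; the `example-dns.net` host names and all serial values are constructed, and the provider grouping is a heuristic, not a public-suffix lookup.

```python
from collections import defaultdict

# Constructed sample: a zone delegated to two providers. The example-dns
# names are hypothetical; the awsdns names follow the pattern shown above.
SAMPLE_NS = [
    "ns1.example-dns.net.", "ns2.example-dns.net.",
    "ns-154.awsdns-19.com.", "ns-1660.awsdns-15.co.uk.",
]
# Constructed SOA serials as each server returned them after a zone change.
# None marks a server that did not answer (e.g. a provider under attack).
SAMPLE_SERIALS = {
    "ns1.example-dns.net.": 2012072401, "ns2.example-dns.net.": 2012072400,
    "ns-154.awsdns-19.com.": 2012072401, "ns-1660.awsdns-15.co.uk.": None,
}

def provider_key(ns_host):
    """Heuristic provider label: the registrable second-level label with digits
    and hyphens stripped, so awsdns-19.com and awsdns-15.co.uk both become
    'awsdns'. A public-suffix list would be more accurate than this rule."""
    labels = ns_host.rstrip(".").lower().split(".")
    # Treat a two-letter TLD with a short second label (co.uk) as a ccSLD.
    ccsld = len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3
    sld = labels[-3] if ccsld else labels[-2]
    return "".join(c for c in sld if c.isalpha())

def providers(ns_hosts):
    """Group the NS set by provider; a single key is a single point of failure."""
    groups = defaultdict(list)
    for host in ns_hosts:
        groups[provider_key(host)].append(host)
    return dict(groups)

def propagation_status(serials):
    """Compare the SOA serial each authoritative server returned.
    Returns (newest_serial, stale_servers, unanswered_servers). Plain max()
    assumes monotonically increasing serials (YYYYMMDDnn style), not RFC 1982
    wrap-around arithmetic."""
    answered = {h: s for h, s in serials.items() if s is not None}
    newest = max(answered.values(), default=None)
    stale = sorted(h for h, s in answered.items() if s != newest)
    unanswered = sorted(h for h, s in serials.items() if s is None)
    return newest, stale, unanswered

def assess(ns_hosts, serials):
    """Summarise both checks for one zone."""
    groups = providers(ns_hosts)
    newest, stale, unanswered = propagation_status(serials)
    return {"provider_count": len(groups), "single_provider": len(groups) < 2,
            "newest_serial": newest, "stale": stale, "unanswered": unanswered,
            "propagated": not stale and not unanswered}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_NS, SAMPLE_SERIALS).items():
        print(f"{key}: {value}")
```

In practice the NS names come from a query for the zone's NS records and the serials from an SOA query sent to each listed server individually, which is how a stuck change like the one in the question shows up as a lagging serial on one provider.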

In keeping with the twin themes of multiple DNS providers and making Route53 more compatible in that sort of setup, we do have easyRoute53 (by "we" I mean over at easyDNS - I was the author of that earlier cited blog post on strategies for dealing with DDoS attacks).

So with our link layer to Amazon's Route53 you can keep the DNS in sync across their system and our system. Between the two that could put you on over 50 nameservers worldwide.