There has never been a better time to cripple the Internet by attacking DNS: every connection depends on it, and it runs over stateless UDP. The proliferation of mobile devices, coupled with the limited capacity of open source DNS servers, is keeping a lot of organizations awake at night, among them large enterprises, financial services institutions and carrier service providers.

Existing firewalls are insufficient to protect DNS infrastructure from fast-evolving attacks. To counter them, a proven solution architecture and comprehensive design considerations ought to be put in place for the DNS infrastructure. Let's discuss the solution design considerations for a more secure DNS infrastructure.

Performance vs. Traffic Analysis

There are generally two schools of thought on how to counter overwhelming DNS attacks: increase protection through traffic analysis and packet inspection, or increase DNS performance. Both approaches are resource intensive and require heavy investment.

Prior to the massive growth of mobile devices, open source DNS servers such as BIND were able to cope with the DNS traffic and with pockets of attacks. The recent mobility trend has multiplied DNS traffic tens-of-fold, leaving DNS systems vulnerable to even small-scale attacks.

For the camp that advocates stronger security through packet inspection and analysis of DNS traffic, the process is resource intensive and largely ineffective: DNS runs over UDP, so source IP addresses are trivially spoofed, and any per-source filtering or reputation check is working on data the attacker controls. The inspection step also adds latency to every DNS response. Even with a resource-intensive inspection mechanism in place, the low query response rate of BIND (the figure cited here is roughly 30K QPS per instance) is the Achilles heel of an otherwise well-protected DNS system. Based on what enterprises and carrier service providers have shared, a flood of DNS queries with mixed and spoofed source addresses can easily take down their DNS infrastructure. The practical check is to measure your own authoritative servers under load rather than assume a number.

Personally, I am more inclined to the latter approach. The performance approach argues that every well-formed DNS query should be answered regardless of whether its source address is genuine. Instead of spending computing resources on packet analysis, those resources are put to better use by raising the query response rate. With F5's patented DNS Express technology, DNS records are held in memory (RAM) and queries are answered at higher speed. This increases DNS performance dramatically and, according to F5, allows VIPRION to support up to 10 million queries per second on a single hardware platform. A high-performance DNS platform thus serves as a deterrent and an effective protection against DNS DoS and spam attacks. So let's rethink the DNS operations team's mission for a second: isn't it to keep DNS answering at all times?
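To make the "answer from memory, don't vet the source" idea concrete, here is a minimal authoritative responder, written for this post as an added illustration; it is not F5's DNS Express code nor anything from BIND. It holds a constructed zone in a Python dictionary, parses the query's wire format, and builds the reply with no per-source checks at all, which is exactly why spoofed source addresses cost it nothing. The zone contents, the `benchmark` helper and the sample query are all assumptions made for the example; the 10M QPS figure above is a vendor number for purpose-built hardware and is not what this script will reach.

```python
import socket
import struct
import time

# Constructed in-memory zone (name -> (ttl, IPv4)); stands in for the records
# an in-memory authoritative server would preload from its zone file.
ZONE = {
    "www.example.com.": (300, "192.0.2.10"),
    "mail.example.com.": (300, "192.0.2.25"),
}

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted FQDN into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode an uncompressed name at offset; return (fqdn, offset after it)."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in question")
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a standard recursion-desired query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def answer_query(packet):
    """Answer one query straight from ZONE; return reply bytes, or None if malformed.

    Deliberately no source-address reputation or rate checks: the work per packet
    is parsing and a dictionary lookup. EDNS OPT records in the additional section
    are ignored, so the reply carries none.
    """
    if len(packet) < 12:
        return None
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & FLAG_QR or qdcount != 1:  # not a query, or odd question count
        return None
    try:
        qname, off = decode_name(packet, 12)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    except (ValueError, UnicodeDecodeError, struct.error):
        return None
    question = packet[12:off + 4]
    base = FLAG_QR | FLAG_AA | (flags & FLAG_RD)
    record = ZONE.get(qname.lower())
    if record is None:  # name not in our zone: NXDOMAIN, no answer section
        return struct.pack("!HHHHHH", txid, base | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    if qclass != QCLASS_IN or qtype != QTYPE_A:  # known name, no data of that type
        return struct.pack("!HHHHHH", txid, base, 1, 0, 0, 0) + question
    ttl, addr = record
    rr = (b"\xc0\x0c"  # compression pointer to the question name at offset 12
          + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + socket.inet_aton(addr))
    return struct.pack("!HHHHHH", txid, base, 1, 1, 0, 0) + question + rr


def parse_answer(response):
    """Return (txid, rcode, ancount, ipv4-or-None) from a reply built by answer_query."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    _, off = decode_name(response, 12)
    off += 4  # skip qtype/qclass
    addr = None
    if ancount:
        off += 2  # the name pointer
        _, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        addr = socket.inet_ntoa(response[off:off + rdlen])
    return txid, flags & 0x000F, ancount, addr


def benchmark(n=100000):
    """Rough answers-per-second from memory on this host: a sizing check, not a vendor figure."""
    q = build_query("www.example.com.")
    start = time.perf_counter()
    for _ in range(n):
        answer_query(q)
    return n / (time.perf_counter() - start)


def serve(bind_addr="127.0.0.1", port=5353):
    """Single-threaded UDP loop: receive, answer from memory, send. Assumed test port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            data, peer = s.recvfrom(512)
            reply = answer_query(data)
            if reply is not None:
                s.sendto(reply, peer)


if __name__ == "__main__":
    print(f"approx {benchmark():,.0f} answers/s from memory on this host")
```

Run it once to see how many answers per second a single Python process manages on your hardware; the gap between that and the numbers quoted for purpose-built appliances is the whole argument of this section. Note the responder answers NXDOMAIN for unknown names and an empty NOERROR for a known name with no A record, which is the behaviour clients expect from an authoritative server.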

Diagram 1: F5 DNS Express offloads the DNS servers from answering queries, hiding the master DNS servers from DoS and other attacks

Security attacks and their countermeasures are an ever-lasting battle that requires innovation and proper solution design to stay ahead of the game. In subsequent posts I will share more about countering cache poisoning attacks and DNS amplification/reflection attacks. Stay tuned.