It’s time for a DNS check-up, experts warn

Have you checked your DNS servers lately? If not, you may be putting your company’s entire network at risk.

The Internet’s DNS is a global distributed database that matches domain names with corresponding IP addresses. The DNS is critical for every Internet application, from Web surfing and e-mail to VoIP and video streaming.

If DNS doesn’t work, the Internet doesn’t work. That’s why you need to make sure that your DNS systems are robust, scalable and secure.

The vulnerability of DNS was demonstrated this month by a distributed denial-of-service attack that affected three out of the 13 root servers that run the DNS. While that attack failed to take down the Internet’s DNS, it showed that DNS continues to be a target for hackers.

"DNS serving capacity is of increasing importance with the advent of increasingly deadly attacks of the distributed DoS variety," says Richard Kagan, vice president of marketing with Infoblox, which sells DNS appliances.

Whether you run your DNS systems yourself – using software or appliances – or you outsource the job to a service provider, you need to make sure that your DNS service is resilient enough to withstand today’s high-powered hacking attacks and capable enough to support new DNS-intensive applications.

Many companies, however, don’t pay enough attention to their DNS systems.

"For a lot of companies, DNS runs in a closet. It runs on old, underpowered computers and it runs on old software," says Albert Gouyet, vice president of marketing with Nominum, which sells carrier-class DNS software.

Kagan says few IT executives realize that their networks and all of their applications will cease to work if core network services such as DNS aren’t operating.

"It’s surprising how often we go into environments with very experienced IT people who aren’t fully aware of the impact that these core services have on their applications," Kagan says. "Most organizations don’t have a disaster recovery plan for DNS."

Several trends are driving DNS traffic up dramatically for service providers and corporations:

* The amount of spam is up dramatically, which drives up e-mail volumes. Every e-mail requires at least one DNS look-up (an MX query for the recipient’s domain, then an address query for the mail host it names).

* Some types of antispam filters produce as many as 10 or 20 DNS queries for each message, since every DNS-based blocklist consulted, plus SPF and reverse-DNS checks, is a separate query.

* The latest Web sites use distributed content, which requires more DNS look-ups.

* Microsoft Active Directory depends on DNS for many functions, including locating domain controllers through SRV records.

* The Session Initiation Protocol (SIP) used in most VoIP implementations depends on DNS, using SRV (and NAPTR) records to locate SIP servers.

"All of these things are contributing to the fact that DNS is growing much faster than anything else on your network," Gouyet says.

"The volume of DNS traffic is going up, the number of applications hitting DNS is going up and the dependencies of applications on DNS are going up," Kagan adds.

Few IT shops baseline their DNS traffic, so they don’t know how many DNS queries per second they are receiving or how fast that number is rising. Those that do benchmark DNS traffic are finding that they have to increase the performance of their DNS systems, Kagan says.

"We recently had one of the largest banks in the world tell us that they have 15 DNS look-ups for every transaction," Kagan says. "This is not a problem unless you have a failure of a DNS server and not a single transaction is going through."
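Establishing that baseline is straightforward from the query log most DNS servers can already write. The script below is an added example, not code from the article or from either vendor; it assumes BIND 9’s classic query-log line format (with `print-time yes`), and the log lines, the rated capacity and the growth rate it uses are constructed for illustration. It counts queries per second, reports the peak and the query-type mix, and projects how long the 30% utilization target the experts recommend will hold under a given annual growth rate.

```python
"""Baseline DNS query rate from a BIND 9 query log and project capacity headroom.

Added example, not from the article. Assumes BIND 9's classic query-log format
with `print-time yes`; everything in SAMPLE_LOG is constructed for illustration.
"""
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in BIND 9's classic query-log format (assumption).
SAMPLE_LOG = """\
06-Feb-2007 14:03:12.105 client 10.0.0.5#51234: query: www.example.com IN A +
06-Feb-2007 14:03:12.311 client 10.0.0.5#51235: query: example.com IN MX +
06-Feb-2007 14:03:12.640 client 10.0.0.9#4021: query: 5.0.0.10.in-addr.arpa IN PTR +
06-Feb-2007 14:03:13.002 client 10.0.0.9#4022: query: mail.example.net IN A +
06-Feb-2007 14:03:13.450 client 10.0.0.7#3310: query: _sip._udp.example.com IN SRV +
06-Feb-2007 14:03:14.120 client 10.0.0.7#3311: query: _ldap._tcp.dc._msdcs.corp.example IN SRV +
06-Feb-2007 14:03:14.121 client 10.0.0.7#3312: query: 7.0.0.10.in-addr.arpa IN PTR +
06-Feb-2007 14:03:14.900 client 10.0.0.5#51236: query: cdn.example.org IN A +
not a query line: named[1234]: zone example.com/IN: loaded serial 2007020601
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S"


def parse_log(text):
    """Yield (timestamp truncated to the second, qtype) for each query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # zone loads, notifies, etc. are not queries; skip them
        yield datetime.strptime(m["ts"], TS_FORMAT), m["qtype"]


def baseline(text):
    """Return (queries per second, peak QPS, queries per qtype) for a log."""
    per_second = Counter()
    per_type = Counter()
    for second, qtype in parse_log(text):
        per_second[second] += 1
        per_type[qtype] += 1
    peak_qps = max(per_second.values(), default=0)
    return per_second, peak_qps, per_type


def utilization(peak_qps, rated_qps):
    """Fraction of rated capacity consumed at the observed peak."""
    return peak_qps / rated_qps


def years_until_threshold(current_util, growth_per_year, threshold=0.30):
    """Years until utilization crosses `threshold` if traffic multiplies by
    `growth_per_year` annually (2.0 = doubling). 0 if already over it."""
    if current_util >= threshold:
        return 0.0
    if growth_per_year <= 1.0:
        return math.inf  # flat or shrinking traffic never crosses
    return math.log(threshold / current_util) / math.log(growth_per_year)


if __name__ == "__main__":
    RATED_QPS = 20      # assumed: what load testing showed this server sustains
    GROWTH = 2.0        # assumed: traffic doubling every year, as in the article
    per_second, peak, per_type = baseline(SAMPLE_LOG)
    util = utilization(peak, RATED_QPS)
    print(f"peak {peak} qps over {len(per_second)} s; mix {dict(per_type)}")
    print(f"utilization {util:.0%}; 30% ceiling reached in "
          f"{years_until_threshold(util, GROWTH):.1f} years at x{GROWTH}/year")
```

Against a real log, feed the file contents to `baseline()`. The peak, not the average, is the number to compare with the server’s rated capacity, because daily peaks and attacks are what exhaust a server; the query-type mix tells you which of the drivers above (MX and PTR from mail filtering, SRV from Active Directory and SIP) is responsible for the growth.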

DNS experts recommend that IT executives ask several questions about their DNS systems:

1. How much headroom do you have in case of an attack? Find out how much excess network and server capacity you have. A reasonable target is to run at no more than about 30% of capacity, so that an attack that doubles your query volume still leaves you well within limits.

2. How fast is your DNS traffic growing? Once you know the answer to this question, you can do the math to figure out how many additional DNS servers or appliances you need to add. For example, if you are running at 15% of capacity and your traffic is doubling every year, you will reach the 30% ceiling in a year, so you need to double your server capacity by then to stay under it.

3. Do you have enough geographically distributed DNS servers to weather an attack? For performance, availability and survivability, you don’t want all of your DNS services run out of one data center. That’s why more IT shops are using a technique called Anycast, in which the same IP address is advertised from several locations and routing delivers each query to the nearest server announcing it.

"We strongly recommend that organizations use Anycast for their external DNS," Kagan says, pointing out that all Infoblox appliances now support Anycast. "It’s relatively simple to configure. Once you have Anycast in place, you can broadcast your DNS information around the Internet."
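Anycast has one caveat worth adding: if a node’s DNS daemon dies but its router keeps advertising the anycast prefix, the routing system keeps steering queries to a server that cannot answer them, and because every node shares the address, no other node can pick up that traffic. Each node therefore needs a health check that withdraws the route when the service fails. The script below is an added example, not Infoblox or Nominum code and not from the article. It assumes the anycast address is bound to the loopback interface and that the routing daemon (for instance BIRD with `protocol direct`) advertises whatever addresses are on `lo`, so adding or removing the address announces or withdraws the route. The address, the probe name and the thresholds are assumptions chosen for illustration.

```python
"""Anycast node health check: withdraw the service address when DNS stops answering.

Added example, not code from the article, Infoblox or Nominum. Assumptions:
the anycast address lives on the loopback interface, and the routing daemon
(e.g. BIRD with `protocol direct`) advertises what is on lo, so `ip addr del`
withdraws the route and `ip addr add` announces it again.
"""
import random
import socket
import struct
import subprocess
import time

ANYCAST_ADDR = "192.0.2.53"   # assumed service address (documentation prefix)
CHECK_NAME = "example.com"    # assumed: a zone this node must answer authoritatively
CHECK_QTYPE = 2               # NS
FAIL_THRESHOLD = 3            # consecutive failed probes before withdrawing
OK_THRESHOLD = 2              # consecutive good probes before re-announcing


def build_query(txid, name, qtype=CHECK_QTYPE):
    """Wire-format DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: plain query, no RD
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def response_is_healthy(txid, data):
    """True only for a reply to our ID with QR set, RCODE 0 and at least one answer.
    SERVFAIL/REFUSED replies mean the daemon is up but not serving, so they fail too."""
    if len(data) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000):
        return False
    if (flags & 0x000F) != 0:
        return False
    return ancount > 0


def probe(addr=ANYCAST_ADDR, timeout=1.0):
    """Send one UDP query to the service address; False on timeout or bad reply."""
    txid = random.randrange(1, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(txid, CHECK_NAME), (addr, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return False
    return response_is_healthy(txid, data)


class AnycastState:
    """Hysteresis: one lost packet must not flap the route across the network."""

    def __init__(self, announced=True):
        self.announced = announced
        self.fails = 0
        self.oks = 0

    def update(self, healthy):
        """Record one probe result; return 'withdraw', 'announce' or None."""
        if healthy:
            self.fails, self.oks = 0, self.oks + 1
            if not self.announced and self.oks >= OK_THRESHOLD:
                self.announced = True
                return "announce"
        else:
            self.oks, self.fails = 0, self.fails + 1
            if self.announced and self.fails >= FAIL_THRESHOLD:
                self.announced = False
                return "withdraw"
        return None


def route_command(action):
    """The `ip` invocation that (un)configures the address on lo for a given action."""
    verb = {"announce": "add", "withdraw": "del"}[action]
    return ["ip", "addr", verb, f"{ANYCAST_ADDR}/32", "dev", "lo"]


if __name__ == "__main__":
    state = AnycastState()
    while True:  # run under a supervisor; needs root to change lo
        action = state.update(probe())
        if action:
            subprocess.run(route_command(action), check=True)
            print(f"{action}: {' '.join(route_command(action))}")
        time.sleep(5)
```

The probe deliberately treats SERVFAIL and REFUSED as failures, since a daemon that is running but cannot load its zones is exactly the node you want out of the anycast set. The same check doubles as a disaster-recovery drill: stop `named` on one node and confirm that its route disappears from the upstream routers within a few probe intervals and that clients keep resolving through the remaining nodes.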

Most of all, DNS experts recommend that companies take a hard look at core network services like DNS and make sure they have sufficient capacity and a disaster recovery plan.

"Think about the forgotten layers of your network," recommends Gouyet. "Don’t wait for an attack. From what we’ve seen of DNS traffic trends, it’s not a question of if you’ll need to upgrade your DNS, it’s a question of when."


Copyright © 2007 IDG Communications, Inc.