
Protecting the domain name system

Worth a read: this article by ICANN board member Karl Auerbach on how to protect the domain name system against denial of service attacks. Mr. Auerbach's fundamental point is simple: the DNS is a uniquely vulnerable component of the Internet because it is centralized. The net as a whole has no center, but the DNS depends heavily on its root servers. Most of the suggestions for improving the security of DNS thus involve spreading things out, and making them diverse and redundant.

The suggestions are:

  • Make copies of the root DNS zone files available, and disperse them everywhere.

  • Create multiple roots for the DNS system.

  • Create an early warning system which raises the alarm when it detects the beginning of a denial of service attack.

  • Create a set of canned router filters which can be quickly applied to protect the root DNS servers in case of an attack.

  • Have a plan for moving a root server elsewhere on the Internet should that server come under attack.

  • Create alternative DNS server software, so that not everybody is running bind.
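
The early-warning suggestion is the one that lends itself to a concrete sketch. What follows is an added example, not code from the article, from LWN, or from Mr. Auerbach: it assumes a constructed query-log format of one line per query ("<unix_ts> <client_ip> <qname> <qtype>", an assumption, not anything the article specifies), learns a baseline query rate from a quiet period, and raises the alarm when the rate stays far above that baseline for several consecutive seconds and the excess is spread across many source addresses, which is the pattern an operator would want flagged before a root server saturates.

```python
"""Sliding-window early warning for a DNS query flood.

Added example, not code from the article or from Mr. Auerbach. The log
format, the thresholds and the sample traffic are all assumptions made
here for illustration.
"""
from collections import defaultdict
from statistics import median


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname, qtype


def per_second_stats(lines):
    """Return {second: (query_count, distinct_client_count)} for the log."""
    clients_by_second = defaultdict(set)
    counts = defaultdict(int)
    for line in lines:
        ts, client, _qname, _qtype = parse_line(line)
        counts[ts] += 1
        clients_by_second[ts].add(client)
    return {s: (counts[s], len(clients_by_second[s])) for s in counts}


def learn_baseline(stats, learn_seconds):
    """Median queries/second over the first `learn_seconds` of the log.
    In a real deployment the baseline is learned from known-quiet traffic;
    here the first seconds of the constructed log are quiet by design."""
    seconds = sorted(stats)[:learn_seconds]
    return median(stats[s][0] for s in seconds)


def detect_flood(lines, learn_seconds=10, factor=5, sustain=3, min_clients=20):
    """Alarm when qps exceeds factor * baseline for `sustain` consecutive
    seconds AND the traffic comes from at least `min_clients` sources
    (one noisy resolver is a different problem from a distributed flood).
    Returns the second at which the alarm fires, or None."""
    stats = per_second_stats(lines)
    baseline = learn_baseline(stats, learn_seconds)
    threshold = factor * max(baseline, 1)
    streak = 0
    for second in sorted(stats):
        qps, clients = stats[second]
        if qps > threshold and clients >= min_clients:
            streak += 1
            if streak >= sustain:
                return second
        else:
            streak = 0
    return None


def constructed_log():
    """Ten quiet seconds from three resolvers (3 queries/second), then five
    seconds of 60 queries/second from 50 constructed source addresses.
    Sample data built for this example, not captured traffic."""
    lines = []
    resolvers = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]
    for second in range(1_000_000_000, 1_000_000_010):
        for resolver in resolvers:
            lines.append(f"{second} {resolver} example. A")
    for second in range(1_000_000_010, 1_000_000_015):
        for i in range(60):
            client = f"203.0.113.{i % 50 + 1}"
            lines.append(f"{second} {client} example. A")
    return lines


if __name__ == "__main__":
    alarm = detect_flood(constructed_log())
    print("flood detected at second", alarm if alarm is not None else "none")
```

On the constructed log the baseline is 3 queries/second, the threshold 15, and the alarm fires on the third flood second. The `sustain` and `min_clients` knobs are what keep a one-second burst or a single misbehaving resolver from paging anyone; the point of an early-warning system is to be trusted when it fires, so it has to be tuned against the operator's own quiet-period traffic rather than the numbers used here.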

All of these suggestions make sense, of course, in many contexts other than the domain name system. It is important to replicate crucial data, spread your vital resources out, have fallback plans, and to have a diverse software base. We will see whether these ideas are actually heard by the DNS Powers That Be, however.



DNS Powers That Be

Posted Oct 31, 2002 21:14 UTC (Thu) by roelofs (subscriber, #2599) [Link]

We will see whether these ideas are actually heard by the DNS Powers That Be, however.

Let's hope, but don't hold your breath. ICANN has been remarkably unresponsive to the needs of many of its constituencies, preferring to operate in secrecy and apparently under the control of rich corporate interests. Aside from Karl's ouster, the most recent fuss involves the ccTLDs, who are getting sufficiently irritated at (among other things) its unilateral decisions to charge it with breach of contract in one case and threaten to secede altogether.

I wouldn't be surprised if things aren't quite as one-sided as ICANNWatch make them sound, but the fact that ICANN operates in near-total secrecy makes it difficult to give them the benefit of the doubt.

And in case you think the DNS root-server issue is purely technical and therefore not susceptible to politicking, keep in mind that centralization is a major prerequisite for control--and control is power, and power is what makes politics go.

Greg

Copyright © 2002, Eklektix, Inc.