Fighting DDoS Attacks with Hybrid DNS

DNS security has been in the news again, with one of the largest DDoS attacks ever disrupting the Dyn cloud DNS service. At least 150,000 compromised devices (including IoT hardware) were used by the Mirai botnet to bombard cloud-hosted DNS servers with DNS requests, taking down access to many of the Internet’s most popular services. It’s not the only major service provider that’s had a DNS-based attack in the last few weeks, with Singapore’s StarHub reporting a similar incident.

What is important to note is that it wasn’t just cloud DNS services that were affected; the millions of users trying to access DNS addresses served by the service were also generating a massive number of retries, increasing normal service volume by 10 to 20 times. So, while the attackers were flooding their servers with a massive number of TCP and UDP packets targeted at port 53, its users were also having their normal load on the service magnified as they tried to get around the disruption.

Outsourcing DNS has been seen as good practice – it removes infrastructure that you may not have the resources to run. But these incidents show there is a downside: you’re increasing the risk of becoming collateral damage in a DDoS on someone else’s services. Sharing DNS resources with thousands of other users means an attack on one is an attack on all.

What’s clear from these recent incidents is that hackers see DNS as a weak link in the Internet security chain, one that can be quickly overwhelmed and used to take down not just the target site, but also to deliver a massive amount of collateral damage. While you may not be the target of such an attack, there’s a much higher probability that your users won’t be able to get to your sites and services.

It’s a definite problem, but there is an answer: building a hybrid DNS architecture.

One key part of the DNS specification is that it lets you use multiple servers to host DNS records, servers that can all be accessed at the same time. While it may be a little more work keeping in sync, having multiple DNS servers gives you the option of having a service that continues running for your users in the event of one of your DNS servers being inaccessible. Some DNS servers will handle the process of updating other DNS servers automatically, reducing the time needed to manage your DNS assets.

In a hybrid DNS architecture, your DNS servers are active all the time, so in the event of a major DNS DDoS, your users will continue using the unaffected server – giving them continued access to your servers, while at the same time preventing automatic retries multiplying the effects of the initial attack.

By using your own server as part of a hybrid DNS for your sites and services, you’re able to reduce the risk of becoming collateral damage, unlike many big Internet services, which were inaccessible for several hours while the effects of DNS DDoS dissipated. Using an alternate cloud DNS in conjunction with a local DNS-based service, will also allow you to stay online when your cloud provider is attacked, and by having a cloud DNS as an alternative to your own local service, you’re covered if your local server is overwhelmed by a direct attack.

These major DDoS on cloud service providers show just how important DNS is to the wider Internet. By building a hybrid DNS mixing DNS technologies, and using a mix of cloud and local DNS providers, you and your servers will reduce the risk of becoming collateral damage in the next big bot-powered disruption. If your business depends on connectivity, it’s well worth investing in a solution that gives you the best of both worlds, while reducing your exposure to risk.