on 11-Nov-2012 08:07
Imagine a situation in which you are unable to look up a person’s phone number because the address book on your phone is not working, and do not have access to an old fashioned phone directory. Most people do not memorize all of their contacts’ ten digit phone numbers. You no longer have the ability call anyone that you want to. That smartphone is not very smart anymore.
What if you are attempting to access a website such as,’www.f5.com’? Your device uses a phone directory of sorts to map the name you provided to an IP address that resides somewhere on the Internet - hosting the content or application you are looking for. The Domain Name System (DNS) protocol is the standard developed to provide this service on the Internet. The DNS protocol was first defined in 1982 with RFC 882 and RFC 883.
Internet outages due to problems with DNS infrastructure or DNS attacks are common. A large proportion of the outages we hear about on the Internet are due to DNS malfunctions. DNS is a mission critical service for the Internet that is required for almost all other applications to function properly. It is a core component of any network infrastructure. It is required for users and applications to locate resources on the network by resolving common names to IPv4 and IPv6 addresses that these resources use. If DNS becomes unavailable, there might as well be no Internet. One will not be able to connect to resources on the Internet. The cloud fails. Websites become inaccessible. People cannot stream their YouTube videos. No one can update their Facebook status. People might as well go back to watching television and listening to the radios. That is, as long as they are not watching video streamed via the Internet through Netflix or Hulu or music via Pandora or Napster. When DNS goes down, people are unhappy.
The communications service providers (CSP) have a vested interest in the DNS protocol. They provide the infrastructure that allows their subscribers to make DNS queries to connect to sites and services on the Internet. They also provide DNS services for their business customers and content providers who host applications through the CSP. CSPs provide DNS services for various customers as well as use it to provide access to their own resources. They deploy these DNS services in different parts of their network depending on the role the service is providing.
First, the CSP is making DNS services available for their subscribers. These are called local DNS servers (LDNS) because they are local to and support the end device making the DNS query. The LDNS servers receive the DNS request from the customer and on their behalf, and recursively makes a series of queries through the global DNS infrastructure to obtain the proper IP address answer for the DNS request. The LDNS servers need to be robust, handling requests from millions of subscribers and subsequently making tens of millions requests to obtain the answer. They need to always be available. When they fail, the CSP’s customers cannot access their Internet content and services. Everyone is unhappy.
Many of these LDNS servers cache responses to improve their performance and ability to deliver an answer to a DNS query in a timely manner. It is possible for malicious users to take advantage of security weaknesses in the DNS protocol to manipulate the answers stored in the cache in such a way that a subscriber is no longer directed to the proper website, but to a website designed by the malicious user to do ‘bad things’. This type of Internet attack is called DNS cache poisoning. People affected by this type of attack often become stolen identity victims or their device becomes compromised and becomes the newest member of a botnet. These people become very unhappy.
The CSP also maintains the address book for the names that they own and if they are a managed service provider (MSP) they could own a business’s names on their behalf. The DNS servers that manage this role are considered to be authoritative name servers. These servers are the authority for what IP addresses are mapped to these names. Without these authoritative DNS servers, people cannot access the CSP’s brand or their business customer’s content. A loss of a business’s Internet presence or having the CSP’s content become unavailable causes a major business disruption, loss of revenues and a tarnishing of the company’s brand. Once again, there are many unhappy people.
CSPs have another case managing authoritative DNS servers that deserves its own category. Almost all of the internal infrastructure that makes their network run and provide access for their customers use DNS. These DNS names and IP addresses are not exposed to the public. For many applications that a customer uses, there are communications occurring behind the scenes either validating the use of that application by the customer (are they allowed to access Netflix streaming content?) or assisting in the management of a subscriber’s connections (establishment of a VoIP SIP call to another subscriber). If these DNS services become unavailable, subscribers cannot connect to their wireless networks, many applications fail to work and, of course, the CSP’s brand gets a black eye. People are not very happy.
It becomes apparent that there is a need to ensure that all of these DNS services are available. This is achieved through scalability, availability and security. Scalability means support for the high volumes of DNS requests from subscribers during peak times. Availability is the need ensure that DNS servers are always accessible and functioning. Security is the protection of the DNS infrastructure from various attacks and assuring that the DNS records have not been compromised.
I will discuss what it means to provide scalability, availability and security to the CSP DNS infrastructure in detail in future blog posts. When a CSP is able to apply these aspects to their DNS infrastructure, resources and applications on the Internet are always reachable. People are not angry that access is down, brands are not tarnished and identities have been stolen. The universe of the Internet becomes a little happier.