[dns-operations] DNS at FOSDEM 2016

Matthew Pounsett matt at conundrum.com
Wed Feb 3 15:41:27 UTC 2016

> On Feb 3, 2016, at 09:27 , sthaug at nethelp.no wrote:
>> DNS requests and HTTP request are two totally different beasts wrt 
>> scaling, operation and cost. Also the current authoritative 
>> infrastructure we have today would not scale to resolvers on all 
>> clients.
> I don't believe there is agreement about your last sentence here.
> Personally I think the authoritative server infrastructure would
> handle this just fine - but I shudder to think about the increase in
> DNS-based reflection/amplification DDoS attack traffic which would be
> expected given a several order of magnitude increase in the number of
> resolvers.

The existing infrastructure can probably handle it initially, sure ... but expect your domain registrations and DNS hosting to be an order of magnitude more expensive. Much of the authoritative infrastructure has an overhead multiplier built into its capacity, where the multiplier is locally chosen based on the likelihood and impact of DDoS. Some infrastructures are built to handle over 100x the “normal” traffic load.

When the normal query rate sees an order (or two) of magnitude jump, it eats away that extra capacity built into the system, and everyone has to scale up to get back their DDoS-eating overhead.

