[dns-operations] HTTP vs DNS load musings (was DNS at FOSDEM 2016)
shane at time-travellers.org
Wed Feb 3 16:11:32 UTC 2016
At 2016-02-03 10:41:27 -0500
Matthew Pounsett <matt at conundrum.com> wrote:
> > On Feb 3, 2016, at 09:27 , sthaug at nethelp.no wrote:
> >> DNS requests and HTTP request are two totally different beasts wrt
> >> scaling, operation and cost. Also the current authoritative
> >> infrastructure we have today would not scale to resolvers on all
> >> clients.
> > I don't believe there is agreement about the your last sentence here.
> > Personally I think the authoritative server infrastructure would
> > handle this just fine - but I shudder to think about the increase in
> > DNS-based reflection/amplification DDoS attack traffic which would be
> > expected given a several order of magnitude increase in the number of
> > resolvers.
> The existing infrastructure can probably handle it initially, sure ..
> but expect your domain registrations and DNS hosting to be an order
> of magnitude more expensive. Much of the authoritative
> infrastructure has an overhead multiplier built into its capacity,
> where the multiplier is locally chosen based on the likelihood and
> impact of DDoS. Some infrastructures are built to handle over 100x
> the “normal” traffic load.
> When the normal query rate sees an order (or two) magnitude jump, it
> eats away that extra capacity built into the system, and everyone has
> to scale up to get back their DDoS-eating overhead.
Since we've started down the rat-hole of DNS vs. HTTP, I would like to
point out that one of the reasons that DNS is built with 100x
over-capacity is because of the lack of protocol resistance to
If you could filter and/or rate limit based on the source IP address,
then mitigation systems could be a lot more straightforward.
Interestingly the latest DNS over TCP draft proposes a solution that
looks a lot like HTTP/2... :P
More information about the dns-operations