[dns-operations] HTTP vs DNS load musings (was DNS at FOSDEM 2016)
Shane Kerr
shane at time-travellers.org
Wed Feb 3 16:11:32 UTC 2016
Matt,
At 2016-02-03 10:41:27 -0500
Matthew Pounsett <matt at conundrum.com> wrote:
> > On Feb 3, 2016, at 09:27 , sthaug at nethelp.no wrote:
> >
> >> DNS requests and HTTP requests are two totally different beasts wrt
> >> scaling, operation and cost. Also the current authoritative
> >> infrastructure we have today would not scale to resolvers on all
> >> clients.
> >
> > I don't believe there is agreement about your last sentence here.
> >
> > Personally I think the authoritative server infrastructure would
> > handle this just fine - but I shudder to think about the increase in
> > DNS-based reflection/amplification DDoS attack traffic which would be
> > expected given a several-order-of-magnitude increase in the number of
> > resolvers.
>
> The existing infrastructure can probably handle it initially, sure...
> but expect your domain registrations and DNS hosting to be an order
> of magnitude more expensive. Much of the authoritative
> infrastructure has an overhead multiplier built into its capacity,
> where the multiplier is locally chosen based on the likelihood and
> impact of DDoS. Some infrastructures are built to handle over 100x
> the “normal” traffic load.
>
> When the normal query rate sees an order (or two) of magnitude jump, it
> eats away that extra capacity built into the system, and everyone has
> to scale up to get back their DDoS-eating overhead.
Since we've started down the rat-hole of DNS vs. HTTP, I would like to
point out that one of the reasons that DNS is built with 100x
over-capacity is because of the lack of protocol resistance to
unauthenticated packets.
If you could filter and/or rate limit based on the source IP address,
then mitigation systems could be a lot more straightforward.
Interestingly the latest DNS over TCP draft proposes a solution that
looks a lot like HTTP/2... :P
Cheers,
--
Shane