[dns-operations] DNS at FOSDEM 2016
dns at fl1ger.de
Wed Feb 3 18:11:34 UTC 2016
On 3 Feb 2016, at 15:27, sthaug at nethelp.no wrote:
>> DNS requests and HTTP request are two totally different beasts wrt
>> scaling, operation and cost. Also the current authoritative
>> infrastructure we have today would not scale to resolvers on all
> I don't believe there is agreement about the your last sentence here.
I think we can agree to disagree.
> Personally I think the authoritative server infrastructure would
> handle this just fine - but I shudder to think about the increase in
> DNS-based reflection/amplification DDoS attack traffic which would be
> expected given a several order of magnitude increase in the number of
Even normal traffic would increase way beyond what a lot of the
authoritative hosts are capable of at the moment. An CEO of a large
registrar that had a way underprovisoned DNS setup for normal traffic
once at ICANN said to me that he is in the domain business and not the
DNS business (he didn't know who Paul Mockapetris was either).
Also random subdomain attacks (or waterfall attacks as they call them in
Asia) are still very effective to take out domains using ISP resolvers
to kill the authoritative servers. If the authoritative server were well
or better scaled then the http server the attacker would be using
something else or?
ISP resolvers these days run with cache hit rates way greater than 90%,
so even if you take that number it would be 10x increase of traffic you
count it that way, but when you look deeper the increase would be even
more. I just did a quick count for www.amazon.com on an ISP dataset I am
working on at the moment. In 10 minutes clients (and these will be
future resolvers if we think that to the end) asked 151657 times for
this domain yet only 385 queries for this name where send to the
authoritative servers and that doesn't include delegations and side
lookups. This is a 400x increase and while Amazon and maybe some other
big players might be able to handle that it will it needs a significant
upgrade in machinery for that, especially at the low end or long tail of
the domain/DNS market.
And when you think about going to TCP that at least is another 10 times
increase, according to all the measurements I know so far.
Granted my view might be biased as I work for a software vendor that
does sell large recursive resolvers to ISPs and Telcos, but it's also
based at looking at a lot of DNS data and dealing with analysing these
The DNS Caching architecture as we have it currently still provides lots
of benefits leave alone the possibilities you have there to protect
users and authoritative servers from attacks. There also is a privacy
issue when you ask the authoritative server unencrypted directly from
the end device, and if you then add encryption that is yet another
increase in the infrastructure someone has to do.
More information about the dns-operations