Sunday, January 30, 2005

ISPCP: No Comment yet on DNS Cloud Solution

In reviewing the .net applications, I was intrigued by something I found in the Afilias proposal -- a security implementation described as the "DNS Cloud". However, as this proposal indicates that connectivity to the Cloud is by invitation only to the largest ISPs and recursive DNS server operators, I wondered if anyone in the ISP Constituency had taken note of the proposal and had any thoughts on the topic. A review of the ISPCP discussion list shows that it's not yet on their radar... The Afilias proposal is reprinted below:

Since it is clear that even some of the world's largest DNS networks can be taken down by an array of botnets, a stronger, more resilient solution had to be created: the "DNS Cloud".

Since there is currently no commercially available or practical method of filtering or processing the "Perfect DNS DDoS" packet, the DNS Cloud solution provides a mechanism that meets the primary objective of an authoritative DNS system while under a crushing attack -- enabling recursive servers to continue to resolve queries normally.

UltraDNS has achieved this by identifying the largest sources of legitimate DNS queries for the zones that UltraDNS is authoritative for, and then deploying complete authoritative UltraDNS Nodes onto local segments that contain the "Trusted Recursive Servers". These "Local Nodes" are then connected via point-to-point Ethernet circuits, and queries from the Trusted Recursive Servers for the UltraDNS zones are then asked, and answered, in a fully isolated and protected environment. This topology provides for unprecedented sub-5-millisecond query response times within the networks where Local Nodes are installed.

The Local Nodes are functionally identical to the normal Public Nodes, and include the use of the announced Anycast IP addresses via BGP as well as protected connectivity to the UltraDNS Replication System, to assure data consistency. The Local Nodes employ the same operational mechanisms as the Public Nodes so that anomalies are identified in the same way, and are handled accordingly. Should the Local Nodes within a Host ISP's network fail for any reason, the local routes would be withdrawn as a result, and the Trusted Recursive Servers will automatically follow the normal external announcements and paths to the UltraDNS Public Nodes. The Host ISPs (the ISPs controlling the Trusted Recursive Servers that are the sources of the queries) protect access to "their" UltraDNS Local Nodes, and are encouraged to permit their customers to also access the Local Nodes via their own recursive servers that are configured to forward queries for UltraDNS's zones to the Trusted Recursive Servers. However, the Host ISP is responsible for making this decision and for managing it. The Host ISPs must confirm their understanding that if they have not maintained the integrity of the local isolated network, they will not experience the benefits of this system during a DDoS.
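The failover the proposal describes above (Local Node announces the anycast prefix on the private segment; when it fails its route is withdrawn and the Trusted Recursive Servers follow the external announcements to the Public Nodes) can be modelled in a few lines. The following is an added example written for this post, not UltraDNS's or Afilias's code; it assumes a simplified BGP decision process (highest LOCAL_PREF, then shortest AS path), and the prefix, AS numbers and node names are constructed for illustration.

```python
"""Added example: a small model of the DNS Cloud failover behaviour.
A Host ISP's router carries two announcements for the same anycast prefix:
one learned from the Local Node on the private point-to-point segment
(preferred) and one learned externally for the Public Nodes. When the Local
Node fails its route is withdrawn and the best path falls back to the Public
Nodes; when it returns the local path wins again. All names, prefixes and AS
numbers are constructed for illustration (hypothetical, not from the proposal)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example prefix (documentation range, not a real anycast block)
ANYCAST_PREFIX = "198.51.100.0/24"


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str          # node that will answer queries sent this way
    as_path: tuple         # BGP AS path; shorter is better
    local_pref: int        # BGP LOCAL_PREF; higher is better
    origin: str            # "local" (private segment) or "external"


@dataclass
class HostIspRouter:
    """Routing table of a Host ISP that hosts a Local Node."""
    rib: List[Route] = field(default_factory=list)

    def announce(self, route: Route) -> None:
        # Replace any existing announcement from the same next hop
        self.withdraw(route.next_hop)
        self.rib.append(route)

    def withdraw(self, next_hop: str) -> None:
        # A failed Local Node stops announcing; its route disappears from the RIB
        self.rib = [r for r in self.rib if r.next_hop != next_hop]

    def best_route(self, prefix: str) -> Optional[Route]:
        # Simplified BGP decision: highest LOCAL_PREF, then shortest AS path
        candidates = [r for r in self.rib if r.prefix == prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))

    def path_is_isolated(self, prefix: str) -> bool:
        """True while queries stay on the private segment (the DDoS-isolated path)."""
        best = self.best_route(prefix)
        return best is not None and best.origin == "local"


def build_host_isp() -> HostIspRouter:
    """Constructed Host ISP with one Local Node plus the external Public Node path."""
    router = HostIspRouter()
    # Private point-to-point route to the Local Node, preferred via LOCAL_PREF
    router.announce(Route(ANYCAST_PREFIX, "local-node", (64500,), 200, "local"))
    # Normal external announcement of the same anycast prefix (Public Nodes)
    router.announce(Route(ANYCAST_PREFIX, "public-nodes", (64501, 64502, 64500), 100, "external"))
    return router


def failover_sequence() -> List[str]:
    """Next hop chosen before the Local Node fails, during the outage, and after recovery."""
    router = build_host_isp()
    chosen = [router.best_route(ANYCAST_PREFIX).next_hop]
    router.withdraw("local-node")            # Local Node fails; its route is withdrawn
    chosen.append(router.best_route(ANYCAST_PREFIX).next_hop)
    router.announce(Route(ANYCAST_PREFIX, "local-node", (64500,), 200, "local"))
    chosen.append(router.best_route(ANYCAST_PREFIX).next_hop)
    return chosen


if __name__ == "__main__":
    print(failover_sequence())  # ['local-node', 'public-nodes', 'local-node']
```

The `path_is_isolated` check is the operational question a Host ISP would want answered continuously: the proposal's caveat that an ISP which has not kept the local segment's integrity "will not experience the benefits of this system during a DDoS" is exactly the case where this returns False while the external path is still being used.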

By inviting the largest service providers to connect directly and privately to the UltraDNS directory infrastructure via the DNS Cloud, the authoritative DNS information stored by UltraDNS can be assured as being valid and always available to these participating ISPs' end users. The DNS Cloud will provide DDoS resistant resolution to almost 100 million Internet users, and is anticipated to provide resolution for double that number by the end of the second quarter of 2005. As more Local Nodes are deployed into Host ISP networks, the effectiveness and viability of the Cloud increases proportionally with the number of end users now protected from the effects of DDoS within those networks. In addition, UltraDNS has begun to distribute this innovative solution around the world. The first of these was announced at the ICANN meeting in Cape Town, and is now deployed at the JINX exchange in Johannesburg, South Africa, to serve that region.

Connectivity to the Cloud is by invitation only to the largest ISPs and recursive DNS server operators. Smaller enterprises and lower usage recursive DNS server operators will not have direct access to the Local Node DNS Cloud. However, they can utilize their upstream service provider for this purpose. This forced hierarchy preserves the decentralized and public nature of the DNS, but introduces a now-required level of security, authentication and responsibility into the entire model in order to maintain the security and stability of the DNS.

Adoption of the DNS Cloud has occurred at the expected rate, and it is anticipated that upon award of the .NET contract, Afilias would expand the DNS Cloud to include an international base of regional ISPs in emerging Internet communities.


At 1:50 PM, Blogger Shock Carlos said...

Hey, quite the interesting blog you have here. You obviously put some thought into it.
I have an ISP blog/site you may find interesting.

If you get a chance, especially if you're looking for online ISP services or ISP, please come on by for a visit.

