APNIC chief scientist Geoff Huston has warned that unless something is done to protect the DNS root servers from the “Internet of Stupid Things”, DDoS attacks targeting DNS threaten to overwhelm defenses and cause an Internet meltdown.
Down at the bottom of the Internet there are two things we are familiar with – IP addresses and DNS. APNIC (Asia-Pacific Network Information Centre) normally does not deal with domain names, but in this instance it has been supporting the hardening of the DNS system. But after years of work, instead of building a bigger wall, it is time to build a better system, Huston said during a presentation at APNIC44 in Taichung.
The current system is hierarchical. Every zone has its own set of servers, and those servers are authoritative only for that zone. For example, the root servers cannot tell you the IP address of www.example.com, but they know that .com is delegated from the root zone and can tell you which servers are authoritative for .com. Similarly, the .com servers do not know the IP address of www.example.com, but they do know which servers are authoritative for example.com – and so on. Resolving www.example.com therefore takes three queries, assuming none of the names is already in the cache of the local DNS resolver.
There are currently 13 root server constellations. The question then is what actually gets passed on to the root servers. The answer is that the vast majority of queries that hit the root servers are for domain names that do not exist.
This means that an attack on the DNS root servers is incredibly easy and incredibly effective – all you have to do is ask a local DNS resolver for a non-existent domain name it has not seen before. The root servers are a point of vulnerability in the Internet – a highly public attack surface. Take them out and the Internet goes down, because everything starts with the DNS.
If you can ask 10,000 queries a second, or 100,000, things get bad. Last October, 1TB of questions hit the Dyn servers, and they melted. Famously, that attack was made possible by insecure IoT devices – webcams built to the cheapest standard possible. The attackers used millions of these machines.
Up until now, Huston said, the industry has been using 12th century thinking – building taller walls and adding servers. But they are losing the war.
Today there are two schools of thought on how to re-engineer DNS.
One is RFC 7706, where you take a copy of the root zone and run it as an authoritative server locally – a proposal that does not appeal to many.
The other is RFC 8198 – Aggressive Use of DNSSEC-Validated Cache. Normally, proving that a domain does not exist is somewhat tricky, because a server cannot sign "nothing". The approach RFC 8198 builds on takes the two existing domain names adjacent to the missing one in alphabetical order and signs a response that basically says, "Here are these two domains, and nothing exists in between them."
For example, if example.com does not exist, the DNS would respond that here are everbank.com and exchange.com, and nothing exists in between the two. That same answer also proves that example1.com does not exist, nor does exampleabc.com, and so on.
The key point, says Huston, is that under RFC 8198, because the answers are cached locally, that answer can be served up locally without having to hit the root servers.
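The following is an added example, not code from the article or from APNIC or Geoff Huston: a toy model of the hierarchy described earlier (a signed root zone that only knows its own delegations) and of the RFC 8198 behaviour just described. A resolver is fed a flood of queries for non-existent top-level names, once without and once with aggressive negative caching, and counts how many of them actually reach the root. The root zone contents (four TLD delegations), its NSEC chain and the query stream are all constructed here; the name ordering follows RFC 4034 section 6.1, and the delegation and wildcard checks follow RFC 8198 section 5.1. In this toy the closest encloser of any non-existent name is the root apex itself, which the code assumes when it checks the wildcard.

```python
"""Toy model of RFC 8198 aggressive negative caching against a signed root.
Added example; the zone, NSEC chain and query flood are constructed here.
Names are written without a trailing dot and the root apex is "".
"""
from dataclasses import dataclass, field


def canonical_key(name):
    """RFC 4034 section 6.1 ordering: labels compared right to left,
    case-insensitively and byte-wise; a parent sorts before its children."""
    labels = [lbl.lower().encode() for lbl in name.split(".") if lbl]
    return tuple(reversed(labels))


def is_subdomain(name, ancestor):
    a, n = canonical_key(ancestor), canonical_key(name)
    return len(n) > len(a) and n[:len(a)] == a


def wildcard_of(encloser):
    return "*" if encloser == "" else "*." + encloser


@dataclass(frozen=True)
class NSEC:
    owner: str        # an existing name in the zone
    next_name: str    # the next existing name in canonical order
    types: frozenset  # record types present at owner (the NSEC type bitmap)

    def covers(self, qname):
        """True if qname sorts strictly between owner and next_name."""
        q, o, n = map(canonical_key, (qname, self.owner, self.next_name))
        return o < q < n if o < n else (q > o or q < n)  # last NSEC wraps to apex

    def is_delegation(self):
        return "NS" in self.types and "SOA" not in self.types


class RootZone:
    """Authoritative toy root: a few TLD delegations, NSEC-signed."""

    def __init__(self, names):
        self.names = names  # {name: frozenset(types)}
        ordered = sorted(names, key=canonical_key)
        self.chain = [NSEC(o, ordered[(i + 1) % len(ordered)], names[o])
                      for i, o in enumerate(ordered)]

    def _nsec_covering(self, qname):
        return next(r for r in self.chain if r.covers(qname))

    def query(self, qname):
        """Return (rcode, NSEC records) the way a signed root would."""
        if qname in self.names:
            return "NOERROR", []
        if any(tld and is_subdomain(qname, tld) for tld in self.names):
            return "REFERRAL", []  # the TLD's own servers are authoritative
        # NXDOMAIN carries proof that the name and the apex wildcard are absent
        return "NXDOMAIN", [self._nsec_covering(qname), self._nsec_covering(wildcard_of(""))]


@dataclass
class Resolver:
    zone: RootZone
    aggressive: bool = True          # RFC 8198 on or off
    nsec_cache: set = field(default_factory=set)
    upstream_queries: int = 0        # how many queries reached the root

    def _cached_proof(self, qname):
        for rec in self.nsec_cache:
            if rec.covers(qname):
                # An NSEC at a delegation proves nothing about names below it:
                # the child zone is authoritative there (RFC 8198 section 5.1).
                if is_subdomain(qname, rec.owner) and rec.is_delegation():
                    return None
                return rec
        return None

    def resolve(self, qname):
        if self.aggressive:
            # Synthesize NXDOMAIN only with cached proof that the name is absent
            # AND that no wildcard at the closest encloser (here: the apex) exists.
            if self._cached_proof(qname) and self._cached_proof(wildcard_of("")):
                return "NXDOMAIN", "synthesized from cached NSEC"
        self.upstream_queries += 1
        rcode, nsecs = self.zone.query(qname)
        self.nsec_cache.update(nsecs)  # keep the signed proofs for later
        return rcode, "from root server"


def make_root():
    deleg = frozenset({"NS", "DS"})
    return RootZone({"": frozenset({"SOA", "NS", "DNSKEY"}),
                     "com": deleg, "net": deleg, "org": deleg})


def flood_queries(n=200):
    """Constructed junk-TLD flood spread across the four NSEC ranges."""
    return [f"{p}{i}" for i in range(n) for p in ("a", "d", "nz", "p", "zz")]


def simulate(aggressive, queries):
    """Return (queries that reached the root, list of rcodes)."""
    r = Resolver(make_root(), aggressive)
    return r.upstream_queries if False else (lambda res: (r.upstream_queries, res))(
        [r.resolve(q)[0] for q in queries])


if __name__ == "__main__":
    q = flood_queries()
    print("without RFC 8198:", simulate(False, q)[0], "of", len(q), "hit the root")
    print("with RFC 8198:   ", simulate(True, q)[0], "of", len(q), "hit the root")
```

With aggressive caching on, the 1,000-query flood reaches the root only four times, once per NSEC range, after which every further junk name is refused locally from the signed proofs already in cache; with it off, all 1,000 go upstream. The delegation check matters: a cached NSEC for `com` must not be used to deny `www.com`, since only the .com servers can answer that, and the resolver correctly forwards it.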
RFC 8198 will be enabled in BIND 9.12 by default, which effectively means it will never be turned off. The question now is whether equipment vendors will adopt it to save the Internet from destruction at the hands of the Internet of Stupid Things.