Reliability: How to choose a DNS Service that Shrugs off a Denial of Service Attack

Published: September 2nd, 2014

DNS is a cornerstone of the Internet.  It is the “phonebook” that translates all those domain names, like “luxsci.com” and “google.com” into the addresses of the actual computers that you need to talk to (more details).  Unfortunately, if there is an issue with the DNS for your company’s domain name, then your web site can go offline, your email can stop flowing or bounce, and other bad things can happen.

In addition to having a rock solid email and web hosting service, the reliability of your corporate email and web site depends on your DNS service being always available.  However, for this very reason, attacks on DNS services by hackers are more and more common … we see them or hear about them at least once every few months these days.  How do you prevent these attacks on DNS from crippling your business services?

1. Use AnyCAST

The first thing to do is to use a DNS service that incorporates AnyCast.

“Anycast strands” provide high reliability and a fast response.  With “Anycast”, one DNS name server is actually represented by many different servers in different locations all over the world.  When someone requests DNS information for your domain, they are automatically directed to the nearest DNS server.

Anycast has another very good side effect — anyone who is attacking the DNS servers (e.g. via a Denial of Service attack) will only be able to reach those servers close to them … all other servers would be invisible to the attacker, unaffected, and would serve your DNS quite normally.

Note that DNS services that use Anycast are rare and are usually quite expensive.

2. Use TWO DNS Services

Even with solid Anycast-supporting DNS, a Denial of Service attack can still knock your company offline, at least in some locations, e.g. locations near to where the attacks are happening.  Depending on the size of the attack, that could mean “the entire East Coast of the United States”, or “Western Europe only”, etc.  It’s great that the scope of the damage is limited — but no damage is always preferable.

The next thing you want is to actually sign up for DNS with two separate and independent DNS providers (at least one of them supporting Anycast).  Put identical copies of your DNS in each one.  And then update your domain registration WHOIS … at the place where you buy your domain name … to specify that your “DNS servers” are 2 of the ones from provider A and 2 of the ones from provider B.

In this way, if there is a DoS attack on provider A, provider B will still be up and running and the DNS for your domain will still be working just fine because half of the DNS servers for your domain are unaffected.  (DNS is redundant in that way … requests are sent to the set of specified DNS servers and the first response is used.  If some servers do not respond because they are down, that is OK … as long as some of the others can respond.)
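The two conditions of this step (the delegation names servers from two independent providers, and both providers hold identical copies of the zone) and the resolver behaviour described above can all be checked offline. The script below is an added example written for this article, not code from LuxSci, easyDNS or any provider; the nameserver hostnames, zone contents and the simplified resolver model are constructed, and the “provider” of a name server is approximated by the last two labels of its hostname.

```python
"""Checks for a split, two-provider DNS delegation (added example; constructed data).

Answers three questions a practitioner wants settled after following step 2:
  1. Does the NS set really span two independent provider networks?
  2. Do both providers serve the same zone data, record for record?
  3. If every server of one provider stops answering, does resolution still succeed?
"""
from collections import Counter

# Constructed NS delegation for example.com: two servers from each of two
# hypothetical providers. These hostnames are placeholders, not real servers.
DELEGATION_NS = [
    "dns1.provider-a.example",
    "dns2.provider-a.example",
    "ns-101.provider-b.example",
    "ns-202.provider-b.example",
]

# Constructed zone copies as each provider would serve them (same records,
# different order, as a zone export from two systems typically looks).
ZONE_FROM_A = """\
example.com.      3600 IN A     192.0.2.10
www.example.com.  3600 IN CNAME example.com.
example.com.      3600 IN MX    10 mail.example.com.
mail.example.com. 3600 IN A     192.0.2.25
"""
ZONE_FROM_B = """\
example.com.      3600 IN MX    10 mail.example.com.
example.com.      3600 IN A     192.0.2.10
mail.example.com. 3600 IN A     192.0.2.25
www.example.com.  3600 IN CNAME example.com.
"""


def provider_of(ns_host):
    """Crude provider key: the registrable parent of the NS hostname (last two labels)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def delegation_is_split(ns_hosts, min_providers=2):
    """True when the NS set names servers from at least `min_providers` distinct providers."""
    providers = Counter(provider_of(h) for h in ns_hosts)
    return len(providers) >= min_providers


def parse_zone(text):
    """Parse 'owner TTL class TYPE rdata' lines into an order-independent record set."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, klass, rtype, rdata = line.split(None, 4)
        records.add((owner.lower(), int(ttl), klass.upper(), rtype.upper(),
                     " ".join(rdata.split())))
    return records


def zone_diff(text_a, text_b):
    """Records present at only one provider; both sets empty means the copies are in sync."""
    a, b = parse_zone(text_a), parse_zone(text_b)
    return {"only_in_a": a - b, "only_in_b": b - a}


def resolve(qname, ns_hosts, down):
    """Simplified resolver model: ask the listed servers in turn, first answer wins.

    `down` is the set of servers that give no response (e.g. swamped by a DoS).
    Real resolvers pick servers by measured response time and retry, but the
    outcome is the same: any one responding server is enough."""
    for ns in ns_hosts:
        if ns in down:
            continue
        return {"qname": qname, "answered_by": ns}
    return None


def survives_provider_outage(ns_hosts):
    """For each provider, take all of its servers offline and report whether
    resolution still succeeds through the remaining servers."""
    result = {}
    for prov in sorted({provider_of(h) for h in ns_hosts}):
        down = {h for h in ns_hosts if provider_of(h) == prov}
        result[prov] = resolve("example.com.", ns_hosts, down) is not None
    return result


if __name__ == "__main__":
    print("delegation split across providers:", delegation_is_split(DELEGATION_NS))
    print("zone drift between providers:", zone_diff(ZONE_FROM_A, ZONE_FROM_B))
    print("resolution survives a full provider outage:",
          survives_provider_outage(DELEGATION_NS))
```

Run it after updating the registrar’s NS records and after every zone change; a non-empty `zone_diff` result is the signal that the two providers have drifted apart and the second copy is no longer a true backup.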

3. Use an Email and Web Provider that also does #1 and #2

If your domain’s DNS is bullet-proof via Anycast and two providers, but the company providing your email and/or web hosting is not, then you can still have downtime and issues if that company’s domain and services are taken offline by a denial of service attack on their DNS.  Such an attack can affect the servers and services that they provide to you in unexpected ways … and can result in tangential issues and/or downtime for you as a result.

The best defense is to be sure that your providers are being as proactive in their defense against DNS DoS as you are.

LuxSci to the Rescue

LuxSci makes it easy for you to protect yourself against DNS DoS.  Here is how to do it:

1. Make sure that LuxSci handles your DNS services

Don’t use GoDaddy or Network Solutions or someone else for your DNS.  Make sure you have LuxSci do it.  Your first DNS is included free with all Email and Web Hosting accounts and can be added for $1/month/DNS to most accounts as an upgrade option.  LuxSci’s DNS service includes AnyCast locations all over the world, including: San Jose CA, Chicago IL, Miami FL, Ashburn VA, Phoenix AZ, Amsterdam, Tokyo, London, and others.

In addition to normal Anycast strands, easyDNS uses Prolexic Technologies for some of its name servers.  This technology is designed to protect the services using it from distributed denial of service attacks (DDoS).

Ask LuxSci to give you a username and password so you can view and edit your DNS settings as needed.

2. Sign up for Amazon Route53 DNS

Add a 2nd DNS provider by signing up for Amazon’s Route53 DNS service (it’s free or very cheap).

You don’t have to copy your DNS there by hand — just sign up for it.

3. Sync Amazon Route53 and your LuxSci DNS

LuxSci’s DNS service, provided through our long-time partnership with easyDNS, allows you to have your LuxSci DNS automatically synchronized with Amazon Route 53.  This way, you can update your LuxSci DNS whenever needed and those changes automatically are copied to Amazon … so you can essentially forget about Amazon after that.

Follow this tutorial for setting up automatic synchronization between LuxSci DNS and Amazon Route 53.

With these changes in place, you now have DNS services with Anycast and Prolexic, as well as redundant DNS providers.  LuxSci uses this same technique for its own domains (e.g. luxsci.com), so the services that it provides through these domains and the communications between its servers are similarly insulated from DNS DDoS attacks.

Obviously, there is never a way to protect against every contingency. But with a configuration like this, you can relax and feel that you have done just about everything you can to protect your DNS services.  This solution is also very inexpensive … you can use the money you save via these methods to shore up other weaknesses in your infrastructure … maybe by getting secure email, a good firewall, making sure that you have excellent backups, considering if it is time to start archiving email, etc.
