3

I've been doing some research on how DNS records can be managed but I'm a little overwhelmed. I'm looking for a low-cost (brainpower, time, money) solution to mitigate the risk that my domain registrar - also hosting my DNS records - will buckle under a DDoS again, costing me business. Options I've read about include:

  • Google Public DNS
  • Amazon Route 53

What questions should I be asking as I evaluate these (and other) options?

SB2055

4 Answers

6

Google Public DNS

As Gaurav Kansal said, Google Public DNS is a caching (recursive) DNS and wouldn't be of much help to you.

Amazon Route 53

You can go for it, or many others, but I would like to point out some things which you should be looking for when you choose your DNS provider.

  • Choose more than one: If possible, have a master name server placed at one provider and a slave of it at some other provider. If at different geo-locations, then even better, so that in case of any attack on one provider the other provider is still available to serve your records.
  • Anycasting: Providers should run more than one instance of your name server at geographically different locations. This can be done using anycasting, which uses the same IP address at different geo-locations in order to provide higher availability in case of attacks at one location.
  • Multiple slaves: Have multiple slave servers so that your records can be served in case multiple NS go down (master or slave).
  • TTL: Yes, TTL may be important, if you don't change your records that often and the provider can serve them for longer than 15 minutes.
  • Remain in touch with gTLD managers and keep your zone file at hand: In case of an emergency it's good to have contingency plans ready.

Hope this helps!
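The checklist above (several name servers, more than one provider, servers not all on one network, a backup server per provider, a TTL above 15 minutes) can be turned into a quick audit. This is an added example, not the answerer's code; the name server set, the RFC 5737 documentation addresses and the `provider` labels are constructed, and in practice the provider would be derived from the NS hostname or a whois/ASN lookup:

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample delegation: hypothetical hostnames, RFC 5737 documentation
# addresses, and a "provider" label that you would normally derive from the
# NS hostname's domain or from whois/ASN lookups.
SAMPLE_NS = [
    {"name": "ns1.registrar-dns.example", "ip": "192.0.2.10", "provider": "registrar"},
    {"name": "ns2.registrar-dns.example", "ip": "192.0.2.11", "provider": "registrar"},
]

MIN_TTL = 15 * 60  # the 15-minute floor mentioned in the answer


def audit_delegation(ns_records, record_ttl, min_ns=3, min_providers=2):
    """Return a sorted list of finding codes for a zone's NS set and record TTL.

    An empty list means the delegation passes every check in the checklist:
    enough servers, more than one provider, servers that are not all on one
    network, a backup server at every provider, and a long enough TTL.
    """
    findings = []
    if len(ns_records) < min_ns:
        findings.append("too-few-nameservers")

    providers = Counter(r["provider"] for r in ns_records)
    if len(providers) < min_providers:
        findings.append("single-provider")
    # A provider running only one NS for you leaves no slave to fall back on.
    if any(count < 2 for count in providers.values()):
        findings.append("provider-without-backup")

    # Distinct /24 networks: servers all in one /24 usually share one location.
    nets = {ip_network(f"{r['ip']}/24", strict=False) for r in ns_records}
    if len(nets) < 2:
        findings.append("single-network")

    if record_ttl < MIN_TTL:
        findings.append("short-ttl")
    return sorted(findings)


def improved_delegation():
    """The sample delegation with a second (constructed) provider added."""
    return SAMPLE_NS + [
        {"name": "a.secondary-dns.example", "ip": "198.51.100.5", "provider": "secondary"},
        {"name": "b.secondary-dns.example", "ip": "203.0.113.9", "provider": "secondary"},
    ]


if __name__ == "__main__":
    print(audit_delegation(SAMPLE_NS, record_ttl=300))
    print(audit_delegation(improved_delegation(), record_ttl=3600))
```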

2

As the customer you can't really do anything to prevent outages of a supplier, although as long as you're not the actual target of the DDoS you can mitigate some of the effect of outages from a single supplier either by having multiple suppliers (at the risk that such additional complexity will increase the risk of operator error by you/your team), or by switching to a better supplier with fewer outages.

Purely for DNS, a zero-cost mitigating measure you can easily take is to simply increase the TTL value of your DNS records.
A TTL of 5 minutes means that an outage of all authoritative DNS servers (at the same time) with a duration longer than 5 minutes will probably affect 100% of your users, while with a TTL of 1 week an outage of 24 hours will still roughly affect only 1/7 or 15% of your users.

HBruijn
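The TTL figures in this answer follow from a simple model, shown here as an added example that is not part of the answer. Assumption (constructed): each caching resolver refreshed the record at a different moment, so cache expiry times are spread evenly across one TTL from the moment every authoritative server goes down; the model also reports the average unavailability during the outage, which the answer does not give.

```python
def outage_impact(ttl_seconds, outage_seconds, resolvers=7000):
    """Model an outage of every authoritative server against caching resolvers.

    Constructed assumption: resolver cache expiry times are spread evenly over
    one TTL starting when the outage begins. Returns a dict with
      affected    - fraction of resolvers whose cache expires before the outage ends
      unavailable - fraction of resolver-time during the outage with no answer
    """
    if ttl_seconds <= 0 or outage_seconds <= 0:
        raise ValueError("TTL and outage duration must be positive")
    affected = 0
    lost_time = 0.0
    for i in range(resolvers):
        # expiry of this resolver's cached copy, measured from the outage start
        expiry = (i + 0.5) * ttl_seconds / resolvers
        if expiry < outage_seconds:
            affected += 1
            lost_time += outage_seconds - expiry
    return {
        "affected": affected / resolvers,
        "unavailable": lost_time / (resolvers * outage_seconds),
    }


def compare_ttls(outage_seconds=24 * 3600, ttls=(300, 7 * 24 * 3600)):
    """Run the model for the two TTLs in the answer (5 minutes and 1 week)."""
    return {ttl: outage_impact(ttl, outage_seconds) for ttl in ttls}


if __name__ == "__main__":
    for ttl, impact in compare_ttls().items():
        print(f"TTL {ttl:>7}s: {impact['affected']:.1%} of resolvers affected, "
              f"{impact['unavailable']:.1%} of resolver-time unavailable")
```

With a one-week TTL and a 24-hour outage the model reproduces the answer's 1/7 of users affected at some point, while the time-weighted unavailability is half that, since an affected resolver only loses the part of the outage after its cache expires.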
1

Assuming your domain registrar only hosts your DNS servers, you can find secondary DNS services at many places. Also keep in mind that you are not usually forced to use the DNS servers of your domain registrar.

For those secondary DNS services to work efficiently, the management interface of your (primary) DNS service provider should allow you to:

  1. add, change and remove DNS servers, and
  2. add, change and remove authorized secondary servers.

Secondary DNS servers will periodically download a copy of your DNS records from the primary servers.

Often you'll hear master for primary server and slave for secondary server.

A quick Google search for 'dns secondary service' returns a few companies providing that service.

Remember that having resilient DNS servers doesn't help at all if the target of the DDoS is your web servers and your web servers are hosted at a single provider.

1

So, this is a tricky question. Most people answering this are giving technically excellent answers - distribute your zones across multiple nameservers, use high TTLs, invest in anycast, etc. - but I want to give you a contrarian viewpoint.

DNS is critical to the functioning of the internet. Everyone is on edge right now because of the recent DDoS against Dyn but this fear will fade.

I would like to point out that:

  1. This is the first major DNS outage (that lasted more than ~15 minutes) that I'm aware of in decades
  2. It was not a total outage (DYN faced the largest loss of service on the east coast, but was not globally down)

And also point out that every DNS provider on earth is focused on hardening themselves to DDoS right now.

Here's a funny but relevant tangent: in ~2004 some tiny site (fido.net?) with its own ASN broadcast a bad BGP prefix that cascaded to take down most of the internet core routing. Cisco and the major players fixed the bug, and we've never seen an internet wide outage due to a bad BGP prefix being broadcast again.

What I'm trying to say is - the entire internet relies on DNS. This DDoS against Dyn last week was extraordinary - in its magnitude, severity, and improbability.

This is not cheap or easy to mitigate from your end without owning your own infrastructure (which I can assure you is not cheap if Dyn's didn't stand up). The point of the DNS system is it is just supposed to work.

Which is my long way of saying you have an extremely valid fear that's so improbable and unlikely to ever happen again that you should just move on and not worry about it. Not because you're not right to worry and there's a 0% chance of this ever happening again (it might!), but because you have far more real and salient things that will affect your business in the near future that are better uses of your time, money, and effort than attempting to mitigate this.

¯\_(ツ)_/¯