The DDoS Attack Against Dyn , DNS Best Practice And A Short List Of DNS Service Providers

Armin Baldemair
armix.one
Nov 3, 2016

DDoS Attack

Dyn’s DNS infrastructure is one of the most reliable infrastructures. Despite this — or perhaps precisely because of it — Dyn’s Domain Name Service has been attacked by a huge botnet.

What happened

A fortnight ago the Mirai botnet used the capacity of many Internet of Things (IoT) devices to perform a massive Distributed Denial of Service (DDoS) attack against the name service of Dynamic Network Services, also known as Dynect or simply Dyn. The Mirai botnet exploited several vulnerabilities of IoT devices in over 160 countries to attack the service. Routers, IP cameras and digital video recorders “bombed” the Dyn DNS services with countless DNS requests. This affected major websites, including Amazon, Netflix, Spotify, GitHub, Etsy and Twitter. Because Dyn uses a very good, worldwide infrastructure the attack affected only some regions. (Europe and America were more affected than Asia.)

DNS best practice

There are some things you can do to avoid DNS problems and vulnerabilities:

  1. Use at least two DNS servers. This is mandatory for most TLDs.
  2. The DNS servers should be in different geographical regions (or at least in different IP networks from different providers).
  3. You can use dedicated DNS service providers. Typically, they use many name servers all over the world and use Anycast to distribute the DNS requests.
  4. Some DNS service providers use special techniques to mitigate DDoS attacks. (Cloudflare for example uses BGP-based routing instead of normal load balancers. Read this article for more details.)
  5. The combination of two or more DNS service providers is also possible, at least for normal DNS services. But some providers offer additional features (alias records, load balancing, etc.) which can’t be used with a multi-vendor strategy.
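As an added example (not part of the original post), a small Python audit of practices 1, 2 and 5: it takes a zone’s name servers and their addresses, as you would get them from `dig NS` and the A/AAAA lookups of each server, and flags a set that has fewer than two servers, sits in a single /24 or /48, or comes from a single provider domain. The sample zones, the provider-by-last-two-labels heuristic and the /24 and /48 grouping are assumptions made for this example.

```python
# Added example (not from the original post): audit a zone's NS set against
# the practices above. Input is constructed; in practice it is what
# `dig NS <zone>` plus the A/AAAA lookups of each name server return.
import ipaddress

def provider_of(ns_name: str) -> str:
    """Approximate a name server's operator by its last two labels.
    Assumption: no public-suffix list offline, so 'ns.example.co.uk'
    would group as 'co.uk'; good enough for a first pass."""
    labels = ns_name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def network_of(addr: str) -> str:
    """Group an address into its /24 (IPv4) or /48 (IPv6) to spot shared networks."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def audit_ns_set(ns_records: dict) -> list:
    """Return (ok, message) tuples; ok=False marks a weakness."""
    count = len(ns_records)
    networks = {network_of(a) for addrs in ns_records.values() for a in addrs}
    providers = {provider_of(n) for n in ns_records}
    return [
        (count >= 2, f"{count} name server(s); at least two are required"),
        (len(networks) >= 2,
         f"name servers sit in {len(networks)} network(s): {sorted(networks)}"),
        (len(providers) >= 2,
         f"{len(providers)} provider domain(s); a second provider limits a single-vendor outage"),
    ]

def is_resilient(ns_records: dict) -> bool:
    return all(ok for ok, _ in audit_ns_set(ns_records))

# Constructed sample zones using RFC 5737 / RFC 3849 documentation addresses.
SINGLE_NETWORK_ZONE = {
    "ns1.example-dns.net.": ["198.51.100.10"],
    "ns2.example-dns.net.": ["198.51.100.11"],
}
DIVERSE_ZONE = {
    "ns1.example-dns.net.": ["198.51.100.10", "2001:db8:1::53"],
    "ns1.other-dns.org.": ["203.0.113.53", "2001:db8:2::53"],
}

if __name__ == "__main__":
    for name, zone in (("single-network", SINGLE_NETWORK_ZONE), ("diverse", DIVERSE_ZONE)):
        print(f"{name}: {'OK' if is_resilient(zone) else 'WEAK'}")
        for ok, msg in audit_ns_set(zone):
            print("  ", "ok  " if ok else "WARN", msg)
```

The first sample passes the two-server rule but fails the network and provider checks, which is exactly the configuration the list above warns against.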

DNS service providers

Many DNS service providers offer different service plans. Some are free, others are very expensive.

DNS providers I’ve used

The following list is based on my personal experience.

  1. Hurricane Electric offers a free DNS service for up to 50 DNS zones. They support IPv6 and provide five fast name servers. You can edit all resource records (including NS records), except the SOA record.
  2. Amazon Route53 is the name service of Amazon Web Services. They provide four name servers per zone with different top level domains. You can also use so-called delegation sets to get a fixed/predefined set of name servers. (I’ve written an article about that.) R53 also offers some special functionalities: Alias records, load balancing, etc.
  3. Azure DNS is Microsoft’s name service. You get four name servers per zone and standard DNS features. (See this post.)
  4. Cloudflare is my favorite service! Cloudflare is not just a name service — the service also includes a Content Delivery Network, very fast servers and you get a free SSL certificate as well. This is all included in the free basic plan. Take a look at this video to see what Cloudflare offers:
(Cloudflare promo video: “DDoS Protection, WAF, CDN and more from Cloudflare”)

Simple services from the domain registrars

Most registrars offer a (free) name service with at least two servers too. But they usually don’t offer as many features as described above.

Gandi has a remarkable free DNS service: They provide three name servers and work with versioned zone files and templates. This is great for admins with many domains with identical resource records. They can use one zone file (template) and apply it to many domains.

The Internet Society published a very good blog post about how to survive a DNS DDoS attack. I recommend reading it.
