APNIC backs resilience feature for global domain name system

The Asia Pacific Network Information Centre (APNIC) is sponsoring the development of a feature to make the global domain name system (DNS) more resilient against attacks that could silence the web.

As the DNS is a hierarchical, tree-like system with just 13 root name servers at the top, an overwhelming attack would have a massive impact on the internet worldwide.

Denial of service attacks have previously been launched against the DNS root servers, seeking to overwhelm them with traffic floods and large amounts of junk queries for non-existent domains.

In order to defend against future expected attacks, APNIC - the regional internet address registry that Australia falls under - said it will sponsor the inclusion of a new feature in the open source Berkeley Internet Name Domain (BIND) DNS server.

BIND is developed by the Internet Systems Consortium (ISC) and runs on 11 of the 13 root servers.

ISC will implement the recently released internet standard for aggressive cacheing of DNS security extension next secure (NSEC) records in the next major version of BIND that is due out early 2018.

NSEC records are used to prove the non-existence of domains. Cacheing these on local servers instead of sending them up the hierarchical chain to root name servers makes the DNS more resilient to attacks.

It also makes for faster responses, improving the overall performance of the global DNS.

Traffic studies by the DNS Operations, Analysis and Research Centre show that around two-thirds of all queries sent by local resolvers to the root name servers are for domains that do not exist.

Cacheing NSEC records at local DNS servers obviates the needs to send such queries, effectively turning them into root name servers for that particular task.

APNIC's chief scientist Geoff Huston has provided full technical details behind the NSEC records cacheing.