iTnews

APNIC backs resilience feature for global domain name system

By Juha Saarinen on Aug 31, 2017 6:40AM
APNIC backs resilience feature for global domain name system

Any DNS resolver could step in as a root name server.

The Asia Pacific Network Information Centre (APNIC) is sponsoring the development of a feature to make the global domain name system (DNS) more resilient against attacks that could silence the web.

As the DNS is a hierarchical, tree-like system with just 13 root name servers at the top, an overwhelming attack would have a massive impact on the internet worldwide.

Denial of service attacks have previously been launched against the DNS root servers, seeking to overwhelm them with traffic floods and large amounts of junk queries for non-existent domains.

In order to defend against future expected attacks, APNIC - the regional internet address registry that Australia falls under - said it will sponsor the inclusion of a new feature in the open source Berkeley Internet Name Domain (BIND) DNS server.

BIND is developed by the Internet Systems Consortium (ISC) and runs on 11 of the 13 root servers.

ISC will implement the recently released internet standard for aggressive cacheing of DNS security extension next secure (NSEC) records in the next major version of BIND that is due out early 2018.

NSEC records are used to prove the non-existence of domains. Cacheing these on local servers instead of sending them up the hierarchical chain to root name servers makes the DNS more resilient to attacks.

It also makes for faster responses, improving the overall performance of the global DNS.

Traffic studies by the DNS Operations, Analysis and Research Centre show that around two-thirds of all queries sent by local resolvers to the root name servers are for domains that do not exist.

Cacheing NSEC records at local DNS servers obviates the needs to send such queries, effectively turning them into root name servers for that particular task.

APNIC's chief scientist Geoff Huston has provided full technical details behind the NSEC records cacheing.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
apnic dns dnssec domain name system isc nsec telco/isp
By Juha Saarinen
Aug 31 2017
6:40AM
0 Comments

Related Articles

  • Use DNS security extensions to foil ongoing attacks: ICANN
  • BGP Optimisers seem a good idea until they bring down the internet
  • US govt orders security measures for DNS hijack emergency
  • How NBN Co struck its bothersome business deals
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

ATO moves to break up $1bn Optus megadeal

ATO moves to break up $1bn Optus megadeal

NBN Co shows its top user now hits 26TB a month

NBN Co shows its top user now hits 26TB a month

Inside Infosys' complex Centrelink payments calculator overhaul

Inside Infosys' complex Centrelink payments calculator overhaul

Google co-founders step aside as Pichai takes helm of parent Alphabet

Google co-founders step aside as Pichai takes helm of parent Alphabet

You must be a registered member of iTnews to post a comment.
Log In | Register

Whitepapers from our sponsors

Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?
Your Microsoft Security journey starts here
Your Microsoft Security journey starts here
Is your AWS framework well-architected?
Is your AWS framework well-architected?
Why you should  reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?

Events

  • Gartner Data & Analytics Summit
  • 2nd Data Governance & Management Summit Melbourne
  • 3rd Intelligent Automation Sydney Summit
  • 7th University IT Service Strategy & Challenges
  • Cyber Security for Higher Education
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.