DNS Silently Powers the Internet
Executive summary
This is the first in a series of blog posts highlighting how the Domain Name System (DNS) offers IT and security teams insights into how to build, secure, and deliver responsive networks and applications in today’s digital-first world.
It starts with a brief overview of DNS, and then explores use cases that illustrate its power, reach, and versatility.
This post concludes with best practices and thoughts about how to assess DNS servers and solutions.
Future posts in this series will explore the role the DNS plays in Zero Trust solutions, discuss how DNS servers can protect internet access services, and explain how to effectively deter DNS distributed denial-of-service (DDoS) attacks.
Essential internet infrastructure: How the DNS works
The DNS is an essential part of virtually every internet transaction. It lets a wide array of devices and applications connect over IPv4 or IPv6 by translating the human-readable hostname in a URL (or in an email address, an API endpoint, or any other name) into the numerical IP address that the network actually routes on, regardless of which web browser or operating system is being used.
It’s a testament to the extraordinary insight of the original DNS developers that it has endured for more than 40 years with remarkably little change to the core protocol and architecture. Yet it has adapted and thrived as the internet scaled from a modest number of academic and government institutions to a life-altering global network serving billions of people and an estimated 18 billion smart connected “things.”
The simplicity of the DNS protocol belies its power. It’s powerful because it’s lightweight and ubiquitous. Almost everything with an internet protocol (IP) address — from super-fast servers to smart devices to your computer at home — has some form of DNS client.
Every network that connects things depends on DNS resolvers and authoritative nameservers, and controls which clients may query them: if the lookup is slow or fails, the connection is slow or fails with it, and a resolver that answers anyone on the internet becomes a reflector for attacks on others. DNS servers pack a considerable punch, consistently delivering tangible value for a modest investment.
What DNS servers do
Enabling billions of devices to function efficiently requires a highly distributed system of DNS servers — specifically root servers, authoritative DNS servers (nameservers), and DNS resolvers (aka recursive resolvers or caching servers). Millions of authoritative DNS servers, operated on behalf of domain name owners, store DNS resource records for their zones: A and AAAA records carrying IP addresses, CNAME aliases, MX records naming mail servers, and so on, each with a time to live (TTL) that tells resolvers how long they may cache it.
Resolvers respond to DNS queries from devices, most often with answers they’ve already learned from authoritative nameservers and stored in their caches.
DNS: 40 years of relevance and counting
The DNS is also incredibly versatile, enabling a mind-boggling array of web, mobile, and network services.
It's used for every email transaction: MX records identify a domain's mail servers, and the SPF, DKIM, and DMARC records published in DNS (with DANE where DNSSEC is deployed) let receiving servers authenticate senders and reject forged mail. It provides location-specific guidance to connect devices in cellular networks.
For telecoms, it delivers the details to send SMS messages and make Voice over Internet Protocol (VoIP) calls. Standards have been, and continue to be, formalized for using the DNS to verify control of a domain before a digital certificate is issued (the ACME dns-01 challenge of RFC 8555, for example) and for letting domain owners restrict which certificate authorities may issue for them (CAA records, RFC 8659). The objective is for all certificate providers to use these common, rigorously validated techniques rather than ad hoc checks.
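As an added example of the DNS-based domain-control check described above (this is illustrative code written for this page, not Akamai's or any CA's implementation), the following computes and verifies the TXT record that ACME's dns-01 challenge (RFC 8555, section 8.4) expects. The account key is a constructed public-key sample of the right shape, the token is the example token from RFC 8555, and the "lookup result" is a constructed dictionary standing in for a real DNS query.

```python
"""Added example: the ACME dns-01 domain-control check (RFC 8555 section 8.4).

The CA hands the requester a random token. The requester computes
    key_authorization = token "." base64url(JWK_Thumbprint(account_key))
    txt_value         = base64url(SHA-256(key_authorization))
publishes txt_value as a TXT record at _acme-challenge.<domain>, and the CA
resolves that name and compares. Not part of the original post.
"""
from __future__ import annotations

import base64
import hashlib
import json
import re

# Constructed sample account key (public half only, hypothetical values).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
# Example token from RFC 8555; a real CA generates a fresh one per challenge.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 7638: the thumbprint covers only the required public members, in
# lexicographic order, serialised with no whitespace.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    # Reject tokens that could smuggle other characters into the record value.
    if not _TOKEN_RE.match(token):
        raise ValueError("ACME token must consist of base64url characters only")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(domain: str) -> str:
    """Owner name the CA queries; DNS names compare case-insensitively."""
    return "_acme-challenge." + domain.strip().rstrip(".").lower()


def dns01_validates(domain: str, token: str, account_jwk: dict,
                    txt_records: dict[str, list[str]]) -> bool:
    """CA-side check: does any TXT record at the challenge name match?

    txt_records maps owner name -> TXT strings, as a resolver would return.
    A production CA queries from several network vantage points (and prefers
    DNSSEC-validated answers) so that one hijacked resolver cannot pass it.
    """
    expected = dns01_txt_value(token, account_jwk)
    return expected in txt_records.get(challenge_name(domain), [])


if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f'{challenge_name("example.com")} IN TXT "{value}"')
    # Constructed lookup result standing in for a real DNS query.
    published = {"_acme-challenge.example.com": [value]}
    print("validates:", dns01_validates("example.com", SAMPLE_TOKEN,
                                        SAMPLE_ACCOUNT_JWK, published))
```

The thumbprint step is where implementations most often go wrong: extra JWK members such as `use` or `kid` must be dropped before hashing, and the member order is fixed by RFC 7638, otherwise the published TXT value never matches what the CA computes.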
There’s lots of excitement about new services being designed to take advantage of new technologies like 5G. Underneath the sizzle surrounding new networking features, however, delivering fulfilling internet interactions and robust data exchanges will remain the benchmark.
Improving networks with smarter DNS
Everything with an IP address — from sophisticated endpoints that enable virtual reality to basic Internet of Things (IoT) sensors that exchange telemetry — will rely on networks made better with smarter DNS.
Maximizing the value that smarter DNS solutions can bring to web applications and services is becoming increasingly difficult. Web pages and internet services are more intricate and distributed, sending more DNS queries because they composite data from many different sources, each requiring one or more DNS lookups.
Adding another level of scale and complexity are billions of intelligent “things,” some with highly specialized requirements, that are connected in homes, factories, cities, farms, mines, and more. Where aren’t things connected today?
Expanding nameservers and namespaces
More than 233 million domain names are registered under the .com TLD alone, and that number keeps growing. The hostnames beneath them, each needing an A, AAAA, or CNAME record that points clients at an IP address, number more than one billion and are growing as well.
More than 1,400 top-level domains (TLDs) sit below the DNS root nameservers, and that namespace keeps expanding, too. There's little doubt that we'll continue to see tremendous proliferation in both, for legitimate and malicious purposes alike. There has also been a trend toward shorter time to live (TTL) values, so that clients are steered to a resource's best available IP address at any given moment, in the shortest amount of time.
Caching is what keeps that growth affordable: a resolver that has learned a record can answer repeat queries from its cache until the TTL expires, instead of walking the chain of referrals and iterative queries from the root through the TLD to the authoritative nameserver. A shorter TTL buys more accurate steering at the cost of more cache misses, and therefore more load on the authoritative servers.
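The interplay of referrals, caching, and TTL described above, as an added example written for this page (it is not code from the original post or from any Akamai product): a toy iterative resolver with a TTL-aware cache, run against constructed zone data so that nothing touches the network. The nameserver names and the `192.0.2.10` address are placeholders.

```python
"""Added example: a toy iterative resolver with a TTL-aware cache.

Shows the referral chain (root -> TLD -> zone) that a cache miss costs, and
how TTL and query rate together set the load on authoritative servers.
All zone data is constructed; not part of the original post.
"""
from __future__ import annotations

ROOT_SERVER = "."


def build_authorities(www_ttl: int) -> dict[str, dict[str, tuple[str, int, str]]]:
    """Constructed authoritative data: server -> {owner: (type, ttl, rdata)}."""
    return {
        ROOT_SERVER: {"com.": ("NS", 172800, "a.gtld-servers.net.")},
        "a.gtld-servers.net.": {"example.com.": ("NS", 172800, "ns1.example.com.")},
        "ns1.example.com.": {"www.example.com.": ("A", www_ttl, "192.0.2.10")},
    }


class CachingResolver:
    def __init__(self, authorities):
        self.authorities = authorities
        self.cache: dict[str, tuple[float, str]] = {}   # qname -> (expires_at, rdata)
        self.upstream_queries = 0

    def _ask(self, server: str, qname: str):
        """One query to an authoritative server: answer, referral, or NXDOMAIN."""
        self.upstream_queries += 1
        zone_data = self.authorities[server]
        if qname in zone_data and zone_data[qname][0] == "A":
            return "ANSWER", zone_data[qname]
        # Referral: the most specific delegation this server knows for the name.
        labels = qname.split(".")
        for i in range(1, len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in zone_data and zone_data[suffix][0] == "NS":
                return "REFERRAL", zone_data[suffix][2]
        return "NXDOMAIN", None

    def resolve(self, qname: str, now: float) -> tuple[str, bool]:
        """Return (address, served_from_cache)."""
        cached = self.cache.get(qname)
        if cached and now < cached[0]:
            return cached[1], True
        server = ROOT_SERVER
        for _ in range(8):                      # bound the referral chain
            kind, payload = self._ask(server, qname)
            if kind == "ANSWER":
                _, ttl, rdata = payload
                self.cache[qname] = (now + ttl, rdata)   # honour the authority's TTL
                return rdata, False
            if kind == "REFERRAL":
                server = payload
                continue
            raise LookupError(f"{qname}: NXDOMAIN from {server}")
        raise RuntimeError("referral chain too long")


def upstream_load(ttl: int, interval: int, duration: int) -> int:
    """Authoritative queries caused by one client re-asking every `interval`
    seconds for `duration` seconds, behind a resolver that honours `ttl`."""
    resolver = CachingResolver(build_authorities(ttl))
    for t in range(0, duration, interval):
        resolver.resolve("www.example.com.", now=t)
    return resolver.upstream_queries


if __name__ == "__main__":
    r = CachingResolver(build_authorities(60))
    print(r.resolve("www.example.com.", now=0))    # miss: three upstream queries
    print(r.resolve("www.example.com.", now=30))   # hit
    print(r.resolve("www.example.com.", now=61))   # expired: three more
    print("upstream queries:", r.upstream_queries)
    for ttl in (5, 60, 300):
        print(f"ttl={ttl:>3}s -> {upstream_load(ttl, 10, 600)} authoritative queries per 10 min")
```

Real resolvers also cache the NS records learned from referrals, so a miss for a second name in the same zone costs one upstream query rather than three; the toy caches only final answers to keep the TTL effect visible. The point to take away is the last loop: with a client re-asking every 10 seconds, a 5-second TTL sends every query to the authority, while a 300-second TTL sends one in thirty.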
The resilience of the DNS resolver
All of this means that more demands are being placed on DNS resolvers and authoritative nameservers — and the systems that support them. A DNS infrastructure that’s optimized for resilience and responsiveness can make important contributions to enhance the user experience, improve application efficiency, and accelerate the lookup process.
Application development with a conscious focus on DNS can help ensure robust and timely rollouts, and a total cost of ownership that’s properly aligned with application value.
Meeting ever-changing privacy expectations
Another central element of the user experience is privacy and, again, DNS has risen to the occasion. Standards for encrypting DNS transactions have existed for years (DNS over TLS, RFC 7858, and DNS over HTTPS, RFC 8484). DNS privacy goes beyond encryption by also hiding the client's IP address from the resolver, as Oblivious DoH (RFC 9230) does, so that no single party on the network path can associate an internet user with their DNS queries or web transactions.
Akamai worked with Apple to implement their iCloud Private Relay service with DNS privacy features. Google has announced plans for a similar service. As privacy expectations change, internet service providers (ISPs) and mobile network operators (MNOs) may have to consider privacy services when they face reduced visibility and control if users migrate to over-the-top public DNS privacy services.
Attackers like the DNS, too — A peek inside DNS security
Unfortunately, the simplicity, pervasive presence, and always-on availability of the DNS come at a price. The DNS is public by design: nameservers, zone contents, and query behavior are all visible from an open source intelligence (OSINT) perspective, so DNS systems are constant targets for reconnaissance and attack.
Malware developers also use the DNS almost universally, because it's easy, inexpensive, and reachable from everywhere they want their code to run: for locating command-and-control servers and, in some cases, for carrying data inside the queries themselves. They just hope to stay one step ahead in the security sprints that occur every day.
The good news is that DNS security solutions can be used to thwart them.
Staying ahead of the attackers
Equipping resolvers with rich policy frameworks and incorporating threat intelligence enables an effective DNS security layer (sometimes called a DNS firewall) with several desirable attributes:
Low-latency UX and efficient operation in the control plane
Coverage for every device, including IoT
Lightweight, scalable, and inherently resilient
With upgrades to their resolvers, ISPs and MNOs are well-positioned to provide security services for consumers and smaller businesses, including DNS privacy services.
But by digging a little deeper, we see that the story gets even better for IT security teams.
Visibility into and control over application traffic
The DNS protocol is one of the few application protocols that crosses network boundaries freely by design, and almost every connection a device makes begins with a DNS query, so most of what happens on connected devices leaves a trace in DNS query traffic. As a result, it's well-suited to provide visibility into and control over application traffic.
Better still, this visibility and control incurs far less overhead and cost than intercepting and decrypting application traffic such as HTTPS. The caveat is that it only covers queries that actually reach your resolver: a client configured for encrypted DNS to a public resolver bypasses it entirely. That is why resolver policy belongs alongside, rather than instead of, the microsegmentation solutions being widely adopted as part of Zero Trust platforms.
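The DNS security layer sketched under "Staying ahead of the attackers" and the visibility described just above can be shown together in one piece of code. The following is an added example written for this page, not Akamai's implementation: the core of a DNS firewall, the same idea resolvers implement with Response Policy Zones. A threat feed and a local allowlist are matched against each query by longest suffix, a per-category policy decides the answer (block, sinkhole, or just log), and the decisions double as a per-client report. The feed entries, policy, sinkhole addresses, and query log are all constructed for illustration.

```python
"""Added example: the core of a DNS firewall (resolver policy + threat intel).

Not part of the original post; feed, policy and log are constructed.
"""
from __future__ import annotations

from collections import Counter, defaultdict

# Constructed threat-intelligence feed: listed domain -> category.
THREAT_FEED = {
    "evil-c2.example": "malware-c2",
    "login-paypa1.example": "phishing",
    "telemetry.example": "tracker",
}
# Local exceptions win over the feed when they are more specific.
ALLOWLIST = {"safe.telemetry.example"}
# Category -> action. SINKHOLE answers with an address we control so an
# infected host talks to a server we can observe instead of the real C2.
POLICY = {"malware-c2": "SINKHOLE", "phishing": "BLOCK", "tracker": "LOG"}
# Hypothetical sinkhole addresses (documentation ranges).
SINKHOLE = {"A": "192.0.2.1", "AAAA": "2001:db8::1"}


def classify(qname: str):
    """Longest-suffix match: returns (matched_name, category) or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ALLOWLIST:       # a more specific allow beats a broader listing
            return None
        if candidate in THREAT_FEED:
            return candidate, THREAT_FEED[candidate]
    return None


def decide(line: str) -> dict:
    """Parse one query log line: '<ts> <client> <qtype> <qname>' and apply policy."""
    ts, client, qtype, qname = line.split()
    decision = {"ts": ts, "client": client, "qtype": qtype, "qname": qname,
                "action": "ALLOW", "category": None, "answer": None}
    hit = classify(qname)
    if hit:
        matched, category = hit
        action = POLICY.get(category, "LOG")
        decision.update(action=action, category=category, matched=matched)
        if action == "SINKHOLE":
            decision["answer"] = SINKHOLE.get(qtype, "NODATA")
        elif action == "BLOCK":
            decision["answer"] = "NXDOMAIN"
    return decision


def process_log(lines):
    """Apply policy to every line; also summarise which client hit which category."""
    decisions = [decide(l) for l in lines if l.strip()]
    per_client = defaultdict(Counter)
    for d in decisions:
        if d["category"]:
            per_client[d["client"]][d["category"]] += 1
    return decisions, {c: dict(v) for c, v in per_client.items()}


# Constructed query log (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.1.2.3 A www.example.com
2024-05-01T10:00:01Z 10.1.2.3 A beacon.evil-c2.example
2024-05-01T10:00:02Z 10.1.2.4 A login-paypa1.example
2024-05-01T10:00:03Z 10.1.2.5 A safe.telemetry.example
2024-05-01T10:00:04Z 10.1.2.5 A metrics.telemetry.example
""".splitlines()

if __name__ == "__main__":
    decisions, summary = process_log(SAMPLE_LOG)
    for d in decisions:
        print(f'{d["client"]:10} {d["qname"]:32} {d["action"]:8} {d["answer"] or ""}')
    print(summary)
```

Two design points matter in practice. Suffix matching is what makes a feed entry for a domain also catch every subdomain an attacker spins up under it, but the same rule over-blocks shared platforms such as dynamic-DNS providers, which is why the allowlist is checked at each level before the feed. And the report at the end is only as complete as the traffic that reaches this resolver; a host sending DNS over HTTPS to a public resolver appears nowhere in it.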
Protect against volumetric and other DNS DDoS attacks
The DNS has also become a popular vector for volumetric DDoS attacks known as DNS reflection or amplification attacks. The attacker sends queries whose source address is spoofed to the victim's IP, to open resolvers or authoritative servers, for names whose answers are many times larger than the query; those servers then reflect the large responses onto the victim, so a modest amount of attack bandwidth becomes a massive flood at the target.
Another increasingly popular class of DNS DDoS attack overloads authoritative servers, and often the recursive resolvers in the path, with queries that cannot be answered from cache, causing them to fail or perceptibly slow down. These include pseudo-random subdomain (PRSD) attacks, in which every query asks for a freshly generated, nonexistent name under the victim's zone so that each one misses the cache and draws an NXDOMAIN from the authority, as well as NXDOMAIN floods and plain DNS query floods.
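The PRSD pattern just described is visible in resolver logs, and the following added example (written for this page, not taken from any Akamai product) shows one way to detect it: per zone and per time window, count queries, distinct names, and NXDOMAIN answers, and alert when the window is large, almost entirely unique, and almost entirely NXDOMAIN. The log is constructed and seeded so the run is reproducible; the zone names and client addresses are placeholders, and the zone-extraction rule is a deliberate simplification noted in the code.

```python
"""Added example: spotting a pseudo-random subdomain (PRSD) attack in logs.

Each attack query carries a never-seen-before label under the victim zone,
so it misses every cache, is forwarded to the zone's authority, and comes
back NXDOMAIN. Not part of the original post; the log is constructed.
"""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PrsdAlert:
    zone: str
    window_start: int
    queries: int
    unique_names: int
    nxdomain: int


def zone_of(qname: str) -> str:
    """Simplification: treat the last two labels as the zone. Real code should
    consult the Public Suffix List so that 'example.co.uk' counts as one zone."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_prsd(lines, window_s=60, min_queries=20,
                unique_ratio=0.8, nxdomain_ratio=0.8):
    """Lines are '<epoch_seconds> <client> <qname> <rcode>'."""
    buckets = defaultdict(lambda: {"queries": 0, "names": set(), "nx": 0})
    for line in lines:
        if not line.strip():
            continue
        ts, _client, qname, rcode = line.split()
        key = (zone_of(qname), int(ts) // window_s * window_s)
        b = buckets[key]
        b["queries"] += 1
        b["names"].add(qname.lower().rstrip("."))
        if rcode == "NXDOMAIN":
            b["nx"] += 1
    alerts = []
    for (zone, start), b in sorted(buckets.items()):
        q = b["queries"]
        if (q >= min_queries
                and len(b["names"]) / q >= unique_ratio
                and b["nx"] / q >= nxdomain_ratio):
            alerts.append(PrsdAlert(zone, start, q, len(b["names"]), b["nx"]))
    return alerts


BASE_TS = 1700000040   # multiple of 60, so the whole sample lands in one window


def build_sample_log() -> list:
    """Constructed log: normal traffic for example.com plus a PRSD burst
    against victim.example from a handful of abused clients."""
    rng = random.Random(7)               # seeded so the sample is reproducible
    lines = []
    for i in range(30):                  # normal: a couple of names, NOERROR
        name = "www.example.com" if i % 3 else "mail.example.com"
        lines.append(f"{BASE_TS + i} 10.0.0.{i % 5 + 1} {name} NOERROR")
    for i in range(50):                  # attack: unique random labels, NXDOMAIN
        label = f"{i:02d}{rng.getrandbits(24):06x}"   # index prefix guarantees uniqueness
        lines.append(f"{BASE_TS + i} 10.0.1.{i % 4 + 1} {label}.victim.example NXDOMAIN")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for a in detect_prsd(SAMPLE_LOG):
        print(f"PRSD suspected: zone={a.zone} window={a.window_start} "
              f"queries={a.queries} unique={a.unique_names} nxdomain={a.nxdomain}")
```

The thresholds are starting points, not truths: a busy CDN zone legitimately sees many distinct names, so the NXDOMAIN ratio is what separates an attack from a popular site. Once a zone is flagged, a resolver can cap the rate at which it forwards misses for that zone, and if the zone is DNSSEC-signed, aggressive use of NSEC records (RFC 8198) lets the resolver synthesize NXDOMAIN for whole ranges of nonexistent names without asking the authority at all.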
Different attack scenarios and targets typically require different defenses. With the right capabilities and capacity, volumetric DDoS defenses can protect apps and other targets anywhere from attacks of hundreds of gigabits (and sometimes terabits) per second.
Properly designed and deployed authoritative DNS infrastructure offers built-in protections and other advantages like responsiveness and reachability. Highly distributed edge networks with thousands of DNS servers around the globe can provide scale, resilience, and capacity to support instant delivery of organizations’ DNS zones.
Reduce exploitation risks
DNS solutions on Akamai’s platform have reduced exploitation risks thanks to decades of deployments with a heavy emphasis on security defenses. Cloud-based DNS reverse proxy services can shield any authoritative infrastructure — on-prem, cloud, or hybrid, including load balancers and firewalls — from DNS resource exhaustion attacks.
Smart DNS resolvers with resilience designed into their software combined with dynamic threat intelligence can also deter volumetric and DNS flood attacks.
Powering and securing networks with Akamai DNS solutions
Akamai has been a central part of the internet for more than 25 years, with a deep and diverse portfolio of DNS products and technologies that touch every corner of the DNS covered in this blog (Table 1).
| | Recursive | Authoritative |
|---|---|---|
| Infrastructure | CacheServe (ISP/MNO resolver) | |
| Security | Secure Internet Access Services for ISPs and MNOs; ThreatAvert (ISP/MNO DNS defenses) | |

Table 1: Akamai's DNS products and technologies
In addition, Akamai embeds DNS technology in its platform services, which deliver privacy and responsiveness at internet scale, including for Apple's iCloud Private Relay (Table 2).

| | Recursive | Authoritative |
|---|---|---|
| Content delivery | High-performance DNS resolution | High-precision nameserver |
| Compute | High-performance DNS resolution | |
| Internet | | |

Table 2: Akamai's DNS technology embedded in our platform services
Decades of deployment experience and continuous innovation have resulted in many compelling advantages for customers who choose Akamai as a DNS provider.
Resilience: “Always-on” is a fundamental part of our products and services — from leading DNS infrastructure (DNSi) resolvers deployed by ISPs and MNOs that serve a billion subscribers to the CDN serving billions of internet users every day.
Performance: Superior system design maximizes the responsiveness of our products, supporting businesses in today’s connected world.
Security: Unmatched internet visibility drives adaptive, agile, and accurate threat intelligence, which works with embedded threat defenses to protect everything online.
Analytics: Mature facilities for data collection translate into policies and practices that drive better application security and awareness to ensure business success.
Deployment: Our global presence touches everything — from the massive Akamai Connected Cloud to large ISPs and MNOs to devices in homes. This yields unique insights that can help optimize product design, simplify installation, and minimize ongoing overhead.
Akamai has a strong track record of delivering superior products that benefit hundreds of thousands of businesses of every size — across every market segment and around the world. We’re ready to show you why customers choose Akamai.
Find out more
Want to learn more? Schedule a call with an Akamai expert today.