In the two years since Dyn went dark, what have we learned? Not much, it appears

The majority (72 per cent) of FTSE 100 firms are vulnerable to DNS attacks, nearly two years after the major Dyn outage. A similar three in five of the top 50 companies listed in the Fortune 500 are also ill- …

  1. GnuTzu

    Workstation, Server, and Router Options

    I've started using alternative DNS services. I stopped using my ISP a decade ago, and I recently stopped using Google. And, I set these in my router so that all clients using DHCP will get to the right DNS servers.

    But, I've always wanted to have options to round robin or other cycling among a larger number of DNS servers, not just three. And, I'd really like it if it could be made to compare responses from two or more different DNS services to get a majority rule, logging any suspicious results.

    Anyone know of an open-source project where they are pursuing such things? I'd like to encourage my router/firewall manufacturer to incorporate such features.
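An added example (not the commenter's code, nor from any project named in the thread) of the majority-rule check wished for above: it sends the same A query to several resolvers over plain UDP/53 using only the standard library, parses each answer section, and reports any resolver whose answer set differs from the majority. Function names are hypothetical; the resolver addresses in the usage note are the ones mentioned elsewhere in the thread.

```python
import socket
import struct
from collections import Counter
# Added example; function names are hypothetical, not from any project in the thread.
def build_query(name, qid=0x1234):
    """Minimal DNS A/IN query with the RD bit set (no EDNS, no DO bit)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode() for x in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(resp, pos):
    """Advance past a (possibly compressed) name; a 0xC0 pointer is 2 bytes and ends it."""
    while resp[pos] != 0 and resp[pos] & 0xC0 != 0xC0:
        pos += resp[pos] + 1
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp):
    """Return the set of IPv4 addresses in the answer section of a response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(resp, pos) + 4          # skip qtype + qclass
    addrs = set()
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.add(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_a(server, name, timeout=2.0):
    """Ask one resolver over UDP/53; an empty set means no usable answer in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return parse_a_records(s.recv(4096))
        except socket.timeout:
            return set()

def consensus(answers):
    """Majority rule over identical answer sets -> (agreed set or None, disagreeing resolvers)."""
    tally = Counter(frozenset(a) for a in answers.values())
    best, votes = tally.most_common(1)[0]
    if votes * 2 <= len(answers):               # no strict majority: treat every answer as suspect
        return None, sorted(answers)
    return set(best), sorted(r for r, a in answers.items() if frozenset(a) != best)
```

Run it as `consensus({r: query_a(r, "example.com") for r in ("9.9.9.9", "1.1.1.1", "8.8.8.8")})`; any resolver whose address set differs from its peers lands in the second element. For CDN-backed names some geographic spread in answers is normal, so log disagreements and look at them before treating them as tampering.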

    1. wyatt

      Re: Workstation, Server, and Router Options

      Not easy is it, I use OpenDNS but am well aware that they sell their data and are owned by Cisco. Is there a better option? I don't know, but over my dead body will I use my ISP's service.

      1. GnuTzu

        Re: Workstation, Server, and Router Options

        I went with Quad9 (9.9.9.9) in the first two slots and OpenDNS in the third. That way, I get more redundancy without giving OpenDNS the full picture.

        Adding to my wish list, I would really love it if I could route DNS queries based upon the type of content being requested, but that would be really elaborate to configure, even with a good categorization service.

        It might also be nice if there were browsers that would do their own DNS queries to different DNS services depending on whether in privacy mode or not--rather than only using the O.S. resolver. It would be nice if Firefox would make it easy for someone to write an add-in for this.

        Supposedly, OpenDNS is slightly faster, but Quad9 promises a higher level of privacy (with regard to your DNS queries). They both perform well though as they, like CDNs, are not actually geographically anchored.

        1. fronty

          Re: Workstation, Server, and Router Options

          They already are, Firefox has added its own resolver so they can support DoH (DNS over HTTPS), Chrome also has its own resolver (albeit it uses the DNS servers set by the O/S) apparently with support for DoH (but not enabled yet) - it's only a matter of time before they enable it and start sending all queries to 8.8.8.8.

          DoH is an absolute minefield, because now the browsers are controlling where your DNS traffic goes. Firefox has decided to use Cloudflare by default, you can change it but then you'll have to start managing browser configs. This is the thin end of a very fat wedge, imagine if every application decided to send DNS queries to its own "preferred" DNS service? How do you manage all this? And DoH queries can be embedded "inside" normal HTML, so how do you block it?

          1. Spazturtle Silver badge

            Re: Workstation, Server, and Router Options

            "Firefox has decided to use Cloudflare by default, you can change it but then you'll have to start managing browser configs. "

            Not true, Firefox uses your system DNS, there is currently an opt in experiment to test Firefox's DNS over TLS (DoT) support that uses Cloudflare as the test DNS server but that is only a test.

            Since Firefox uses its own crypto library and not your system's one it has to have its own DoT support, most applications will not need to have their own support and can just pass the request to the OS. Once the test is over and DoT support is enabled in Firefox by default it will use your system's DNS provider (but send the request itself).

            Everyone is dropping DoH support and switching to DoT, DoH was merely a stopgap.

      2. sanmigueelbeer

        Re: Workstation, Server, and Router Options

        Not easy is it, I use OpenDNS but am well aware that they sell their data and are owned by Cisco. Is there a better option?

        1.1.1.1

      3. Steve the Cynic

        Re: Workstation, Server, and Router Options

        but over my dead body will I use my ISP's service.

        Good luck with that. If your ISP uses equipment *in their network* that can do the things my company's equipment can do, you have no hope of avoiding your ISP's service unless you direct all your traffic, including DNS, into a VPN. It would take me longer to describe how to set it up than it would take me to set up a redirection rule that would grab all DNS traffic and redirect it to a single server.

      4. Idle_Shell

        Re: Workstation, Server, and Router Options

        Please provide a source demonstrating OpenDNS sells customer data? Here's two primary sources that contradict your claim:

        https://support.opendns.com/hc/en-us/articles/227987107-Frequently-Asked-Questions-#faq4

        https://www.cisco.com/c/en/us/about/legal/privacy-full.html

      5. OpenDNSGuy

        Re: Workstation, Server, and Router Options

        OpenDNS/Cisco Umbrella does NOT SELL data. You have your facts incorrect.

        From the founder, David Ulevitch: "It’s important to let you know that we don’t share your personal data. We don’t sell it. We don’t trade it. We don’t do anything with it that isn’t in your best interests.

        https://umbrella.cisco.com/blog/2007/07/23/privacy-policy-update/

        This has never been the case then or now.

    2. batfastad

      Re: Workstation, Server, and Router Options

      You probably want to look at dnsdist for DNS load balancing. It's a great solution. I use it in a few different application environments, in front of a small cluster of active-passive Stubby instances which provide DNS-over-HTTPS (multiplexed HTTP/2 connections if your upstream DoH resolver supports it).

      DNSdist - https://dnsdist.org

      Stubby - https://getdnsapi.net/blog/dns-privacy-daemon-stubby

      1. GnuTzu

        Re: Workstation, Server, and Router Options

        "You probably want to look at dnsdist for DNS load balancing."

        Thank you. I much appreciate it. Now I just need to figure out how to get it into a home router.

    3. Crazy Operations Guy

      I just built my own root dns server.

      I went with a simple OpenBSD box running nsd and a daily cron job that goes out and grabs "https://www.internic.net/domain/*.zone" and the *.arpa files, stuffs those files into /var/nsd/zones/, and restarts nsd. I have a pair of servers that are just recovered 1 Ghz P3 / 512m / 20g desktops with some extra NICs shoved in them. The two of them seem to handle around a hundred users at a time (those are the only boxes on the network that allow port 53 traffic out to the internet and the only machines that can listen on 53).

      I've dumped www.internic.net into my /etc/hosts file because its IP address hasn't changed from 192.0.32.9 since it went live back in the 1980s (the damn thing is older than the internet, what with it being the root of the internet / World Wide Web and all...). If the IP changes, then something is definitely going wrong.

      Between the IP being static and probably the most permanent thing on the internet, and the fact that they have their sig files posted and those too are static, I am very confident in the integrity of its data and then let DNSSEC take care of the rest. No need to trust any third parties, especially the likes of Google.
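An added example, not from either commenter, of how a gateway that allows only two local resolver boxes out on port 53 (as described above, and as in the earlier comment about redirecting all DNS traffic to a single server) can spot clients that try to go around them: it reads a constructed sample of netfilter LOG lines and flags LAN hosts sending DNS (53) or DNS-over-TLS (853) traffic anywhere other than the allowed resolvers. The addresses, log fields and names are assumptions.

```python
import ipaddress
import re

# Added example; constants and function names are hypothetical.
LAN = ipaddress.ip_network("192.168.1.0/24")
# The only boxes allowed to speak DNS to the outside (constructed addresses).
ALLOWED_RESOLVERS = {ipaddress.ip_address("192.168.1.2"), ipaddress.ip_address("192.168.1.3")}
DNS_PORTS = {53, 853}   # plain DNS and DNS-over-TLS; DoH rides on 443 and is not caught by port alone

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed netfilter LOG lines from a gateway rule that logs LAN traffic to DNS ports.
SAMPLE_LOG = """\
Jan 12 10:01:02 gw kernel: DNS-OUT SRC=192.168.1.20 DST=192.168.1.2 PROTO=UDP SPT=51000 DPT=53
Jan 12 10:01:03 gw kernel: DNS-OUT SRC=192.168.1.77 DST=8.8.8.8 PROTO=UDP SPT=40211 DPT=53
Jan 12 10:01:04 gw kernel: DNS-OUT SRC=192.168.1.91 DST=1.1.1.1 PROTO=TCP SPT=40212 DPT=853
Jan 12 10:01:05 gw kernel: DNS-OUT SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=40213 DPT=443
"""

def find_bypass(log_text):
    """(src, dst, proto, dport) for each LAN packet to a DNS port not aimed at an allowed resolver."""
    hits = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not all(k in f for k in ("SRC", "DST", "DPT")):
            continue                                # not a packet line we understand
        src, dst, dport = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"]), int(f["DPT"])
        if src in LAN and dport in DNS_PORTS and dst not in ALLOWED_RESOLVERS:
            hits.append((str(src), str(dst), f.get("PROTO", "?"), dport))
    return hits
```

The 443 line is deliberately not flagged: DoH from a browser looks like any other HTTPS flow, which is the management problem raised further up the thread.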

      1. Jamie Jones Silver badge

        Re: I just built my own root dns server.

        Very much this. I don't know why anyone who reads El Reg and decides not to use the ISP's servers does anything else.

        FreeBSD even works this way out of the box.

        "Public" DNS Servers are a concept that makes dns purists barf.

  2. Maelstorm Bronze badge

    Redesign

    What really needs to happen is a complete redesign of how networking works. Many of the protocols that we currently use were developed in the 1960s and 1970s. In that period, ARPANET as it was called back then, connected universities and military installations together. Because of the caliber of the users back then, security wasn't a forethought, or an afterthought, for that matter. Fast forward to today, and much of the security that is now in place is patch after patching patch of bolt-on fixes for newly discovered vulnerabilities. DNS is no different. So we need a redesign of networking protocols which implement security from the start. However, 40+ years of code will have to be scrapped for that to work, which I do not see happening any time soon.

    1. GnuTzu

      Re: Redesign -- Parallel Protocols

      I think the first step is to redesign the resolvers at the O.S. level to allow for an additional method on top of the existing ones (DNS and the hosts file). That way, DNS could co-exist with the new protocol until everyone manages to get cut over.

      1. Anonymous Coward

        Re: Redesign -- Parallel Protocols

        You mean like /etc/nsswitch.conf? It already exists.

    2. Nate Amsden

      Re: Redesign

      Just look to IPv6 to see how well that approach has worked?

      To me the issue the people are advocating for WRT DNS is the centralization of DNS services, so many customers concentrated with such few providers.

      I really don't see anything wrong with DNS as it is.

      Certainly doesn't have to be that way, nothing in DNS prevents people from running their own DNS, though bigger companies are probably best off with a Dyn or Neustar to be able to absorb those DDoS attacks better. Obviously pretty much any internet provider has a DNS service available, and in many cases they may not even charge for the service since for the most part it doesn't cost much to run unless you're needing very regular updates assuming they don't have a UI to manage DNS.

      I've run my own personal authoritative DNS since 1996 myself (still do today).

  3. GnuTzu

    "You mean like /etc/nsswitch.conf?"

    Great. Anyone know about Windows for this? Or rather, is it Microsoft we're waiting on or just the replacement protocol?

  4. Anonymous Coward

    DNS-Great Firewall-TTL

    And who can forget about the poisoning of DNS alleged to be from The Great Firewall?

    https://www.theregister.co.uk/2015/01/26/great_firewall_of_china_ddos_bug/

    There was a most informative article that showed how to use TTL and Tshark to test DNS that is still relevant today: "China's-Man-on-the-Side-Attack-on-GitHub"

    (Using similar techniques shows my traffic passing through some interesting hops.)

  5. Nate Amsden

    multiple CDN as well

    As a Dyn customer for about 9 years now (across 3 different companies), after the attack struck some providers tried to get me to go multi-provider. To me it does make sense, but only really when it is also paired with a multi-CDN deployment as well, and for whatever reason I don't see nearly as many people talking about that as multi-DNS deployments.

    DNS also has made it easy to use multiple providers forever now with slaves and longer TTLs. Though if you're all up in their APIs and stuff then that may make it more difficult.

    For the org I am with and probably many others this one outage was not nearly enough to switch off of Dyn (or to go dual provider). It's still the most reliable service I have ever used, and as a bonus their UI hasn't changed in as long as I can remember (probably in the 9 years as a customer). Which is refreshing for once to see something stable.

    If only other cloud providers could tout 1 outage in 9 years (certainly is possible dyn has had more than that though nothing that has registered on my monitors long enough to be detected). They seem to be very proactive about alerting customers with https://www.dynstatus.com/ -- one of the first public status pages I can recall coming across.

    All of the DDoS attacks that have affected me have always been collateral damage, either attacking Dyn in that one case, or in several other cases attacking upstream ISP (which in itself has probably 8 different load balanced providers). CDN we currently use hasn't had an attack big enough for us to notice but they aren't a big name player either. I have seen more than one article in the past about big outages due to attacks or something at Cloudflare for example (don't recall anything recently though).

  6. DonL

    Bind/Named

    Personally I don't understand why anyone would use a DNS service instead of using Bind/Named on one or multiple cheap VPS servers (from different providers) for something this basic/simple.

    These days it seems like even the basic stuff is getting too difficult for a lot of people, which is quite sad in my opinion. (I don't mean to offend anyone, though.)

    1. Nate Amsden

      Re: Bind/Named

      One use case at least is geographical performance. One company I was at that switched to Dyn (2008/2009 time frame) had a high performance requirement. They were using F5 Global Traffic Manager prior to Dyn, and it was hosted active-active out of two data centers one on each coast of the U.S. Apparently their customers were complaining that DNS lookups were too slow, part of the (then, not sure if it still is true now) F5 DNS architecture when routing traffic to different geo locations was it required an additional DNS lookup (I forget why), so going to www.mydomain.com resolved to one CNAME which then resolved to a 2nd CNAME then you got the IP of the geo source from there.

      Dyn's setup removed one of those CNAME lookups and combined with more geo diverse locations allowed DNS query times to drop by maybe 20-30ms (maybe more I forget now). The lower responses made their customers happy. Though I thought it was stupid just because nobody can tell that difference in performance ("but it shows up in their monitoring" was the response). Whatever.

    2. Crazy Operations Guy

      Re: Bind/Named

      Don't even need a VPS, I'm using a pair of desktops I rescued from the dumpster almost 15 years ago (I grabbed a bunch and stockpiled spare parts and upgraded the machines as much as possible). I found a pair of Pentium-3 boxes with 512 megs of RAM and a pair of 20 GB disks is enough to serve a hundred or so users comfortably. They sure knew how to make computers back then, very few failures in the 15 years since I first powered them up (and after the 3-4 years they survived under users' desks).

      1. Jamie Jones Silver badge

        Re: Bind/Named

        [ Not directed to crazy ops guy ]

        A Pi will comfortably run "unbound". Hell, if your router has ssh access, you could install it there.

        https://www.nlnetlabs.nl/projects/unbound/about/

  7. Anonymous Coward

    Easy option

    For all the domains my company owns, I've moved the authoritative name servers to Azure DNS. When I add a domain to Office 365, it's all set up by automagic. Always best to work with MSFT!

    1. SImon Hobson Bronze badge

      Re: Easy option

      Was that the same Azure that's recently had a huge outage, where it was found that a failure in one datacentre had knock-on effects across many services that shouldn't have been affected?
