Anonymous or not – is a DNS root server attack really possible?

There’s been a lot of talk lately about an attack being launched against the Internet’s DNS Root Servers on March 31st.

The Domain Name System (DNS) is what makes almost every IP carrier service provided to subscribers possible. A properly functioning DNS helps make advanced services like VOIP and video streaming to mobile devices as simple to operate as email. The starting point for every DNS query, both figuratively and literally, are the root DNS servers. Without these servers we can’t deliver any IP-based services.

As we all know, root DNS servers answer questions about the root zone, known as “.” or “dot.” The zone itself is small and contains little more than how to reach the other DNS servers that serve the TLDs (Top Level Domains) such as “com.” and “net.” That being said, the root servers are critical to the operation of the DNS and of the Internet as a whole.

Although the name server record list for “.” appears to show 13 root DNS servers, looks can be deceiving. The 13 IP addresses listed are not individual machines; they represent a collective infrastructure that is required to provide the root zone service.

In most cases, the root server IP addresses listed are anycast addresses. Behind each one of those addresses are many machines. In some cases, the machines are actually load balancers and reverse caches which are backed by another level of machines that actually contain the root zone information.

During a normal 24-hour period a root server averages approximately 25,000 transactions per second. This number would be much higher if every query reached the root servers, but not all of them do. That’s because the root zone data carries fairly high time to live (TTL) values, and the data is cached by other DNS servers. As a result, queries to the root zone itself are infrequent.

So, back to our question… “Is a DNS Root Server Attack Really Possible?” The answer, sadly, is yes. However, such an attack would be extremely resource intensive and difficult to carry out. It would have to be launched from almost every region of the Internet (so that anycast routing spreads the attack traffic to every machine involved) and maintain extremely high volumes of traffic from every location.

In addition, every root server operator would need to be attacked simultaneously, their DoS mitigations all subverted, and their ability to add processing capacity overwhelmed.

Fortunately, the Internet has several layers of natural defense that would require an attack of this magnitude to be sustained for a long period of time before it had widespread effect. One reason, mentioned earlier, is that the root zone is heavily cached, so root servers are not queried for updates very often.

Although a minute-long outage would be significant and extremely concerning, it wouldn’t take down the entire Internet.
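To make the caching argument concrete, here is a small constructed simulation, added for this article and not the author's or Xerocole's code: a single recursive resolver caches TLD delegations learned from the root and only contacts a root server when a delegation has expired. The 2-day TTL, the query mix and the outage windows are assumptions, not measured data.

```python
"""Toy model of why root-zone caching blunts a short root-server outage.

Constructed simulation, not measured data: one recursive resolver answers a
steady stream of client queries and only asks a root server when its cached
TLD delegation has expired. Assumed TTL of 172800 s (2 days) for delegations.
"""

ROOT_NS_TTL = 172_800  # seconds (assumption: typical root-zone delegation TTL)
TLDS = ("com", "net", "org", "edu")  # constructed query mix


class CachingResolver:
    """Caches TLD delegations learned from the root; counts root traffic and failures."""

    def __init__(self, ttl=ROOT_NS_TTL):
        self.ttl = ttl
        self.expires = {}      # tld -> absolute expiry time (seconds)
        self.root_queries = 0
        self.failures = 0

    def resolve(self, name, now, root_reachable):
        tld = name.rsplit(".", 1)[-1]
        if self.expires.get(tld, -1) > now:
            return True                      # served from cache, root never contacted
        self.root_queries += 1               # delegation expired (or never seen)
        if not root_reachable:
            self.failures += 1               # nothing cached and the root is down
            return False
        self.expires[tld] = now + self.ttl   # refresh the delegation
        return True


def simulate(outage_start, outage_len, ttl=ROOT_NS_TTL, duration=3 * 86_400, step=10):
    """Run `duration` seconds of queries (one every `step` s) with the root unreachable
    during [outage_start, outage_start + outage_len). Returns (total, root_queries, failures)."""
    r = CachingResolver(ttl)
    total = 0
    for i, now in enumerate(range(0, duration, step)):
        name = f"host{i}.example.{TLDS[i % len(TLDS)]}"
        root_up = not (outage_start <= now < outage_start + outage_len)
        r.resolve(name, now, root_up)
        total += 1
    return total, r.root_queries, r.failures


if __name__ == "__main__":
    for label, args in [
        ("60 s outage, caches warm", (3_600, 60)),
        ("60 s outage while delegations expire", (ROOT_NS_TTL, 60)),
        ("60 s outage with no caching (TTL 0)", (3_600, 60, 0)),
    ]:
        total, root_q, failed = simulate(*args)
        print(f"{label}: {root_q} root queries, {failed}/{total} client failures")
```

With warm caches a one-minute outage produces no client failures at all; only queries whose delegation happens to expire inside the window fail, and without caching every query during the outage fails while root traffic rises by three orders of magnitude.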

There are a few measures that ISPs can take to make their footprint more resilient to an attack of this nature including:

  • Maintain a proactive security posture

  • Monitor for botnet traffic

  • Notify and quarantine infected customers

  • Provide remediation options for infected customers

The Internet is the greatest social, cultural and economic engine of our time. We all need to do our part to protect it.

Rob Fleischman is CTO of Xerocole, a provider of carrier DNS management software. He holds several patents for Internet messaging technologies and is the Internet technology commentator for NPR in New Hampshire.