How an Internet Building Block Became a Wall of Security
The Domain Name System (DNS) has been called the roadmap to the Internet. It was a core protocol developed to alleviate the pain of maintaining an unwieldy hosts file, and it became critical to the internetworked systems that eventually grew into the Internet as we know it today. Like many other Internet protocols (e.g., HTTP, SMTP), DNS wasn’t designed with security or enormous scale in mind. The Internet was initially created as a way for engineers and academics to share information. The original architects of the Internet couldn’t envision a future with 250 billion emails per day or a billion-dollar cyber crime industry.
This year, Neustar is celebrating an important milestone in the history of the Internet: the 20th anniversary of UltraDNS. UltraDNS was created by Rodney Joffe in 1998 to address the need for a more resilient way to maintain and protect DNS. It was the first implementation of an Anycast DNS network, and there was a lot of contention at the time as to whether it was practical or even possible to use Anycast for routing DNS. Now, of course, Anycast is the standard for how a DNS platform operates. In a very real sense, UltraDNS transformed DNS from a server in the corner with a sticky note that read “Do not turn off” to a multimillion-dollar industry that essentially keeps the Internet online.
In 2006, Neustar acquired UltraDNS to complement its existing security and directory services. Joffe remains a leading force in the development of UltraDNS, serving as a Neustar Senior Vice President and Fellow. His participation at Neustar remains vital, because the work of UltraDNS is far from done. As an industry, we continue to see a rise in the scale and effectiveness of DNS-based attacks, and we anticipate even more attacks as the Internet of Things (IoT) expands.
Over the years, UltraDNS has evolved its security capabilities through a series of industry “firsts.” For example, UltraDNS was the first DNS product to feature a dedicated platform to mitigate distributed denial-of-service (DDoS) attacks. When a global DDoS attack was mounted against the root DNS servers that supported the Internet in 2002, UltraDNS servers were the only ones to withstand the attack, in effect keeping the Internet from going dark. Not long after that, organizations began asking UltraDNS to provide the same DDoS mitigation capabilities for their own networks, and the SiteProtect service was born.
Unlike most DNS hosting services, UltraDNS uses a specially developed code base instead of open-source code. While there’s nothing intrinsically wrong with open-source code, having a specialized code base gives us more flexibility to create unique services. An example of that service differentiation is DNS Shield. Most DNS hosting platforms are shared, which means that when one organization on the platform is attacked, everyone on the platform suffers a performance hit. DNS Shield delivers an isolated DNS network experience, similar to how the SS7 network operates in a telecommunications network by segregating the signaling and data traffic. Even if the entire Internet is under attack, DNS Shield maintains the same levels of performance for DNS queries because of its private DNS transactions. Surprisingly, the cost to deliver DNS Shield is only nominally more than a traditionally shared hosting service.
We believe that UltraDNS enhancements such as SiteProtect and DNS Shield will become even more important to organizations in the future as IoT becomes more prevalent. Like much of the original Internet technology, Internet-connected devices are not inherently secure and require security features to be added after the fact. Newer DDoS attacks leverage large networks of non-intelligent devices (known as IoT “botnets”) to flood DNS servers with traffic in excess of 1 Tbps. These kinds of attacks require advanced mitigation and isolation techniques to protect DNS services.
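The noisy-neighbour effect described above (one tenant under a query flood degrades every tenant on a shared platform, while a per-tenant isolated pool keeps the others answering) can be shown with a small simulation. The example below is added here and is not Neustar’s or UltraDNS’s code; it models a nameserver as a fixed per-interval capacity budget, feeds it a constructed stream of queries in which one tenant is flooded, and reports what fraction of each tenant’s queries are answered with shared versus isolated capacity. The tenant names, addresses and the capacity figure are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed query stream: each "tick" carries one legitimate query for
# tenant "bank", one for tenant "shop", and 25 flood queries aimed at "shop"
# (random-looking labels, many sources, as a botnet flood would produce).
# Addresses are documentation ranges chosen for the example.
TICKS = 20
FLOOD_PER_TICK = 25


def make_sample_queries():
    """Return a list of (tenant, source_ip, qname) in arrival order."""
    queries = []
    for tick in range(TICKS):
        queries.append(("bank", f"203.0.113.{tick}", "www.bank.example"))
        queries.append(("shop", f"198.51.100.{tick}", "www.shop.example"))
        for i in range(FLOOD_PER_TICK):
            n = tick * FLOOD_PER_TICK + i
            queries.append(("shop", f"192.0.2.{n % 250}", f"rnd{n}.shop.example"))
    return queries


def serve(queries, capacity, isolated):
    """Simulate one interval of a nameserver with `capacity` answers available.

    shared   (isolated=False): one pool of `capacity` for all tenants.
    isolated (isolated=True) : every tenant gets its own pool of `capacity`.
    Returns (served, dropped) counters keyed by tenant.
    """
    if isolated:
        budget = defaultdict(lambda: capacity)
    else:
        budget = {"_shared": capacity}
    served, dropped = Counter(), Counter()
    for tenant, _src, _qname in queries:
        key = tenant if isolated else "_shared"
        if budget[key] > 0:
            budget[key] -= 1
            served[tenant] += 1
        else:
            dropped[tenant] += 1
    return served, dropped


def service_ratio(served, dropped, tenant):
    """Fraction of a tenant's queries that received an answer."""
    total = served[tenant] + dropped[tenant]
    return served[tenant] / total if total else 0.0


def compare(capacity=100):
    """Answer ratio per tenant under shared and isolated capacity."""
    queries = make_sample_queries()
    result = {}
    for mode, isolated in (("shared", False), ("isolated", True)):
        served, dropped = serve(queries, capacity, isolated)
        result[mode] = {
            t: service_ratio(served, dropped, t) for t in ("bank", "shop")
        }
    return result


if __name__ == "__main__":
    for mode, ratios in compare().items():
        print(mode, {t: f"{r:.0%}" for t, r in ratios.items()})
```

With the constructed stream, the innocent "bank" tenant gets only 20% of its queries answered on the shared pool because the flood against "shop" consumes the budget first, while the isolated model answers 100% of "bank" queries; the flooded tenant itself is still rate-limited in both modes, which is why isolation is a complement to, not a substitute for, flood mitigation at the attacked tenant.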
DNS has a larger role to play in IoT security too. At Neustar, we’re working to develop new capabilities that will allow DNS servers to act as a secure entry point for IoT devices, in effect blocking botnets at the gate. The work we’re doing today is an extension of the original vision of UltraDNS, which was to take a fundamental building block of the Internet (DNS routing) and build better security and services on top of it.