About DNS security

Posted time: Jan 23, 2017 14:14 PM
Alibaba Cloud DNS is a trustworthy domain name resolution service. It is a cloud product that translates a domain name into an IP address, so that access can then be completed via that IP address.
Alibaba Cloud DNS
In the overall DNS system architecture, there are three major roles: the recursive DNS, the authoritative DNS and end users. Alibaba Cloud DNS takes the role of the authoritative DNS.
Alibaba Cloud DNS is a product for the domain name resolution process. Its importance far exceeds that of domain name registration, because domain name resolution determines whether the website will be attacked during operation and whether it can resume service after an attack.
Relying on Alibaba Cloud's server room infrastructure around the world and its capacity for technical innovation, Alibaba Cloud DNS provides platform-based authoritative domain name resolution. As a result, the authoritative domain name resolution service makes access, from network to website, safer, more stable and more intelligent. It becomes a reliable access infrastructure and entry point, and a shared network service platform, so as to secure user access.
Advantages of Alibaba Cloud DNS
Alibaba Cloud DNS has four major features: stability and reliability, security guarantee, intelligent parsing and global deployment.
With the fast development of the internet, personal data and enterprise businesses are moving online. Domain name resolution, as the source and entry point of network access, determines the stability, security and efficiency of that access.
When handling enterprise business and personal data, you will encounter many headaches related to cloud DNS resolution, such as:
1) Network attack
2) Resolution service failure
3) Resolution record change
4) Resolution data inconsistency
5) Access hijacking
Solving these problems takes a high level of expertise and investment, which is demanding for most individuals and businesses, yet they have to face it.
Overall technical architecture
The overall architecture of the authoritative domain name resolution system is shown in the figure. Current designs all separate the management and control layer from the resolution layer, so the entire system has an efficient and stable data layer plus a flexible and powerful control layer. The data layer is composed of many resolution servers around the world. In front of the resolution servers sits the SecurityDNS system that we develop on our own. The SecurityDNS system cleans the traffic to and from the DNS server clusters.
Two sets of ADNS servers are deployed in South China. The disaster switchover of the entire DNS system is divided into two major parts: one is the disaster switchover of the DNS system itself, which Alibaba Cloud DNS accomplishes through the hot standby mechanism; the other concerns the A record corresponding to the domain name. If the server that the A record points to goes down, the A record can be switched to the IP address of another server. Alibaba Cloud provides some interfaces for users to call and embed into their automatic disaster recovery procedures.
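The A-record switchover described above can be driven by a small controller in the user's own disaster recovery procedure. The following is an added example, not Alibaba Cloud code: update_record is a hypothetical callable standing in for the provider's record-update interface, the IP addresses are documentation addresses, and the thresholds are assumptions chosen to keep the record from flapping on a single failed probe.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class ARecordFailover:
    """Switch an A record between a primary and a standby IP.

    update_record is a hypothetical callable standing in for the DNS
    provider's record-update API; it is not a real SDK function.
    """
    primary: str
    standby: str
    update_record: Callable[[str], None]
    fail_threshold: int = 3      # consecutive failed probes before failover
    recover_threshold: int = 5   # consecutive good probes before fail-back
    active: str = field(init=False)
    _fails: int = field(default=0, init=False)
    _oks: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def observe(self, primary_healthy: bool) -> str:
        """Feed one health-probe result for the primary; return the active IP."""
        if primary_healthy:
            self._oks, self._fails = self._oks + 1, 0
        else:
            self._fails, self._oks = self._fails + 1, 0
        if self.active == self.primary and self._fails >= self.fail_threshold:
            self._switch(self.standby)
        elif self.active == self.standby and self._oks >= self.recover_threshold:
            self._switch(self.primary)
        return self.active

    def _switch(self, target: str) -> None:
        self.update_record(target)   # called only on a real state change
        self.active = target


def replay(probes: List[bool]) -> List[str]:
    """Run constructed probe results through the controller; return the updates issued."""
    calls: List[str] = []
    ctl = ARecordFailover("192.0.2.10", "198.51.100.20", calls.append)
    for ok in probes:
        ctl.observe(ok)
    return calls
```

How quickly clients follow the switch depends on the TTL of the A record, since recursive resolvers keep serving the old address until their cached copy expires.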
Authoritative domain name parsing system
ADNS is based on the DPDK framework and optimizes the entire hardware protocol stack. Running on optimized x86 servers, the self-developed ADNS application uses a carefully designed in-memory data structure to tune how efficiently every CPU core accesses memory and the CPU cache, which addresses the C10M problem that has long troubled the industry. ADNS is a high-performance and scalable authoritative DNS server.
ADNS+ADMS are a wholly self-developed authoritative DNS server system. The system can achieve the following:
• 100 times the standalone performance and capacity of open-source BIND;
• Over 10 million QPS in performance (up to 40 million QPS after software and hardware optimization);
• A storage capacity of more than 20 million domain names (linearly scalable as memory increases);
• A designed availability of 99.9999%. Since the system was launched online, the actual unavailability time has been 0;
• User-friendly APIs, with the complicated intelligent parsing logic encapsulated inside.
Security protection system
DNS attacks are quite common and have a low barrier to entry. DNS security incidents inside and outside China that have had a major impact over the past eight years are listed below:
• On May 19, 2009, internet access in six provinces of South China was cut off. Open fighting between private gaming server factions led to an attack on DNSPod, which affected the domain name resolution of CorePlayer and then spread to the local DNS servers of telecom operators, resulting in the internet outage across six provinces in South China.
• On January 12, 2010, Baidu domain name was hijacked. The NS record of was hijacked by Iranian Cyber Army, leading to unavailability of The incident lasted for eight hours.
• On September 5, 2011, numerous well-known websites including Microsoft, Acer, Vodafone and UPS all suffered DNS hijacking.
• On February 16, 2012, the hacker union Anonymous declared that it would attack 13 DNS root servers on March 31 in order to cripple the global internet.
• On August 25, 2013, the CN domain was attacked. The DNS of the .cn domain suffered DDoS attacks and, as a result, none of the .cn domain names could be resolved.
• On January 21, 2014, the DNS suffered a fault nationwide. This is so far the most serious DNS fault in the Chinese mainland. All the generic top-level domains (.com/.net/.org) suffered DNS cache poisoning.
• On December 10, 2014, DNS networks of operators suffered DDoS attacks. The network access in 16 provinces saw exceptions.
• On November 30, 2015, the DNS root servers suffered attacks. Most of the 13 root servers were under attack. Attackers initiated several billion invalid query requests to two specific domain names of the root server.
• On December 14, 2015, Turkey's national domain was attacked. The hacker union Anonymous declared it was responsible for the 40Gbps DDoS attacks, and said the attack was related to anti-ISIS actions.
• On September 21, 2016, the world's largest server hosting service provider OVH was under attacks amounting to 1Tbps with the peak single-attack traffic hitting nearly 800 Gbps.
• On October 21, 2016, the DNS resolution provider DynDNS was attacked, causing access problems for a number of websites in Europe and America that used its DNS, including Twitter and other well-known websites.
System architecture
The entire architecture is formed by Alibaba's cleaning centers distributed around the world. Leveraging Alibaba's global cleaning strength, we will clean the traffic into the DNS server rooms and identify attacking and normal requests through a set of internal algorithms.
The predecessor of Alibaba Cloud DNS is the long-established HiChina, which has earned the trust of many customers through years of development. To date, Alibaba Cloud DNS holds more than 30% of the domestic market, hosting 10,000,000-plus domain names and supporting 1,000,000,000-plus QPS of requests. We have also deployed seven BGP server rooms around the world and opened more than 40 APIs.
Advanced features of Alibaba Cloud DNS
Basic parsing
The basic parsing service supports resolving domain names to overseas IP addresses, supports A, AAAA, MX, CNAME, TXT, NS, URL forwarding, and all mainstream SRV types, and supports a minimum TTL value of 1 second. It supports up to ten subdomain levels, and load balancing across a maximum of 90 A records.
Intelligent parsing
Intelligent parsing supports the lines of various major operators in China; supports lines of major overseas countries/regions; and supports search engine lines.
The API and the corresponding SDK support add, delete, modify, and query operations on all information about the domain name, encouraging users of other cloud DNS resolution providers to transfer to our services. The SDK supports the Java, Python, PHP and C# development languages.
The security architecture is shown in the figure below. Alibaba Cloud DNS provides the most basic functions such as DNS protection against DDoS attacks, Anti-DDoS Pro, server security and web application firewalls to offer a one-stop security solution package for customers.