DNS Outages: The Challenges of Operating Critical Infrastructure

Recent attacks targeting enterprise websites have created greater awareness of how critical DNS is to the reliability of internet services and of the potentially catastrophic impact of a DNS outage. The DNS, made up of a complex system of root and lower-level name servers, translates user-friendly domain names to numerical IP addresses. With few exceptions, DNS lives in a grey area between IT and network operations. With the increasing occurrence of distributed denial of service (DDoS) attacks, advanced persistent threats (APTs) and exploitation of user errors through techniques such as typosquatting and phishing, enterprises can no longer take a passive role in managing their DNS internet infrastructure.

Implications of DNS Outages

With an average daily DNS query load of 82 billion at Verisign during the fourth quarter – and a fourth quarter 2013 peak of 100 billion – it is vital that internet services be operational continuously. Without a doubt, the cost and requirements of running critical internet infrastructure at these performance levels are high. However, if DNS operations were significantly interrupted for an extended period, the potentially devastating results for businesses on the internet could include any of the following:

  • Revenue losses
  • Impact to cash flow
  • Productivity losses
  • Damage to reputation and goodwill
  • Compliance and/or reporting penalties
  • Penalties and loss of discounts
  • Impact to customers and strategic partners
  • Diminished competitive advantage
  • Employee morale and employee confidence in IT

Staying ahead of internet threats to avoid outages

With such detrimental results plaguing companies that experience DNS outages, it is more critical than ever to have a number of redundancies built into internet infrastructure to help prevent this from happening. For instance, DNSSEC was deployed in the .com and .net zones to help assure users that the data they receive in response to an internet request originated from the stated source and was not modified in transit by malicious actors. Additionally, Verisign has been instrumental in advancing DNS protocols for security and efficiency. For example, the company has worked to enhance the DNS-Based Authentication of Named Entities (DANE) protocol, which builds on the DNSSEC infrastructure to enable cryptographically secure communications. This technique can be used to exchange cryptographic credentials, for example to enable signed and encrypted email between internet users, or to let users connect to internet websites with higher assurance that the destination they are arriving at is authentic and their transactions are secure.
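As an added illustration (not Verisign's code and not part of the original article), the sketch below shows how a client could check a server's end-entity certificate against a DANE TLSA record as specified in RFC 6698, and why the DNSSEC validation result gates the check. The function names, the `dnssec_validated` flag and the byte strings standing in for a certificate and its public key are assumptions constructed for the example.

```python
import hashlib
import hmac

# TLSA parameters as defined in RFC 6698.
USAGE_PKIX_EE, USAGE_DANE_EE = 1, 3          # end-entity certificate usages
SELECTOR_CERT, SELECTOR_SPKI = 0, 1          # full certificate vs. public key
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type 0 = exact bytes

def parse_tlsa(rdata):
    """Parse 'usage selector matching-type hexdata' (presentation format)."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA RDATA needs three parameters and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if selector not in (SELECTOR_CERT, SELECTOR_SPKI) or mtype not in (0, 1, 2):
        raise ValueError("unknown selector or matching type")
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))

def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    """Build the RDATA a zone operator would publish for this certificate."""
    selected = cert_der if selector == SELECTOR_CERT else spki_der
    data = DIGESTS[mtype](selected).digest() if mtype else selected
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_matches(rdata, cert_der, spki_der, dnssec_validated):
    """True if the server's end-entity certificate matches the TLSA record.

    For usage 1 (PKIX-EE) the caller must still run ordinary PKIX validation.
    """
    if not dnssec_validated:
        return False  # unsigned or bogus answer: the record proves nothing
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage not in (USAGE_PKIX_EE, USAGE_DANE_EE):
        raise ValueError("trust-anchor usages (0, 2) need the chain, not handled")
    selected = cert_der if selector == SELECTOR_CERT else spki_der
    presented = DIGESTS[mtype](selected).digest() if mtype else selected
    return hmac.compare_digest(presented, expected)

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
CERT_DER = b"constructed-certificate-bytes"
SPKI_DER = b"constructed-public-key-bytes"
PUBLISHED = make_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, 1, CERT_DER, SPKI_DER)

if __name__ == "__main__":
    print(PUBLISHED)
    print(tlsa_matches(PUBLISHED, CERT_DER, SPKI_DER, dnssec_validated=True))
    print(tlsa_matches(PUBLISHED, CERT_DER, b"other-key", dnssec_validated=True))
    print(tlsa_matches(PUBLISHED, CERT_DER, SPKI_DER, dnssec_validated=False))
```

In a real client the certificate and SubjectPublicKeyInfo bytes come from the TLS handshake and the validation flag from a DNSSEC-validating resolver.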

Requirements to operate a TLD

It is crucial that infrastructure is powerful and resilient enough to enable enterprises to stay ahead of internet attacks. Without a strong foundation to build on, enterprises cannot hope to effectively prevent future assaults, as too much time is spent on damage control around existing hacks. Verisign recognized this necessity and designed a sophisticated infrastructure from the ground up to support .com and .net and address multiple complex, high-volume, real-time demands. This infrastructure includes commercial and modified diverse hardware, operating systems, middleware and custom applications, power provider and network provider diversity, and a number of other protections. Massive scale helps ensure global performance and data integrity at all times and supports real-time updates as new domain names are added at more than 75 authoritative name server sites around the world, as well as the operation of the A and J roots, two of the 13 root servers supporting DNS operations for all domains on the internet.

Planning for the future

Looking forward, Verisign believes the focus must be on evolving to not only meet the demands of customers and partners, but to also address the many challenges associated with maintaining 24/7 availability of infrastructure. As discussed above, the combination of a reliable, secure platform and significant capability is intended to provide a foundation for a wave of new applications and services that are poised for growth in the near future with advancements in cloud computing, big data, mobility, and the “Internet of Things.” Increasing adoption of these new applications and services will once again raise the bar on infrastructure requirements to deliver available and secure services.

To read the complete Domain Name Industry Brief, download the report at Verisign.com/DNIB


Danny McPherson

Danny McPherson leads Verisign’s technology and security organizations. He is responsible for Verisign's corporate and production infrastructure, platforms, services, engineering and operations, as well as information and corporate security. He has actively participated in internet operations, research and standardization since the early 1990s, including serving on the Internet Architecture Board and chairing an array of Internet Engineering Task Force and...