The DNS was designed for diversity, but site admins aren't buying

Harvard bods warn: if you want to avoid a big outage, use more than one DNS provider


The world's top eight DNS providers now control 59 per cent of name resolution for the biggest websites - and that puts the Web at risk, according to a group of Harvard University researchers.

The group was led by Harvard's Shane Greenstein, and warned that since 2011, the "entropy" of the DNS (referring to how widely distributed it is) has fallen, becoming concentrated in "a small number of dominant cloud services companies".

That state of affairs, the group's research paper (PDF) argued, creates fragility if attackers find a weakness in those DNS services.

The DNS (the distributed database that converts human-readable names like www.theregister.com into IP addresses) was always designed to be highly distributed, because if every request had to be answered by an authoritative server, the system wouldn't cope.


The DNS caches records all over the Internet to reduce the load on (and the reliance on) the root and top-level domain (TLD) servers, but Greenstein's paper argues that diversity is falling - paradoxically, because the companies offering cloud services make things so easy for their customers: "Companies such as Amazon Web Services, Akamai, and Dyn offer scalable and often easily configurable external DNS hosting options alongside other cloud services, making it easier than ever to offload DNS management".

To measure that concentration, Greenstein's team sampled Alexa's top 1,000 domains in the .com, .net and .org TLDs each month between November 2011 and May 2017, collecting the nameserver information for each domain.

That was fed into a statistical calculation to derive a measure of market concentration, the Herfindahl-Hirschman Index (HHI), which sums the squared market shares of every provider. This is a standard metric from the antitrust literature, used by America's Department of Justice and Federal Trade Commission.
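The measurement the paper describes, as an added example that is not the researchers' or The Register's code: it maps each domain's nameservers to a provider, weights every domain equally, and computes provider shares, top-N share and the HHI; it also flags domains that depend on a single provider, the situation the paper's recommendation addresses. The NS records and the provider table are constructed, not real data.

```python
"""Added example (not from the paper or The Register): provider shares, top-N
share and HHI from domains' NS records, following the method above. NS data is constructed."""
from collections import Counter

# Constructed sample: domain -> its authoritative nameserver hostnames (a real study gathers these via NS lookups).
SAMPLE_NS = {
    "example.com":  ["ns-1.awsdns-01.org", "ns-2.awsdns-02.co.uk"],
    "example.net":  ["ns1.p01.dynect.net", "ns2.p01.dynect.net"],
    "example.org":  ["a1-1.akam.net", "a2-2.akam.net"],
    "example.info": ["ns1.example.info", "ns2.example.info"],      # in-house
    "example.co":   ["ns1.p02.dynect.net", "ns2.p02.dynect.net"],
    "example.io":   ["ns-3.awsdns-03.com", "ns1.p03.dynect.net"],  # two providers
}

# Constructed marker -> provider table; a real study needs a far larger one.
PROVIDER_MARKERS = {"awsdns": "AWS", "dynect.net": "Dyn", "akam.net": "Akamai"}

def provider_of(ns_host: str, domain: str) -> str:
    """Label a nameserver by provider; 'in-house' if it lives under the domain itself."""
    host = ns_host.lower().rstrip(".")
    if host == domain or host.endswith("." + domain):
        return "in-house"
    for marker, name in PROVIDER_MARKERS.items():
        if marker in host:
            return name
    return "other"

def provider_shares(ns_by_domain: dict) -> dict:
    """Every domain weighs 1; a domain spread over k providers gives each 1/k."""
    weight = Counter()
    for domain, nameservers in ns_by_domain.items():
        providers = {provider_of(ns, domain) for ns in nameservers}
        for p in providers:
            weight[p] += 1 / len(providers)
    total = sum(weight.values())
    return {p: w / total for p, w in weight.items()}

def hhi(shares: dict) -> float:
    """Herfindahl-Hirschman Index: sum of squared percentage shares, 0..10,000.
    The 2010 US DoJ/FTC merger guidelines treat values above 2,500 as highly concentrated."""
    return sum((s * 100) ** 2 for s in shares.values())

def top_n_share(shares: dict, n: int) -> float:
    """Combined share of the n largest providers (the article's top-4 / top-8 figures)."""
    return sum(sorted(shares.values(), reverse=True)[:n])

def single_provider_domains(ns_by_domain: dict) -> set:
    """Domains whose nameservers all sit with one provider (or only in-house):
    the single point of failure the paper says a second provider removes."""
    return {d for d, ns in ns_by_domain.items()
            if len({provider_of(h, d) for h in ns}) == 1}
```

On the constructed sample the HHI comes out at about 2,917, with Dyn holding 5/12 of the weight and only example.io spread across two providers.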

A rising HHI is a bad sign, but that's exactly what the researchers found, as the image below shows.

[Image: Rising HHI in the domain name system. Rising concentration (HHI) in DNS is bad news in the event of an attack. Image: Greenstein et al]

The sample included names like Dyn, Neustar, AWS, Akamai, Ultra DNS, and CloudFlare.

For the namespaces they measured, the team found the top eight providers grew their market share from 24 per cent to 59 per cent from 2011 to 2017, and the top four went from 17 per cent to nearly 50 per cent.

"The top provider in the sample controlled 4.9 per cent of share in November 2011 and 17.3 per cent of share in May 2017", the paper said.

The other trend they found was that, unsurprisingly in a world awash with easy-to-use cloud services, external DNS hosting has overtaken in-house DNS servers.

For companies worried that this might leave them open to a Mirai-style botnet taking out their DNS provider, the solution is simple, the paper said.

Organisations should diversify their pool of nameservers by taking DNS management services from multiple providers, the paper said. Compared to the costs of a day's downtime, this is "a comparatively costless and therefore puzzlingly rare decision". ®


Biting the hand that feeds IT © 1998–2022