The DNS was designed for diversity, but site admins aren't buying

Harvard bods warn: if you want to avoid a big outage, use more than one DNS provider


The world's top eight DNS providers now control 59 per cent of name resolution for the biggest Websites - and that puts the Web at risk, according to a group of Harvard University researchers.

The group was led by Harvard's Shane Greenstein, and warned that since 2011, the "entropy" of the DNS (referring to how widely distributed it is) has fallen, becoming concentrated in "a small number of dominant cloud services companies".

That state of affairs, the group's research paper (PDF) argued, creates fragility if attackers find a weakness in those DNS services.

The DNS (the databases that convert human-readable URLs like into IP addresses) was always designed to be highly distributed, because if every request passed through every possible link to an authoritative server, the system wouldn't cope.

The DNS caches records all over the Internet to reduce the load on (and the reliance on) the root and top-level domain (TLD) servers, but Greenstein's paper argues that diversity is falling - paradoxically, because the companies offering cloud services make things so easy for their customers: "Companies such as Amazon Web Services, Akamai, and Dyn offer scalable and often easily configurable external DNS hosting options alongside other cloud services, making it easier than ever to offload DNS management".

To measure that concentration, Greenstein's team sampled Alexa's top 1,000 domains in the .com, .net and .org TLDs each month between November 2011 and May 2017, collecting the nameserver information for each domain.

That was fed into a statistical calculation to derive a measure of market concentration, the Herfindahl-Hirschman Index or HHI. This is a standard metric from the antitrust literature, and is used by America's Department of Justice and Federal Trade Commission.

A rising HHI is a bad sign, but that's exactly what the researchers found, as the image below shows.

[Figure: Rising HHI in the domain name system. Rising concentration (HHI) in DNS is bad news in the event of an attack. Image: Greenstein et al]

The sample included providers such as Dyn, Neustar, AWS, Akamai, UltraDNS, and CloudFlare.

For the namespaces they measured, the team found the top eight providers grew their market share from 24 per cent to 59 per cent from 2011 to 2017, and the top four went from 17 per cent to nearly 50 per cent.

"The top provider in the sample controlled 4.9 per cent of share in November 2011 and 17.3 per cent of share in May 2017", the paper said.

The other trend they found was that, unsurprisingly, in a world awash with easy-to-use cloud services, external DNS hosting has overtaken in-house DNS servers.

For companies worried that this might leave them open to a Mirai-style botnet taking out their DNS provider, the solution is simple, the paper said.

Organisations should diversify their pool of nameservers by taking DNS management services from multiple providers, the paper said. Compared to the costs of a day's downtime, this is "a comparatively costless and therefore puzzlingly rare decision". ®
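To make the paper's measurement and its recommendation concrete, here is an added Python example (not the researchers' code) that groups a sample of domains' nameservers by provider, computes the HHI and top-N share in the way the article describes, and flags domains that depend on a single provider. The domain-to-nameserver sample, the nameserver-suffix map and the equal-split weighting are constructed for illustration, not taken from the paper.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample: domain -> authoritative nameservers (what an NS lookup
# would return).  Provider names are real services named in the article; the
# assignments below are invented for illustration.
SAMPLE_NS = {
    "alpha.example":   ["ns1.p01.dynect.net", "ns2.p01.dynect.net"],
    "bravo.example":   ["ns-10.awsdns-01.com", "ns-20.awsdns-02.net"],
    "charlie.example": ["ns1.p02.dynect.net", "ns-30.awsdns-03.org"],
    "delta.example":   ["dana.ns.cloudflare.com", "bob.ns.cloudflare.com"],
    "echo.example":    ["ns1.corp.example", "ns2.corp.example"],
    "foxtrot.example": ["ns1.p04.dynect.net", "ns2.p04.dynect.net"],
}

# Nameserver suffix -> provider.  Assumed for illustration; a real survey
# would build this map from the NS hostnames it actually observes.
PROVIDER_SUFFIXES = {
    "dynect.net": "Dyn",
    "akam.net": "Akamai",
    "ultradns.net": "UltraDNS",
    "ns.cloudflare.com": "Cloudflare",
}

def provider_of(ns):
    """Map an NS hostname to a provider; unknown hosts count as self-hosted."""
    host = ns.lower().rstrip(".")
    if ".awsdns-" in host:        # Route 53 pattern: ns-NNN.awsdns-NN.<tld>
        return "AWS"
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if host.endswith("." + suffix):
            return provider
    return "self-hosted:" + ".".join(host.split(".")[-2:])

def provider_shares(sample):
    """Each domain contributes one unit of weight, split equally across the
    distinct providers behind its NS set (a modelling choice made here)."""
    weight = defaultdict(Fraction)
    for nameservers in sample.values():
        providers = {provider_of(ns) for ns in nameservers}
        for p in providers:
            weight[p] += Fraction(1, len(providers))
    total = sum(weight.values())
    return {p: w / total for p, w in weight.items()}

def hhi(shares):
    """Herfindahl-Hirschman Index: sum of squared percentage shares (0..10000).
    The 2010 DOJ/FTC merger guidelines treat >2500 as highly concentrated."""
    return float(sum((s * 100) ** 2 for s in shares.values()))

def top_n_share(shares, n):
    """Combined share of the n largest providers (the article's top-4/top-8)."""
    return float(sum(sorted(shares.values(), reverse=True)[:n]))

def single_provider_domains(sample):
    """Domains whose whole NS set sits with one provider: the configuration
    the paper advises diversifying away from."""
    return sorted(d for d, nss in sample.items()
                  if len({provider_of(ns) for ns in nss}) == 1)
```

Run over a real NS survey, `single_provider_domains` is the per-organisation check and `hhi` the ecosystem-wide one.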
