About SEDNS
SEDNS helps companies and individuals to offer IP-based services without suffering from DNS outages.
SEDNS helps to offer dependable services, makes communication with customers more secure, and protects customers from password harvesting attacks.
Current DNS threats
SEDNS addresses the current threats that come with the use of DNS. First and foremost it addresses the following problems:
- Phishing attacks
Phishing is an attempt to acquire sensitive personal information, such as passwords and credit card details, through deception: the attacker masquerades in an official-looking email, web site, etc. as someone trustworthy with a real need for such information. Phishing is particularly sneaky if the real URL or DNS name of the trustworthy organisation is used. This is possible due to weaknesses in DNS.
- Sporadic downtime of DNS due to denial-of-service attacks
The DNS server hierarchy is based on a small number of root servers. These are tempting targets for denial-of-service (DoS) attacks. If such attacks are successful, all Internet-based distributed applications might suffer from it.
- Insecurity of name resolution in DNS
The regular DNS protocol does not provide any cryptographic means to protect DNS transactions. By its very nature DNS is a global system. DNS communication travels unencrypted and unauthenticated around the globe. This fact virtually invites fraud.
- Unavailability of DNS due to local or global service outages
Often local name servers show some problems during periods of high load. This can be caused by other services running on the same machine or bursts in DNS traffic. This lets the resolver's timeout expire. Only one robustness mechanism can help in this case: retries. We implement stub resolvers in a way that allows making better use of the retry mechanism.
Services of SEDNS
SEDNS contains three services:
- SC uses a caching-only server in the local network. This server can be queried with an extremely short time-out. It is only used for cache hits. For cache misses the resolver does not wait for an answer. This keeps the variance of the response time low. Hence, we are able to adjust the time-out dynamically.
- PQ are used to mask outages of the local DNS servers. With slightly staggered parallel requests we can select the earliest answer. Hence, answer time should always be better than with regular DNS.
- PTPR provides naming services even during complete outages of DNS. For this purpose a peer-to-peer infrastructure is used.
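The SC and PQ behaviour described above, as an added example that is not code from the SEDNS project. It simulates the DNS servers with constructed in-memory stand-ins so it runs offline; `make_server`, the latencies, the time-out values and the record for www.example.org are all assumptions.

```python
import asyncio

def make_server(latency, records):
    """Constructed stand-in for a DNS server: answers after `latency` seconds."""
    async def query(name):
        await asyncio.sleep(latency)
        return records.get(name)            # None models a miss / no answer
    return query

async def staggered_query(servers, name, stagger, timeout):
    """PQ: start query i after i*stagger seconds, return (index, answer) of the earliest."""
    async def delayed(i, server):
        await asyncio.sleep(i * stagger)
        answer = await server(name)
        if answer is None:
            raise LookupError(name)
        return i, answer
    tasks = [asyncio.ensure_future(delayed(i, s)) for i, s in enumerate(servers)]
    try:
        for next_done in asyncio.as_completed(tasks, timeout=timeout):
            try:
                return await next_done
            except LookupError:
                continue                     # this server had no answer, wait for the next
    except asyncio.TimeoutError:
        pass                                 # nobody answered in time
    finally:
        for t in tasks:
            t.cancel()                       # drop the queries we no longer need
    return None

async def resolve(name, cache, servers, cache_timeout=0.05, stagger=0.05, timeout=1.0):
    """SC first (short time-out, cache hits only), then PQ; returns (source, answer)."""
    try:
        hit = await asyncio.wait_for(cache(name), cache_timeout)
    except asyncio.TimeoutError:
        hit = None                           # do not wait for a slow cache
    if hit is not None:
        return "cache", hit
    result = await staggered_query(servers, name, stagger, timeout)
    return ("none", None) if result is None else ("server%d" % result[0], result[1])

def run_demo():
    zone = {"www.example.org": "192.0.2.10"}             # constructed sample record
    overloaded, healthy = make_server(0.5, zone), make_server(0.01, zone)
    warm, cold, slow = make_server(0, zone), make_server(0, {}), make_server(0.5, zone)
    down = make_server(0.01, {})
    go = lambda cache, servers: asyncio.run(resolve("www.example.org", cache, servers))
    return {"hit": go(warm, [overloaded]), "miss": go(cold, [overloaded, healthy]),
            "slow_cache": go(slow, [healthy]), "outage": go(cold, [down, down])}

if __name__ == "__main__":
    print(run_demo())
```

The `outage` case, where no server answers, is the situation in which a fallback such as PTPR would have to take over.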
The SEDNS P2P infrastructure
The SEDNS infrastructure is composed of components connected via a reliable peer-to-peer overlay. There are three different types of components: customer-site proxies, DNS spiders, and zone store nodes.
The customer-site proxy servers are able to resolve names even if DNS is not available. For this purpose they are connected to the P2P system and can query zone store nodes.
The DNS spiders gather DNS data. This data is stored in zone store nodes. These nodes use a Hadoop cluster to store all transferred data.
To collect DNS data, the backup service gets information from the proxies: each customer can use the proxy to report the DNS zones she wants to have in the backup. Furthermore they provide authority information about these zones, including addresses of name servers and whether zone transfer is allowed or not.
With this information the backup service is able to schedule a job for DNS spiders to transfer the DNS data of these zones into the database. After finishing this job the DNS spider re-schedules it, depending on statistical information, to keep this information up to date.
The use of the Hadoop cluster allows us to do some data mining with the intention of finding DNS configuration issues.
Usually DNS performance suffers severely from configuration errors, e.g., if TTLs are chosen too long or too short or delegations are not valid.
We also try to estimate the influence of DNS-based content distribution networks.