PowerDNS and Dovecot joined the Open-Xchange family at WorldHostingDays 2015 in Rust
Invented in the early 1980s, the Domain Name System (DNS) has been one of the most stable parts of the Internet. DNS is involved whenever you visit a webpage, for every email you send, for every photo you upload. Without exception, DNS is used for everything on the internet. So what does it do?
Human beings think in terms of names (‘www.open-xchange.com’), but computers can’t be reached by names, only by numbers, in this case IPv4 or IPv6 addresses. DNS is the part of the Internet that converts those names into numbers and, as crucial as that is, it does even more. No service would exist without converting a name into an IP address.
Slow DNS = Slow Internet
Since nothing happens on the Internet without DNS, if anything goes wrong with it the customer experience is immediately affected: slow DNS means slow Internet. Broken DNS means broken images, broken Internet, broken email, in short: broken DNS is broken Internet.
Over the past decades, most protocols have seen great upheavals. The original web browsers can’t connect to the modern Internet anymore (not even over IPv4). And even IPv4 is busy being phased out and replaced by IPv6. But DNS! The original name servers from 1982 would still be serviceable today. Computers from that era can still reliably talk to current age name servers.
For two whole decades, DNS has functioned without special attention – only in the latter half of the 2000s did something change. Fundamentally, DNS was written in a time when the Internet was friendly. Everyone knew everyone. And if you did something bad on the net, you would rapidly lose access to it. DNS did not need protection, and does not have it built into its protocol.
Sharks in the water
Today, however, the waters of the Internet are not so safe. Design choices made in the 1980s, which made sense at the time, have come to haunt us. DNS is now frequently both the target and the source of denial of service attacks. Botnets send out small questions to nameservers which are known to generate huge amounts of traffic, and with careful work, they make sure those huge amounts of traffic flow to the targets of their attacks.
These attacks, plus the relentless growth of DNS traffic (around 20% year-on-year growth per subscriber), mean that DNS is now a top priority for the customer experience. While a DDoS attack is happening, your customer has no hope of using your service.
And even low-grade denial of service attacks fundamentally and noticeably degrade the customer experience.
Knowing the quality of DNS
Since DNS worked so well ‘out of the box’ for decades, it is not common for operators to monitor its performance, and in fact this is quite difficult to do effectively. DNS performance has two important components: 1) how rapidly questions get answered, and 2) how many packets do not get answered at all.
At PowerDNS, we believe that all organizations should be monitoring both numbers, and we identify them as ‘key performance indicators’. The good news is that our software makes measuring DNS performance simple, both within our DNS products and from examining network packets.
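Both key performance indicators named above (answer latency and the share of queries that never get an answer), as well as the response-to-query size ratio that makes the reflection attacks described under ‘Sharks in the water’ attractive to botnets, can be computed from a packet capture by pairing each response with its query. The script below is an added example written for this page, not PowerDNS code; the `Pkt` record layout, the addresses and the sample capture are constructed assumptions, and a real monitor would fill `Pkt` records from a pcap or from the name server's own logs.

```python
"""Added example (not PowerDNS code): compute DNS answer latency, the
unanswered-query rate and the per-qtype amplification factor from a
constructed packet capture."""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Pkt:
    ts_us: int          # capture time in microseconds (integer avoids float drift)
    src: str            # source IP address
    dst: str            # destination IP address
    txid: int           # 16-bit DNS transaction ID
    qname: str          # question name
    qtype: str          # question type (A, AAAA, MX, ANY, ...)
    is_response: bool   # False = query, True = response
    size: int           # UDP payload length in bytes


# Constructed sample capture (assumption, not real traffic): clients in
# 198.51.100.0/24 talking to a resolver at 192.0.2.53.
SAMPLE = [
    Pkt(0,     "198.51.100.10", "192.0.2.53",     0x1A2B, "www.example.",  "A",    False, 45),
    Pkt(4000,  "192.0.2.53",     "198.51.100.10", 0x1A2B, "www.example.",  "A",    True,  61),
    Pkt(10000, "198.51.100.11", "192.0.2.53",     0x3C4D, "mail.example.", "MX",   False, 46),
    Pkt(30000, "192.0.2.53",     "198.51.100.11", 0x3C4D, "mail.example.", "MX",   True,  120),
    Pkt(20000, "198.51.100.12", "192.0.2.53",     0x5E6F, "slow.example.", "AAAA", False, 46),
    # no response to 0x5E6F ever arrives: it is counted as unanswered
    Pkt(50000, "198.51.100.13", "192.0.2.53",     0x7081, "big.example.",  "ANY",  False, 45),
    Pkt(52000, "192.0.2.53",     "198.51.100.13", 0x7081, "big.example.",  "ANY",  True,  2900),
    Pkt(60000, "198.51.100.10", "192.0.2.53",     0x1A2C, "www.example.",  "A",    False, 45),
    Pkt(62000, "192.0.2.53",     "198.51.100.10", 0x1A2C, "www.example.",  "A",    True,  61),
]


def match_queries(pkts):
    """Pair every response with the oldest still-pending query that shares
    (client, server, txid, qname, qtype). Returns (pairs, unanswered)."""
    pending = defaultdict(deque)
    pairs = []
    for p in sorted(pkts, key=lambda x: x.ts_us):
        if not p.is_response:
            pending[(p.src, p.dst, p.txid, p.qname, p.qtype)].append(p)
            continue
        key = (p.dst, p.src, p.txid, p.qname, p.qtype)   # swap direction
        if pending[key]:
            pairs.append((pending[key].popleft(), p))
        # A response with no pending query is dropped here; a production
        # monitor would count those too (late or unsolicited replies).
    unanswered = [q for queue in pending.values() for q in queue]
    return pairs, unanswered


def kpis(pkts):
    """The two KPIs from the post: how fast answers arrive, how many never do."""
    pairs, unanswered = match_queries(pkts)
    total = len(pairs) + len(unanswered)
    latencies = sorted((r.ts_us - q.ts_us) / 1000.0 for q, r in pairs)  # ms
    return {
        "queries": total,
        "unanswered": len(unanswered),
        "unanswered_pct": 100.0 * len(unanswered) / total if total else 0.0,
        "latency_ms_median": median(latencies) if latencies else None,
        "latency_ms_max": latencies[-1] if latencies else None,
    }


def amplification_by_qtype(pkts):
    """Largest response/query byte ratio observed per query type: the
    property a reflection attack exploits, and one worth graphing."""
    worst = {}
    for q, r in match_queries(pkts)[0]:
        worst[q.qtype] = max(worst.get(q.qtype, 0.0), r.size / q.size)
    return worst


def flag_amplifiers(worst, threshold=10.0):
    """Query types whose worst-case ratio exceeds the threshold (assumed cut-off)."""
    return sorted(t for t, ratio in worst.items() if ratio > threshold)


if __name__ == "__main__":
    print(kpis(SAMPLE))
    amp = amplification_by_qtype(SAMPLE)
    print({t: round(r, 1) for t, r in amp.items()}, flag_amplifiers(amp))
```

On the sample capture this reports five queries, one of them unanswered (20%), a median answer time of 3 ms with a worst case of 20 ms, and an ANY response roughly 64 times the size of its query. Pairing on the full five-tuple rather than on transaction ID alone matters: transaction IDs repeat every 65536 queries per client, so ID-only matching over-counts answers on a busy resolver.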
Whenever we measure DNS performance, we find issues and room for improvement. Hardware that was sufficient 3 years ago did not grow with the 20% year-on-year increase in DNS traffic. The provisioning of IPv6 is stressing out the kernel’s routing cache, and security devices are choking on the number of packets generated by millions of users accessing the DNS.
The good news is that DNS can be made ‘perfect’ with a limited investment. Unlike other network components, where large capital expenditures are required to make measurable changes, a focused investment in DNS brings immediate rewards. Because every transaction on the Internet moves at the pace of the Domain Name System, we think this is well worth it!
Want to learn more on how to improve the Internet experience for your customers? Contact me at bert.hubert AT powerdns DOT com