DNS Outage on the 31st March ?

According to various reports, a bunch of malicious protesters (Anonymous) have announced plans to attach the global root DNS servers on the 31st March 2012. Another part of the same groups has distanced itself from the attack.

Is this really going to happen ? And if it does, what effect will it have ?

Well the only answer to the first question is to wait until the 1st April to find out. After all it is perfectly possible that this is merely a publicity stunt.

And the quick answer to the second question is that nobody really knows. But the likelihood is that any impact will be minimal, and not be noticeable to anyone using the Internet. In the worst case scenario, it is likely that some random top-level domains (com, uk, etc.) will “disappear” for possibly a short duration, although it is impossible to predict which such domains will disappear.

The worst case scenario is quite unlikely – this is not the first time that the root nameservers have been attacked in this way.

It should be noted that it will have no effect within the port.ac.uk domain – every name within that domain remains resolvable to our network without the root nameservers.

The Detail

Despite the claims by Anonymous, the DNS infrastructure is very well protected – most of the root nameservers are in fact clusters of a number of real servers hiding behind a single network address. But if a distributed denial of service attack is big enough and goes on for long enough, it could have a negative effect on the root nameservers. In fact this is not the first denial of service attack against the root name servers – one occurred as far back as 2002, and during that attack no user services were significantly impacted (a report on the incident is still available and Wikipedia also has an article).

The root nameservers provide answers that tell other nameservers where master nameservers for the top-level domains are – .com, .org, .uk, etc. If all of the root nameservers are inoperative for long enough, all of the names on the Internet will effectively disappear, but this doesn’t happen immediately.

What happens when you visit google.com (or any other place), is that your machine asks a nameserver to look up that name. This in turn looks up com (and caches the result), and in turn looks up google.com on the nameserver that is returns from the com lookup.

The caching is controlled by the DNS TTL parameter on the answers that come back from nameservers. That value is usually set to about a day … or longer for such important domains; which means that if the denial of service attack occurred at just the right time and all nameservers were synchronised so their cache timeouts on each record started at exactly the same time, then even if the root nameservers were disabled by the attack, the caching would eliminate any issues.

In practice the “random” nature of caching means that a number of cache entries will expire during the hypothetical outage, so disruption will occur for random ISPs and for random top-level domains. If the root nameservers are so severely disrupted that no answers can be obtained.

This worst case scenario is dependant on some quite unlikely things occurring, so although it is a possibility, it is a very unlikely possibility. And this all assumes that the root nameserver administrators are all on a month long conference with no Internet access – they’ll be “doing stuff” on this.


This entry was posted in Uncategorised. Bookmark the permalink.