As the administrator of .nl, SIDN is responsible for the functional stability and development of the Netherlands’ country-code top-level domain (TLD). Leaseweb recently became the first company to implement SIDN’s local anycast technology in its network. Marco Davids, Technical Advisor at SIDN, explains how local anycast differs from regular anycast.
At SIDN we operate an impressive DNS-infrastructure: available at all times, under all circumstances, and designed to reply to thousands of DNS-queries per second. The downside of such a powerful infrastructure is that it can function quite well as a reflector for amplifying DDoS-traffic. And thus, besides using open resolvers, the bad guys also abuse (our) powerful authoritative name servers to amplify their malicious DDoS-traffic.
Gaming-related DDoS-attacks are especially popular nowadays and we’ve had our share of participating in those. Luckily, by implementing ‘response rate limiting’, we have managed to reduce this kind of annoyance. As a result, we are no longer an unwilling accomplice in DNS-amplification attacks, targeted at others.
Accomplice or target?
Apart from being an accomplice in DNS-amplification attacks, there is also the chance of us being the target ourselves. This scenario would impose really different challenges, because ‘response rate limiting’ might not help. Until recently, our response was to add more DNS-capacity. Even though this approach still makes sense, the giant DDoS attack against Spamhaus in March 2013 made clear that adding more capacity is a rat race we ultimately cannot win. Therefore, we had to come up with another approach to mitigate this threat.
Our solution: local anycast
DNS-anycast as such has proven to be very effective. It has long been in use for the root name servers at a global level. At ‘.nl’ we have also deployed a number of global DNS-anycast instances for quite some time. The reasoning behind anycast is as simple as it is effective. By leveraging the characteristics of the BGP-protocol and announcing the same IP-prefix from different places on the Internet, packets addressed to destination-addresses in this prefix are simply routed to the “nearest” point. Admittedly, in reality it’s somewhat more sophisticated than that, but the basics are pretty straightforward. It’s like spreading the traffic over multiple instances of the same server in some clever way, and that works really well, especially for UDP.
What makes our approach different from traditional anycast (used by many TLD-registries) is that we also deploy so-called ‘local’ instances. Their BGP-peering is configured in such a way that the announced routes are not advertised globally. For those of you familiar with BGP: this is what a ‘community no-export’ setting would typically accomplish (although we use other methods as well).
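To make the ‘no-export’ idea concrete, here is an added example (not SIDN’s or Leaseweb’s actual configuration) of how an FRRouting bgpd on a local node could announce its anycast prefix to a single partner router. ASNs, addresses and prefixes are placeholders from the documentation ranges; the prefix-list and route-map names are hypothetical.

```text
! FRRouting bgpd configuration for a hypothetical local anycast node.
! ASNs and prefixes are placeholders (RFC 5398 / RFC 5737 / RFC 3849 ranges).
!
router bgp 64496
 bgp router-id 192.0.2.1
 ! Announce the prefix even if it is not yet in the kernel routing table
 no bgp network import-check
 ! One eBGP session per address family to the partner ISP's router
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description partner-isp-ipv4
 neighbor 2001:db8:ffff::1 remote-as 64497
 neighbor 2001:db8:ffff::1 description partner-isp-ipv6
 !
 address-family ipv4 unicast
  network 192.0.2.0/24
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.1 route-map LOCAL-ANYCAST-V4-OUT out
 exit-address-family
 !
 address-family ipv6 unicast
  network 2001:db8:53::/48
  neighbor 2001:db8:ffff::1 activate
  neighbor 2001:db8:ffff::1 route-map LOCAL-ANYCAST-V6-OUT out
 exit-address-family
!
ip prefix-list ANYCAST-V4 seq 5 permit 192.0.2.0/24
ipv6 prefix-list ANYCAST-V6 seq 5 permit 2001:db8:53::/48
!
! Tag the anycast prefix with the well-known NO_EXPORT community, so the
! partner's routers keep it inside their own AS and never pass it on to
! transit or peering neighbours. Everything else is explicitly not announced.
route-map LOCAL-ANYCAST-V4-OUT permit 10
 match ip address prefix-list ANYCAST-V4
 set community no-export
!
route-map LOCAL-ANYCAST-V4-OUT deny 20
!
route-map LOCAL-ANYCAST-V6-OUT permit 10
 match ipv6 address prefix-list ANYCAST-V6
 set community no-export
!
route-map LOCAL-ANYCAST-V6-OUT deny 20
```

On the partner's router, `show bgp ipv4 unicast 192.0.2.0/24` should list the received path with `Community: no-export`, which is the check that the route will stay within that network.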
As you can imagine, a local node has an advantage. Being local, it won’t, by definition, attract any traffic from outside the network. No matter how much DDoS-traffic there is globally, it won’t reach a local node. Only locally generated DDoS-traffic, should there be any, might get to it. But you have much more control over that.
A local node, on the other hand, offers you and your customers the advantage of reliable and fast access to at least one fully functional ‘.nl’ authoritative name server.
Deployment strategy
We will continue to improve the DNS infrastructure for ‘.nl’, and local nodes will help us to accomplish that. Typically, we place them in locations where they make the most sense. Think of major ISPs and hosting companies. In short, in places where they will help you to better reach ‘.nl’. In theory, we can install as many as we like.
If you’d like to be one of our partner-organizations, there are a few demands you should meet. Firstly, we expect you to be responsible about abuse and to have an active policy against open resolvers. Naturally, we also expect you to support IPv6 fully. Leaseweb, for example, complied with all of these requirements.
Our local anycast nodes come in two flavours. Either a fully dedicated one, to be exclusively used by a partner-organization, or a node you share amongst other carefully selected partners. Depending on ‘relevance’ (in terms of number of DNS-queries and other considerations) you may or may not (yet) qualify for a dedicated node. As an alternative, there is the option for peering with a shared node.
Leaseweb shared our vision and qualified for a dedicated node at a very early stage. We appreciate the flexibility and efficiency they showed in getting the first local node for ‘.nl’ up and running. It was a pleasure to work with them on this joint effort. Luckily, a considerable number of other well-known Dutch ISPs followed soon after.
Should you be interested in learning more about our program, or would like to know how you can help to improve the resilience of ‘.nl’ for you and your customers, please do not hesitate to get in touch.