The DNS is a key part of the Internet and one that has been part of its trust framework since the beginning.
The DNS is a key part of the Internet and one that has been part of its trust framework since the beginning. It’s also a vulnerable part of the Internet. In part two of a three-part series we explore building a stronger Canadian Internet.
In part 1, we recognized that Canada is unique within the global Internet, even as we recognize that most countries face some of the same challenges. The goal of building a stronger Canadian Internet is to benefit Canadians and to do our part for the global Internet.
- It’s good for business
- It’s good for individuals
- It is good for data sovereignty and privacy
There is a fourth reason to build a stronger national Internet
4. Security and Stability
It’s a scary world out there. Individual DDoS attacks are often measured in the hundreds of gigabits per second and can last for days. At any given time, the Arbor networks Digital Attack Map shows, in full technicolor, hundreds of attacks. The sad part about this map is that, even if you try, you can’t really zoom in on Canada. You can click on it, get some data, but you can’t even read our poor country’s name due to the big giant funnel of bad actors hitting the United States. It is a metaphor about how “their” Internet looms large over “our” Internet.
This analysis is a little tongue-and-cheek to be sure, but the point is that on a global scale our nation’s activity is small and we are not thought of first by solution providers. Even though we’re a small country, we’re a western country and we still get more than our fair share of attacks. A strong local Internet can help protect us.
But how does a national DNS fit in?
Without the DNS you don’t have an Internet. But the DNS is a lot harder to understand than the hubs and wires of a typical home network. It’s probably the reason the Internet is always drawn as an amorphous cloud. As a result many organizations in Canada have been relatively slow to update their external DNS and are exposed to outages through technology malfunction or malicious attack.
A strong national DNS helps protect the national Internet because the name servers, like any other server, can be directly targeted, or recruited, in a DDoS attack. This has been an argument in favor of Anycast versus Unicast name servers for years and one that has been built into a profitable business by (mostly) American companies.
Anycast is part of a strong national backbone
An Anycast infrastructure replaces a unicast infrastructure with a geographically distributed cloud of servers that shares a single IP address. Layer 3 routing automatically routes queries to the closest name server and reduces latency. The other benefit of Anycast is that attacks on the DNS are routed to the geographically closest name server, and can get soaked-up there leaving the others free to do their job. So now you have part of the picture on creating a national DNS.
- Step 1 Build lots of name server nodes very close to your citizens at local IXPs. These nodes should exist in at least two distinct clouds to provide even further resilience. While DNS latency in general isn’t a huge factor in overall site load times, it is a contributor, and so being close to users helps to improve their experience.
- Step 2 Build high bandwidth nodes offshore to soak up offshore attacks over which you have no easy jurisdiction to enforce laws. That makes it more resilient and also serves global traffic. Ideally these nodes are in key Internet hubs.
- Step 3 Configure the in-country nodes as “local nodes”. Through BGP configuration, local nodes do not announce routes globally and only answer queries that originate on the local network. This helps to protect the Canadian DNS from offshore attacks because they can only answer queries from the local network. We have seen this approach used by other countries, such as the Netherlands.
By combining these three steps, what you have effectively done is put a geo-fence around the DNS (the authoritative servers anyway) while still having International nodes and bandwidth available to serve global queries and queries from local citizens who are not connected to the IXPs. This is, in fact, exactly what CIRA has done for the authoritative .CA servers.
How to make sure it all works
The authoritative DNS is an important part of getting a strong local Internet, but three more national actions can help to build a strong Internet.
Action 1 – Get Canadian ISPs to peer at local IXPs to leverage the benefits of a national backbone
Action 2 – All levels of government and local ISPs should peer at IXPs
Action 3 – Mid to large size businesses and hosting companies should peer at local IXPs
IXPs across Canada
Benefits of a national DNS
This DNS architecture provides resilience, fault tolerance and security on a national scale and can serve organizations that do a lot of business in your country. It takes what has traditionally been the responsibility of individual companies in deploying authoritative unicast servers and makes it part of the network-of-networks that is the global Internet. Finally, because it is delivered as a secondary DNS service based on zones and query volume it can be managed by IT departments just like other managed DNS services are today.
Why a secondary service? Because it can easily be added to whatever primary and secondary service organizations are already using to manage their DNS. When they add a national DNS service they are protecting the national interest (i.e. service quality and revenue) while still serving the world. Even small companies (i.e. the ones who don’t know what DNS stands for) can benefit if the service is implemented by local hosting providers into their bundles.
The role of D-Zone Anycast DNS
In addition to rolling out this infrastructure for the .CA top level domain (TLD), .CA has established a second footprint to help protect Canadians doing business over the Internet. Called D-Zone Anycast DNS, it combines Canadian local nodes with international global nodes to create a national DNS infrastructure. It is early in market development, but early feedback has been positive and could be a blueprint for other ccTLDs interested in supporting their local Internet.