Recently, there has been a lot of things in the news about DNS services being a weakness of one sort or another. Comcast customers in the American Midwest experienced downtime just within the last week due to DNS servers not being available – which happened previously on the American East Coast. Wikileaks.com became unavailable when its DNS supplier, EveryDNS, cut them off. Many sites found their domains seized by the US government without warning and without legal warrants.
What can one do to prevent these sorts of downtime and unavailability of DNS services? One person is already considering this: the founder of PirateBay is attempting to create a distributed DNS as a result of the US government’s seizure of numerous domains.
Others have noted related projects – projects which hoped to be alternate root servers. One such project, Telecomix DNS, has been reinvigorated by the recent domain seizures – and even has a page for those who own seized domains. In the history of the Internet, alternate domain root servers have sprung up – such as AlterNIC and Open Root Server Network and OpenNIC – but most have shut down (OpenNIC continues to operate).
However, most of those projects suffer from the same availability problems that others do: if the service shuts down, the domains become unavailable. If the owner is forced or convinced to seize domains, then the domain is gone. With a truly distributed service, this becomes impossible, and availability increases.
What has Wikileaks done to solve this problem (aside from moving to a Canadian DNS provider named EasyDNS) is to add multiple DNS providers beyond just EasyDNS. PCWorld has a nice article detailing all of what Wikileaks does to stay online – which provides a good lesson for the rest of us. EasyDNS also has an excellent article on how to keep DNS up and running in the face of a denial of service attack, written in fantastic detail by the service provider.
Have you considered what would happen if your primary DNS resolver went offline? Even if you have your own DNS server in-house, there is an upstream server that could potentially go away. Maybe there are even two or three different servers that your servers send requests to – but are they the same provider? There are several services that provide free DNS – including:
- Google DNS at 220.127.116.11 and 18.104.22.168
- OpenDNS at 22.214.171.124 and 126.96.36.199
- Scrubit at 188.8.131.52 and 184.108.40.206
- DnsAdvantage at 220.127.116.11 and 18.104.22.168
Make DNS a part of your disaster recovery plan and prevent it from taking your services down – do it today.
Update: ITWorld has a nice article that explains several projects that have sprung up to make DNS resistant to censorship by a central entity.