May 2017 - Routing & Reachability | Networks | Economic Impact of Connectivity

Anycast: The State-of-the-Art Technology to Secure Your Online Presence

So you have done everything to protect your online presence: You have redundant web servers, firewalls, DDoS protection in a high security data center, and much more. But… have you also considered your domain name server? If not, this could be your single point of failure, Klaus Darilion from nic.at explains.

Unicast - © nic.at / Anna Rauchenberger

Nowadays, an enormous part of business success depends upon the availability of the Internet. All relevant services, such as web, email, FTP and media servers, are accessed via the Domain Name System (DNS) by people typing in the domain names of these servers. This is why the DNS has to be extremely robust and fail-proof and should be an essential part of a company’s security strategy.

Why single point of failure?

The classical – and still most common - addressing method in the Domain Name System is “unicast”. This means that a DNS server has a dedicated IP address. Queries to this IP address all lead to this one server no matter where in the world the client is located. This may cause delays and timeouts for remote clients. Furthermore, if the server is down or a victim of a DDoS attack, the whole service provided under this dedicated IP address is affected and not available anymore.

Anycast technology keeps services available around the globe

Anycast routing helps to avoid this “single point of failure”: Name servers distributed as a “cloud” in different locations all advertise the same IP address. If a user looks up a domain name, the nearest anycast instance will respond. The great advantage: DoS attacks affect only the anycast location nearest to the DoS source. Other anycast locations usually still answer the DNS queries from other regions in the world, which means that the service remains available.

Anycast - © nic.at / Anna Rauchenberger

Every anycast location increases the capacity and performance of services 

Due to several geographically distributed anycast nodes, this technology allows shorter response times and better traffic balance. The capacity and performance of the service increases with every anycast location. All locations appear as one global server with one IP address, keeping the size of the DNS responses small.

But… how expensive is anycast technology?

Setting up your own anycast infrastructure is expensive – and if it is to include DNSSEC technology as well, it requires specific technical know-how. This is why at first it was only used for the DNS root servers of the Internet, before Top Level Domain registries also built up anycast clouds to secure their zones. Some of these have started to make their service available to customers, and quite a few large ISPs have begun setting up their own anycast infrastructure as well. Which means that anycast technology is getting more and more wide-spread and affordable, also for small customers.

© nic.at / Anna Rauchenberger

RcodeZero DNS by nic.at

nic.at, the Austrian registry for .at, was one of the first registries which made its anycast infrastructure available for registrars and end customers – they can profit from the same quality of service which is used for .at and some other new gTLDs. It includes complete DNSSEC management for free and is thus a perfect product to enhance the stability and security of the DNS.

DNS services based on anycast ensure optimal load balancing, increase reliability, decrease latency, and are a highly effective response to DoS attacks.

More on domain-related topics can be found on eco's Names and Numbers Forum.

Klaus Darilion studied electrical engineering at the Technical University of Vienna, where he then worked three years as a research assistant at the Institute of Computer Technology. There he conducted research in the field of packetized voice communication and dealt in particular with SIP. Since August 2004, he is in the team of nic.at. Here he deals with current network design, network security, VoIP, VoIP security, DNSSEC and anycast DNS. Since end of October 2014, he is Head of nic.at Operations.


Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.