When companies develop an online presence, the first marketing thought is often website design. But taking a look at the deeper infrastructure has enormous benefits for not only brand identity, but also for brand protection. Understanding the opportunities that the Domain Name System offers is central to a strong online brand. eco’s Lars Steffen spoke to DNS pioneer Sven-Holger Wabnitz on behalf of dotmagazine about findability, security and brands in the DNS.
DOTMAGAZINE: Can you explain the idea of the DNS in a few words?
SVEN-HOLGER WABNITZ: You can compare the DNS with a phonebook and yellow pages, in which names of people and companies are mapped to telephone numbers, resources and services. You usually know the name of a person, but perhaps not his mobile number, so you use your phonebook. The following example demonstrates this: if you want to visit the homepage of eco you just type into your browser www.eco.de instead of currently 220.127.116.11 or even much more complicated number-letter combinations with IPv6.
There are many more use cases out there for the DNS:
- When you send an email, the sending host needs the DNS to find the mail exchanger for the receiving domain.
- If you have a data centre and you have to change an IP number, you can just change it and the name stays (for example the host on which the http demon www.eco.de is operated has to be changed and thus the IP number: visitors still type in www.eco.de)
- The management of the IP numbers: the so-called reverse IP management, which is basically a mapping from IP numbers to hosts
- The DNS is also used in the context of VoIP, in supply chain management (RFID), especially in the Internet of Things (everything) area. Again: think of remembering of billions of IP numbers instead of simple names like: webcam.meetingroom1.cologne.eco.de.
DOT: That sounds like a quite complex infrastructure. Can you explain the technical background to us in layman’s terms?
WABNITZ: Yes, you are right Lars, the DNS is a complex infrastructure. Let me give you a basic explanation without going into too many details. The DNS is the backbone of the Internet; without it, the Internet would simply not function. The DNS is a hierarchical distributed database, the root level is called “the root” which is operated by ICANN, the Internet Corporation for Assigned Names and Numbers. Each level in that hierarchy has its own authority which was delegated by its parent (e.g. eco.de.). Each node in that tree is called “zone”. Usually each of the delegated zones is operated on different servers (the name servers) than its parent. In each zone, there are database entries: information about sub-delegations of an authority and the mapping from names to resources of a specific type, for example: the host's IP address of www.eco.de.
DOT: That makes sense. I have one last technical question before we come to the importance of the DNS for companies: How does a workstation / desktop computer know which database instance to ask? What is the background to this?
WABNITZ: That’s a very good question, Lars. The infrastructure I described is called the authoritative DNS. Each of the name servers is responsible for the database entries it holds for a delegated zone including sub-delegations. But how do you find them? A delegated zone does not have any information about its parent. If you want to resolve a host name you have to start from the root and you basically say: dear root name servers, which name servers operate your child label “de”? After getting this answer, those name servers are asked which name servers operate the delegated label “eco” (which is concatenated to eco.de.). At the end, these name servers are asked for the entry of www.eco.de. The answer will be an IP number. Your browser now can connect to that IP number and ask the http service for the webpages of www.eco.de. But how can you find the root? Well, these name servers are well known worldwide by their IP number.
This task is called name resolution and is done by so-called resolvers or caching resolvers (caching because they remember the answers for a specific length of time to save traffic and speed up the resolving process). The resolvers are configured in your computer and you find it via the IP configuration “resolver” or “DNS server”.
DOT: We have all heard about the new top-level domains which are on the level one of the DNS hierarchy and operated by registries. Do you have any statistical data about the domain names and why domain names are important for a company?
WABNITZ: In the end, it is all about brands and identification – no matter whether we speak about a private person, small and medium companies, large enterprises, organisations or governments. Especially large enterprises own usually many brands and trademarks worldwide. They protect their brands against phishing, brand breaching and brand squatting through so called defensive registrations: these companies register domains representing their brands and domains with typos under many country code top-level domains as well as new generic top-level domains. They have a portfolio of hundreds, thousands or sometimes tens of thousands of domains and thus they have to care about internal processes and data related to those domains as well as everything related to finance and cost centres.
The new top-level domains have been launched for several reasons. One was for sure that the space of available names became thin but the demand for new names was still there. Let us take a look at some statistics out of the industry: there are over 334 million domains registered worldwide (status 2016). Since the beginning of the launch of the new TLDs (which is still ongoing), we can see still an increasing growth rate. We still have a growth rate of over 12.9% per year. Assuming an average cost of $15 per domain per year, we are talking about a 5.01 billion dollar yearly revenue, growing at over 12% each year, not to speak of the reseller chain. These numbers do not take into account emerging markets in underserved regions, which will be the markets of tomorrow. And domains are only the basis for the higher value services.
DOT: This sounds like we should pay attention to the DNS. Are there any regulatory rules or data privacy topics we should speak about?
WABNITZ: Yes, definitely. This is a very sensitive topic. At a first glance, you could say: well, the data in the DNS can be queried by anybody so the data is commonly available and there is nothing to protect. But looking behind the scenes: the operator of authoritative name servers and operators of resolvers collect the data of queries and can zoom into the data. They have the possibility to know who queries a certain domain and, in case of resolvers, they can evaluate which sites and services are used by a company. Today we all know the value of user tracking and profiling. Right at that point carriers and the Internet industry have the responsibility to protect customer privacy by keeping that information inside the country or a region. This is often the reason for a regulator to keep DNS servers inside the country or a specific region with similar data privacy laws.
DOT: I learned that the DNS is important for the infrastructure. What can happen if the DNS fails?
WABNITZ: You are addressing a very important aspect, which is more important today than ever before. Think again about the range of Internet services: websites, email, voice, e-commerce, payment, smartphones, intelligent / smart devices: all of these services need an addressing infrastructure. If that fails, the service is still available but cannot be found and used anymore. Each company today relies somehow on the Internet and DNS, and thus the DNS is vital for business continuity. It must be highly available, authentic, and secure.
DOT: We hear a lot about denial of service attacks against websites etc. but very seldom about attacks against the DNS. Are there attacks possible and if so, what do they look like?
WABNITZ: An interesting question. It is very hard to attack the DNS because you need a lot of calculation power, bandwidth, and knowledge or a combination of these. There are basically diverse types of attacks, direct attacks and indirect attacks. We spoke earlier about the latter one: phishing, domain grabbing, and brand breaching.
The direct attacks can be divided into denial of service attacks and authenticity attacks. Let us speak first about the DDoS (distributed denial of service) attacks. As we already learned, the DNS is highly available thanks to the possibility of a distributed infrastructure. Anycast infrastructures make it even harder to attack the DNS in such a way. The side of the attacker needs either a massive bandwidth – which is nearly impossible to own because it is easy to find the source – or many devices with low bandwidth. And here we find the risk of the future. If somebody owns (here in the sense of a bot network) millions or tens of millions smart and small devices like cameras, routers, printers or any other – let’s call them IoT – devices, he can easily generate hundreds of millions of small / cheap queries to authoritative name servers. This will cause in an overload of the authoritative name server-infrastructure. As a result, zones hosted on those name servers will not be resolved any more (we exclude caching here). This happened a while ago with the name servers of the company Dyn (it was reported in media), which were attacked from tens of millions of IP addresses and as a result many more than 50 companies were not reachable anymore – including Amazon, Airbnb, CNN, Fox news, Netflix, Paypal, Twitter, and Spotify.
The other type of direct attacks, authenticity attacks, give the user wrong information. They are called DNS Spoofing and Cache Poisoning. One example: we all trust the so-called SSL secured data transfer via https. If we communicate via an https connection (we see the secure connections sign in the browser), we simply trust that connection and we think the data transfer is safe. But we cannot be sure who we are communicating with. The DNS resolver could have delivered a wrong IP number (remember: the web client needs the IP number of the webserver based on the DNS hostname) and our client connects to the wrong server which offers a SSL connection. You are simply redirected to another host / service. This can happen with ANY service. I believe I do not need to explain further consequences for the client and the company who offers the service. Such attacks are the mentioned and so-called “cache poisoning” attacks because the cache of a resolver is poisoned with false information. But there is solution in place which unfortunately is only used by the minority of companies / name servers / DNS hosters, and this solution is called DNSSEC. It increases security dramatically. DNSSEC ensures the integrity and authenticity of DNS queries. If done the authenticity is ensured up to the resolver of the provider (if you are a specialist up to the end of your own infrastructure). The connection between the provider running the resolver and the client is assumed to be secure. But it isn’t. There is a long way to go until an end-to-end authenticity is in place.
Each company should ask the questions: what is the cost per minute of Internet service failure or service redirection beside reputational damage.
DOT: Thank you for the exhaustive and very interesting information. Do you have a last personal statement for our audience?
WABNITZ: Thank you for the interview Lars and it was a pleasure to talk to you. Let my last statement be: The DNS is a fantastic infrastructure and a fantastic example of a distributed infrastructure. It is highly available and scalable. The DNS as it is used today is only a proof of concept for much larger use cases in future.
Sven-Holger is an Internet pioneer and the inventor of the domain & DNS management software DomiNIC. His passions in the DNS area are disruptive use cases, DNS in the context of IoT, structural analysis, online brand protection as well as risk and security strategies.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.