By Moritz Müller
A starting point for operators interested in the KINDNS framework
Authors: Olivier van der Toorn, Moritz Müller, Sara Dickinson, Cristian Hesselman, Anna Sperotto, Roland van Rijswijk-Deij
Earlier this year, our tutorial paper ‘Addressing the challenges of modern DNS: A comprehensive tutorial’ was published. The paper was co-authored with colleagues at the University of Twente and Sinodun. It describes the Domain Name System (DNS) from two perspectives: what the modern DNS actually looks like in practice, and which security challenges it currently faces. The paper is aimed at technical staff who want to know more about the DNS, and at DNS specialists looking for a starting point for a more detailed exploration of the subject, and is thus well suited to anyone preparing for the KINDNS framework.
Why a(nother) DNS tutorial?
Finding out about the current state of the DNS and its extensions can be quite an undertaking, as everyone who sets out to apply the best practices formulated in the KINDNS framework will discover sooner or later.
Numerous DNS tutorials can be found online, but most explain only the basics of how the system works, and only a few cover recent developments such as DNS-over-HTTPS or DNS centralisation. Another problem is that the formal documentation of the DNS is very extensive. In the early days, the RFCs defining the system ran to perhaps a hundred pages; today there are more than two hundred documents totalling more than 3,500 pages. Anyone who wants to get to grips with the subject therefore has to track down and read a huge number of documents, and then work out which parts of them still apply in the modern world.
Our paper is intended to help people get past those problems. We explain what the DNS looks like in practice, and we help (budding) DNS specialists to understand the most important aspects of modern DNS deployments. The paper draws on our own DNS research, our operational experience and our familiarity with the DNS RFCs and academic literature.
We hope that this paper can also lay the foundation for operators who want to apply the best practices from the KINDNS framework.
Applying the best practices requires a good understanding of the DNS protocol itself. In our paper we describe, with many examples, how the DNS protocol is structured and how the different components of the DNS interact with each other. Operators already familiar with the DNS can skip this section and jump directly to the topics they find most relevant.
The KINDNS framework has a strong focus on DNS security. This also includes DNSSEC, which is explained in our paper as well.
DNSSEC can look complicated at first sight, especially compared to the basic DNS protocol. We believe, however, that operators who understand how DNSSEC interacts with the different DNS components can safely deploy it for their domain names and on their resolvers. In our paper, we give operators who want to know the whys and hows the relevant information on DNSSEC and its deployment, without overwhelming them with unnecessary detail.
The DNS is crucial for the availability of almost any service on the Internet, and the KINDNS framework accordingly devotes attention to this topic. We help operators run a resilient DNS service by showing how to estimate the bandwidth needed, how to distribute a zone across multiple name servers, and how to deploy anycast DNS. Monitoring, too, is an important aspect of both the KINDNS framework and our paper.
We also explain other knobs and handles that make a DNS setup more resilient but are not part of the framework. Caching, for example, has a major influence, and we describe how operators can find the right balance between agility (short TTLs, so changes propagate quickly) and availability (long TTLs, so cached answers survive an outage of the authoritative servers).
A hot topic in the DNS community, and one of the “Bonus Practices” of the KINDNS framework, is support for encrypted DNS transport. We give an overview of the different protocols, their commonalities and their differences. We also describe how QNAME minimisation works.
Furthermore, running a DNS service that protects the privacy of its users touches not only on technological but also on policy aspects. We give the reader pointers on how to protect users' privacy while keeping enough information to run a reliable service.
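To make concrete what QNAME minimisation changes, the following simulation is added here as an illustration; it is not code from the paper, from the original article, or from any resolver. It walks a toy delegation tree (the zone cuts and the names are constructed) and lists which name each authoritative server gets to see, once for a classic resolver that always sends the full QNAME and once for a resolver that adds one label per step as described in RFC 7816. RFC 9156 additionally lets a resolver add several labels at a time after the first few steps and caps the total number of queries; that refinement is not modelled. The `nxdomain_on_ent` parameter is this example's own assumption: it marks zones whose servers wrongly answer NXDOMAIN for empty non-terminals, the failure mode for which minimising resolvers fall back to the full name.

```python
"""Simulate the query sequence of a resolver with and without QNAME minimisation.

Constructed example: the delegation tree is a toy, no packets are sent.
"""


def labels(name: str) -> list[str]:
    """'www.example.com.' -> ['www', 'example', 'com'] (root label omitted)."""
    return [label for label in name.rstrip(".").split(".") if label]


def ancestors(qname: str) -> list[str]:
    """All names on the path from the root down to qname, root first.

    'www.example.com.' -> ['.', 'com.', 'example.com.', 'www.example.com.']
    """
    parts = labels(qname)
    path = ["."]
    for i in range(len(parts) - 1, -1, -1):
        path.append(".".join(parts[i:]) + ".")
    return path


def full_qname_queries(qname: str, zone_cuts, start_zone: str = ".") -> list[tuple[str, str]]:
    """Classic iterative resolution: every zone on the path is asked for the full name.

    Returns [(zone_asked, qname_sent), ...], starting at start_zone.
    """
    cuts = set(zone_cuts) | {"."}
    path = [name for name in ancestors(qname) if name in cuts]
    return [(zone, qname) for zone in path[path.index(start_zone):]]


def minimised_queries(qname: str, zone_cuts, nxdomain_on_ent=frozenset()) -> list[tuple[str, str]]:
    """QNAME minimisation, one label per step (RFC 7816 style).

    zone_cuts: names that are delegation points; the root is implicit.
    nxdomain_on_ent: zones whose servers answer NXDOMAIN for names that exist
    only as empty non-terminals (constructed assumption). A resolver that hits
    this falls back to sending the full QNAME for the rest of the resolution.
    """
    cuts = set(zone_cuts) | {"."}
    queries = []
    zone = "."  # the resolver always knows the root servers
    for name in ancestors(qname)[1:]:
        queries.append((zone, name))
        if name in cuts:
            # Referral: the next query goes to the child zone's servers. If the
            # minimised name is the target itself, the child zone answers its apex.
            zone = name
            if name == qname:
                queries.append((zone, qname))
        elif name != qname and zone in nxdomain_on_ent:
            # Bogus NXDOMAIN for an intermediate name: give up minimising here.
            queries.extend(full_qname_queries(qname, cuts, start_zone=zone))
            break
    return queries


def names_seen(queries) -> dict[str, list[str]]:
    """Which QNAMEs each zone's servers observed; this is the privacy difference."""
    seen: dict[str, set[str]] = {}
    for zone, name in queries:
        seen.setdefault(zone, set()).add(name)
    return {zone: sorted(names) for zone, names in seen.items()}


CUTS = {"com.", "example.com."}  # constructed delegation tree under the root

if __name__ == "__main__":
    for q in ("www.example.com.", "x.a.b.example.com."):
        print(q)
        print("  full:     ", full_qname_queries(q, CUTS))
        print("  minimised:", minimised_queries(q, CUTS))
    # Root and .com servers only ever see 'com.' and 'example.com.' when minimising.
    print(names_seen(minimised_queries("www.example.com.", CUTS)))
```

The trade-off the paper discusses is visible in the second name: minimisation costs extra round trips to the same server when a name has several labels below the last zone cut, and the fallback on a broken server removes that cost again at the price of revealing the full name to that one zone.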
Not part of the framework, but something probably every operator faces at some point, is the detection and prevention of abuse. In our paper we show how bad actors can misuse the DNS to facilitate, coordinate or even amplify attacks on the Internet. Fortunately, operators also have many tools and software settings at their disposal that help to mitigate such attacks, at least partially. Again, we explain these in more detail in our paper.
Finally, every DNS operator knows that the DNS is still not a perfect protocol. In our paper we also list the open challenges the DNS faces today, and we invite operators to share their experiences with researchers and the broader DNS community to help improve the DNS further.
Want to know more?
Following publication in Elsevier's Computer Science Review, our paper is now open access. The tutorial is available from our website as a PDF download or to read online. We hope that our paper will help you to understand and implement the KINDNS best practices, and perhaps even to follow and contribute to more complex DNS community debates, such as those that take place within the IETF.
This is a modified version of an article previously published at sidnlabs.nl.