Defending against DNS attacks begins with building a modern DNS System Architecture

Source: Internet
Author: User

Today the DNS system has long outgrown its original "address book" role. As the Internet has spread, malicious intrusions and DDoS attacks have multiplied. A modern DNS system should be designed to address these threats while still giving end users a fast, easy-to-use interface.

The entry point of the DNS system is where the webmaster adds and deletes records. This part must be easy to use and take effect quickly, so a powerful queue system is needed to distribute data rapidly and keep the servers synchronized. The exit point of the system is port 53, which provides the query service. Here we must, on the one hand, meet the compatibility requirements of the various recursive servers and, on the other hand, defend against all kinds of intrusions and attacks. The core module in the middle provides the basic resolution functions; it must be as compatible with the various RFCs as possible while maximizing performance.

As an example, the DNSPod web front-end stores user records in a MySQL database, but the back-end queue system does not rely on MySQL master-slave replication. Instead, it reads data from the MySQL database and distributes it itself, so changes take effect across servers within 10 seconds. In practice, by the time a user has added a record on the website, closed the page, and queried the server, the data has already been updated.

The DNS servers sit behind a black hole cluster protection device, whose main job is to detect common attack forms. It can also accept real-time commands from the back end, block domain names promptly, and change policies, giving intelligent attack protection. On the DNS server itself, the attack detection and protection programs run in kernel mode. The protection program watches the local machine's traffic in real time to ensure that the machine's maximum load is not exceeded. The attack detection program inspects packet characteristics and analyzes them in real time; when it detects convergence on a particular packet feature, it immediately notifies the black hole device in front of it to fend off the attack and relieve the pressure on normal service.
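To make the detection step concrete, here is an added example (not DNSPod's code) of a feature-convergence check run over a few constructed query-log lines. It assumes a simple log format of "epoch src_ip qname qtype", treats the last two labels as the hosted zone, and flags a zone when a short window contains many queries that almost all target distinct, never-repeated subdomains, the signature of a random-subdomain flood; the thresholds are assumptions chosen for the demo.

```python
"""Added example: feature-convergence detector over constructed DNS query logs.
Assumed log format (not DNSPod's): "<epoch> <src_ip> <qname> <qtype>".
"""
from collections import defaultdict

# Thresholds are assumptions for this demo, not values from the article.
WINDOW_SECONDS = 5       # sliding window length
MIN_QUERIES = 8          # minimum queries per zone inside one window
MIN_UNIQUE_RATIO = 0.8   # share of distinct names that marks a random-subdomain flood

# Constructed sample: normal repeated lookups for example.com, then a burst of
# random labels under example.net, each name seen only once.
SAMPLE_LOG = [
    "100 198.51.100.7 www.example.com A", "101 198.51.100.8 www.example.com A",
    "102 198.51.100.9 mail.example.com MX", "103 198.51.100.7 www.example.com A",
    "104 198.51.100.8 ns1.example.com A", "105 198.51.100.9 www.example.com A",
    "106 198.51.100.7 mail.example.com MX", "107 198.51.100.8 www.example.com A",
    "108 198.51.100.9 www.example.com A",
    "200 203.0.113.10 a1b2c.example.net A", "200 203.0.113.11 d3e4f.example.net A",
    "201 203.0.113.12 g5h6i.example.net A", "201 203.0.113.13 j7k8l.example.net A",
    "202 203.0.113.14 m9n0o.example.net A", "202 203.0.113.15 p1q2r.example.net A",
    "203 203.0.113.16 s3t4u.example.net A", "203 203.0.113.17 v5w6x.example.net A",
    "204 203.0.113.18 y7z8a.example.net A", "204 203.0.113.19 b9c0d.example.net A",
]

def zone_of(qname: str) -> str:
    """Treat the last two labels as the hosted zone ('a.b.example.com.' -> 'example.com')."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def detect_convergence(lines, window=WINDOW_SECONDS, min_queries=MIN_QUERIES,
                       min_unique=MIN_UNIQUE_RATIO):
    """Return {zone: {"queries": n, "unique_ratio": r}} for zones whose traffic
    converges on one feature: many queries in a short window, nearly all for
    distinct names. The largest qualifying window per zone is reported."""
    per_zone = defaultdict(list)  # zone -> [(timestamp, qname)]
    for line in lines:
        ts, _src, qname, _qtype = line.split()
        per_zone[zone_of(qname)].append((int(ts), qname.lower()))
    alerts = {}
    for zone, events in per_zone.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # drop old entries
                start += 1
            win = events[start:end + 1]
            if len(win) < min_queries:
                continue
            ratio = len({q for _, q in win}) / len(win)
            if ratio >= min_unique and len(win) > alerts.get(zone, {}).get("queries", 0):
                alerts[zone] = {"queries": len(win), "unique_ratio": round(ratio, 2)}
    return alerts
```

The returned zones are the ones a back end would hand to the upstream protection device for rate limiting or temporary blocking.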

The standard DNS servers that ultimately answer queries can use efficient network programming models, in-memory databases, and similar techniques to improve performance, while implementing the latest RFCs promptly to ensure seamless interoperation with the major recursive servers.

From this we can see that the architecture of a DNS system is no longer as simple as running a particular piece of server software; it is a chain, a large system that requires close cooperation among all of its parts.

[Author] Zhang Pu is a senior system development engineer at DNSPod, Inc. and is engaged in DNS system development. He is mainly engaged in Linux kernel, network, and database development.
