At the beginning of 2017, we started working on a project to augment the infrastructure of the authoritative DNS servers that keep the .CZ domain running. Our main motivation was to increase the resiliency of the DNS infrastructure against DDoS attacks, a risk that is constantly growing. The basic building unit of the new DNS infrastructure is the so-called “DNS stack”.
ISP stacks and their deployment
In a previous episode of the series on bolstering the DNS infrastructure, I mentioned the various configurations of DNS stacks and their planned use. A special kind is the ISP DNS stack, conceived as an add-on to large nodes in the Czech Republic and thus presenting additional possibilities for expanding the DNS infrastructure. This solution has already been put to use, among others, by SIDN.NL, the .nl domain registry.
How is the ISP DNS stack different from the other kinds? The ISP DNS stack is located directly in the internal network of an Internet service provider (ISP) in the Czech Republic and announces the DNS anycast prefix(es) into that network. We reserve the right to define which anycast prefix is to be used and to change it to another one over time. However, the ISP is not allowed to route this prefix further to its upstreams or to its peers. The ISP DNS stack is primarily intended for entities that provide Internet services (or host content) to a large number of customers and are therefore, from our point of view, important sources of DNS traffic.
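The containment rule above (the anycast prefix stays inside the ISP network and never reaches upstreams or peers) is the kind of thing worth checking offline against the ISP's BGP export configuration. The following Python script is an added example, not code from CZ.NIC or the original post: it audits a constructed table of export decisions and flags any non-internal session that would carry the anycast prefix, a more specific of it, or a covering aggregate. The session names, session kinds and the documentation prefixes standing in for the real anycast prefix are all assumptions.

```python
"""Offline audit of where an ISP announces the DNS stack's anycast prefix.
Constructed example: documentation prefixes stand in for the real ones."""
import ipaddress
from dataclasses import dataclass

ANYCAST_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),     # placeholder
                    ipaddress.ip_network("2001:db8:1::/48")]  # placeholder

# Only sessions that stay inside the ISP network may carry the prefix; any
# other kind (upstream, peer, unknown) is treated as leaving the network.
INTERNAL_KINDS = {"dns-stack", "ibgp"}


@dataclass(frozen=True)
class Export:
    session: str   # BGP session name (assumed naming)
    kind: str      # "dns-stack", "ibgp", "upstream", "peer", ...
    prefix: str    # prefix announced on that session


def overlaps_anycast(prefix: str) -> bool:
    """True for the anycast prefix itself, a more specific of it, or a covering
    aggregate; any of these would pull .CZ queries from outside toward this ISP."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == a.version and (net.subnet_of(a) or a.subnet_of(net))
               for a in ANYCAST_PREFIXES)


def leaked_exports(exports):
    """Exports that would carry anycast address space to upstreams or peers."""
    return [e for e in exports
            if e.kind not in INTERNAL_KINDS and overlaps_anycast(e.prefix)]


def missing_internal(exports):
    """Anycast prefixes no internal session redistributes: not a leak, but the
    ISP's resolvers would then use the public anycast nodes instead of the stack."""
    seen = {ipaddress.ip_network(e.prefix, strict=False)
            for e in exports if e.kind in INTERNAL_KINDS}
    return [a for a in ANYCAST_PREFIXES if a not in seen]


# Constructed export table: one misconfigured peering session leaks a /25.
SAMPLE_EXPORTS = [
    Export("dns-stack-1", "dns-stack", "192.0.2.0/24"),
    Export("core-rr", "ibgp", "192.0.2.0/24"),
    Export("core-rr", "ibgp", "2001:db8:1::/48"),
    Export("transit-a", "upstream", "203.0.113.0/24"),  # ISP's own space, fine
    Export("ix-peer", "peer", "192.0.2.0/25"),          # leak: more specific
]

if __name__ == "__main__":
    for e in leaked_exports(SAMPLE_EXPORTS):
        print(f"LEAK: {e.prefix} exported on {e.session} ({e.kind})")
    for a in missing_internal(SAMPLE_EXPORTS):
        print(f"WARN: {a} not announced on any internal session")
```

On the constructed table the script reports the `/25` leaked on the peering session and no missing internal announcement.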
The advantage of running this DNS stack on the ISP network is full availability of the .CZ zone even during DDoS attacks on the public authoritative DNS servers. Because of the DNS anycast principle, placing the ISP DNS stack on the internal ISP network also increases query throughput and speeds up responses.
We have designed two versions of the ISP DNS stack.
Wiring diagram of the two versions
For some ISPs the ISP mini option is sufficient, i.e. one server that is able to serve approximately 100 million DNS requests per day. If the ISP operates its network in multiple datacenters, we recommend placing one such DNS instance in each of them. For a higher volume of DNS requests, we offer a version with five servers that is able to serve three times as much DNS traffic. This version is basically a Small DNS stack, but with just one 10 Gb port.
How does it work in practice? CZ.NIC manages the ISP DNS stack in terms of running the operating system and all services, including monitoring. The ISP is responsible for the purchase, operation and placement of the hardware on its own network, providing Internet connectivity including the necessary IP ranges, and the configuration of the BGP sessions. Together with the traffic requirements of the DNS node, we recommend a specific server model and a complete HW configuration. Of course, we encrypt the hard drives to prevent data leakage through physical access or during a disk replacement.
We provide a next-business-day (NBD) SLA for solving problems with the operating system and the DNS services. We regard this service as an additional service for the given ISP, so a node outage does not in any way imply an outage of DNS services: DNS requests are automatically routed to our DNS anycast servers instead. With regard to the above, we consider this model of support sufficient.
The first companies to host the ISP DNS stack were Seznam.cz and Vodafone. The number of DNS requests per second over the past month is shown in the attached chart.
In the following episodes you can look forward to our practical experience with the implementation of the first Large DNS stack in the Czech Republic.
Part 3: First Large Stack – Tender, Hardware Purchase and Logistics
Part 4: First Large Stack – Facility Preparation
Part 5: First Large Stack – Installation, Testing, and Deployment
Part 6: First Large Stack – Conclusion and Operation Experience