December 10, 2013

What Causes DNS Outages?

Ever gone to a website and gotten an error like “Server not found” or “Could not resolve host”?

That error means the name lookup failed: no name server answered for the domain, so your browser never got an IP address to connect to. The domain’s DNS host could be suffering an outage or a network error, it could simply be unreliable, a network admin could have accidentally deleted a record… or the name servers could be under a DDoS attack.

In that last case, what’s happening is that incoming traffic is so heavy the name servers slow to a crawl. In some cases the site is knocked completely offline, because nobody can look up its address.

Often it’s the result of a DDoS attack (distributed denial of service attack): an attempt to make a host connected to the Internet unavailable by flooding it with traffic from many sources at once. It’s a mouthful, so let’s break it down with a relatable example. Think of the connections between the Internet and your site like highways.

Say your site is connected to the World Wide Web via a two-lane highway. Now what if your site goes viral and millions of people come speeding toward it? The more popular you get, the more eyeballs you have on your site, and that attracts both potential customers and attackers. A DDoS attack sends floods of traffic at your site from many different computers at once (typically a botnet, often with forged source addresses on top). That makes the attack harder to identify, because at first glance it can look like a crowd of normal visitors.

If you think of it like a highway, a DDoS attack mimics rush hour and inevitably brings your site to gridlock. These attacks are orchestrated floods of packets (which you’ll remember from earlier are like the queries you send to a DNS server to look up a website’s IP address).

Your site’s name servers can only handle a finite number of DNS requests, measured in queries or packets per second (PPS), before they start dropping queries. A DNS hosting provider like DNS Made Easy addresses this by setting up hundreds of name servers worldwide on an Anycast network: the same name-server IP address is announced from every location, so each query is routed to the nearest one. It’s like having a major interstate highway system that consists of many different highway networks spread across a large area.

DNS Made Easy’s Anycast + network serves DNS traffic across hundreds of name servers, so a flood is split across many sites instead of landing on one, and the network can absorb far more requests than an in-house network (also known as a Unicast network, because each name-server address lives at a single location).

There are many ways to defend against DDoS attacks, but some of them are very costly and not practical for small businesses. Some enterprise organizations run in-house DNS infrastructure (unicast networks), but these can cost thousands to set up and even more to maintain, not to mention the expensive firewalls needed to protect the servers.

What these in-house DNS operators often don’t realize is that no matter how big the firewall is, if the links carrying traffic into their network aren’t large enough, it’s game over: the attack fills the pipe before anything behind it gets a chance to filter.

[Image: DDoS Attack]

Back to our highway analogy: if they don’t add lanes to their highway, it doesn’t matter how many shields they have up to fend off attackers. The attack saturates the link before the packets even reach the firewalls. And even when the traffic does reach the firewalls, DDoS attackers are notorious for getting through them, because each packet is a tiny, well-formed query that looks exactly like a legitimate lookup. Nothing about any single packet raises a red flag; only the rate does.
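To make the three points above concrete (a name server has a finite PPS budget, anycast splits a flood across sites while unicast concentrates it on one, and each flood packet is tiny and well-formed), here is an added example in Python. It is not code from the original post or from DNS Made Easy; the log lines, IP prefixes, site names, the 50,000 PPS per-server capacity and the prefix-to-site routing table are all constructed for illustration.

```python
"""Added example, not code from the original post or from DNS Made Easy.

Measures a DNS query flood in packets per second (PPS) from a constructed
query log, then compares the per-site load when every packet lands on one
unicast server versus when anycast routes each source to its nearest site.
It also builds a minimal DNS query to show how small one flood packet is.
All IPs, sites, prefixes and capacities below are assumptions."""
import ipaddress
import struct
from collections import defaultdict

# Constructed log: "<epoch_second> <source_ip> <qname> <packets>"
# (one line per source per second, packets already counted).
SAMPLE_LOG = """\
1386633600 203.0.113.10 www.example.com 300
1386633600 198.51.100.7 www.example.com 250
1386633600 192.0.2.55 www.example.com 200
1386633601 203.0.113.10 example.com 30000
1386633601 198.51.100.7 example.com 28000
1386633601 192.0.2.55 example.com 35000
1386633601 192.0.2.56 example.com 10000
"""

# Hypothetical routing table: the anycast site "closest" to each prefix.
REGION_OF = {
    ipaddress.ip_network("203.0.113.0/24"): "ns-ny",
    ipaddress.ip_network("198.51.100.0/24"): "ns-ams",
    ipaddress.ip_network("192.0.2.0/24"): "ns-sg",
}
SITE_CAPACITY_PPS = 50_000   # assumed per-server limit before queries drop


def parse_log(text):
    """Return (second, source_ip, qname, packets) tuples from the log."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sec, src, qname, pkts = line.split()
        rows.append((int(sec), src, qname, int(pkts)))
    return rows


def anycast_route(src):
    """Anycast: routing delivers the packet to the nearest site for its prefix."""
    addr = ipaddress.ip_address(src)
    for net, site in REGION_OF.items():
        if addr in net:
            return site
    return "ns-ny"          # default site for unknown prefixes (assumption)


def unicast_route(src):
    """Unicast: there is one server, so every packet lands on it."""
    return "ns-ny"


def per_site_pps(rows, route):
    """Aggregate packets per second per site under a routing function."""
    load = defaultdict(int)
    for sec, src, _qname, pkts in rows:
        load[(sec, route(src))] += pkts
    return dict(load)


def overloaded(load, capacity=SITE_CAPACITY_PPS):
    """Return the (second, site) pairs whose PPS exceeds the site's capacity."""
    return sorted(k for k, pps in load.items() if pps > capacity)


def dns_query_wire_bytes(qname, qtype=1):
    """Build a minimal DNS query (header + one question, no EDNS) and return
    its UDP payload length: this is the whole of one flood packet."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return len(header + question)


def pps_to_fill_link(link_bps, payload_bytes):
    """Packets of this size per second that saturate a link, counting the
    14-byte Ethernet, 20-byte IPv4 and 8-byte UDP headers around the payload."""
    return link_bps // 8 // (payload_bytes + 42)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("unicast overloaded:", overloaded(per_site_pps(rows, unicast_route)))
    print("anycast overloaded:", overloaded(per_site_pps(rows, anycast_route)))
    size = dns_query_wire_bytes("example.com")
    print(f"one A query is {size} bytes of payload; "
          f"{pps_to_fill_link(100_000_000, size):,} pps fills a 100 Mbit/s link")
```

In the second log second the same 103,000 queries overload the single unicast server but stay under capacity at every anycast site, because each source is absorbed by the site nearest to it. The caveat is built into the routing: a flood whose sources all sit in one region still lands on one site, so anycast spreads load by geography, not by magic. The 29-byte query is also a reminder of why a firewall has little to inspect; the only useful signal is the rate, which is what `overloaded` checks.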

Our engineers have put together a much longer list of ways to prepare, based on years of fighting DDoS attacks that we mitigate on a weekly (sometimes daily) basis. See what they have to say about protecting your domains, from in-house implementations to outsourcing all of your networking needs to a cloud-friendly DNS provider. It’s all in a white paper you can read for free. Read it here.