Google Public DNS
A month ago, Google announced the release of Google Public DNS, a free DNS (Domain Name System) resolution service. DNS translates human-friendly computer names into IP addresses: when a user types the name of a website, the name servers convert that name into an IP address, and your machine uses this address to send its requests. A DNS network contains a set of servers that maintain a cache of domain name to IP address mappings. Usually these name servers are run by your Internet Service Provider (ISP). With the Public DNS service, Google wants to provide an alternative to your ISP's service. Public DNS leverages the existing infrastructure of Google's search engine, whose crawlers scan millions of websites; the DNS information cached by these web crawlers is reused by Public DNS. A company named OpenDNS already offers a similar, popular DNS resolution service.
These DNS services claim to be faster (by caching the relevant DNS information and hence speeding up page retrieval) and safer (by preventing spoofing and denial of service (DoS) attacks) than your ISP's resolvers.
Delay in loading a web page can be caused by factors such as the geographical distance between the client and the resolving servers (which results in a longer round-trip time, or in packet loss due to network congestion), cache misses (the resolving server has no information about the requested domain name and must recursively query other servers to obtain it), and heavy load on the resolving servers, whether from under-provisioning or from denial of service attacks (deliberate overloading of servers by malicious users to deny service to genuine users). Public DNS claims to mitigate these delays with the following approaches:
1. Adequate provisioning of servers to handle both genuine requests and denial of service attacks.
2. DNS lookups are usually load balanced across several resolving servers. If the servers are over-provisioned (as described in point 1, over-provisioning is necessary to withstand DoS attacks) and the load balancer picks a server at random, different servers end up holding entirely different sets of cached information (a fragmented cache). This results in a high percentage of cache misses and hence increased traffic between the servers, especially for popular domain names (remember that whenever a server cannot find the requested information in its cache, it has to query other servers). Public DNS handles this problem by splitting its servers into two categories. One category uses a global cache containing popular domain names (e.g. google.com). Since popular names are requested frequently, this global cache stays fresh at all times, resulting in quicker resolution. The other category uses a local cache (each server maintains its own), which holds the less popular domain names. Since these names are requested infrequently, cache misses for them do not cause a large increase in network traffic. To serve these less popular names as efficiently as popular ones, Public DNS optimizes resolution by always forwarding requests for a given domain name to the same server. For example, requests for www.indya.com always go to server A, and requests for www.sify.com always go to server B. So if a user requests www.indya.com repeatedly, the information cached at server A results in quicker resolution.
3. To ensure faster resolution of domain names, Public DNS pre-fetches and periodically refreshes names regardless of whether a user has requested them. This is implemented with an offline component that periodically selects and ranks domain names by factors such as popularity and hit rate (the number of times a name is requested), and a runtime component that resolves these pre-fetched names and refreshes them based on their time-to-live (TTL) values. This ensures that frequently requested domain names are served quickly, even if they are not universally popular names like www.google.com.
4. Google hosts Public DNS in its data centers across the world and routes requests to the geographically closest site (e.g. google.co.in for requests from India), resulting in a faster browsing experience.
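As an added illustration of point 2 above (this is example code written for this post, not Google's implementation; the workload, the eight-server pool and the hash-based dispatch are assumptions), the following Python simulates a pool of resolving servers with one global cache for popular names and a local cache on each server for the rest, and counts how many lookups have to go upstream when the load balancer picks a server at random versus when it hashes the name so that every request for a name lands on the same server:

```python
import hashlib
import random

# Constructed workload for the demo (not real traffic): two very popular
# names and a long tail of forty less popular ones.
POPULAR = {"google.com", "youtube.com"}
LONG_TAIL = [f"site{i}.example" for i in range(40)]


def sample_queries(n, seed=1):
    """Half the queries go to popular names, half to the long tail."""
    rng = random.Random(seed)
    popular = sorted(POPULAR)
    return [rng.choice(popular) if rng.random() < 0.5 else rng.choice(LONG_TAIL)
            for _ in range(n)]


class ResolverPool:
    """A pool of resolving servers behind a load balancer.

    Popular names live in one global cache shared by every server; every
    other name is cached locally on whichever server handled it.  With
    affinity=True the balancer hashes the name so the same name always lands
    on the same server; with affinity=False it picks a server at random.
    """

    def __init__(self, n_servers, affinity):
        self.n = n_servers
        self.affinity = affinity
        self.global_cache = set()
        self.local_caches = [set() for _ in range(n_servers)]
        self.upstream_queries = 0          # cache misses that went to the network
        self.rng = random.Random(0)

    def pick_server(self, name):
        if self.affinity:
            digest = hashlib.sha256(name.encode()).digest()
            return int.from_bytes(digest[:4], "big") % self.n
        return self.rng.randrange(self.n)

    def resolve(self, name):
        """Return which cache served the name, counting misses as upstream queries."""
        name = name.lower()
        if name in POPULAR:
            if name not in self.global_cache:
                self.upstream_queries += 1
                self.global_cache.add(name)
            return "global"
        cache = self.local_caches[self.pick_server(name)]
        if name not in cache:
            self.upstream_queries += 1
            cache.add(name)
        return "local"


def upstream_load(n_servers, affinity, n_queries=2000):
    """Number of upstream lookups a pool needs to serve the sample workload."""
    pool = ResolverPool(n_servers, affinity)
    for name in sample_queries(n_queries):
        pool.resolve(name)
    return pool.upstream_queries


if __name__ == "__main__":
    print("random dispatch:", upstream_load(8, affinity=False))
    print("name affinity:  ", upstream_load(8, affinity=True))
```

With eight servers and random dispatch, each long-tail name is fetched up to eight times (once per server that happens to receive it); with name affinity every name is fetched exactly once, the same number of upstream lookups a single server would need, so the pool gains capacity without fragmenting its cache.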
Another consideration for a DNS service is security. DNS servers can become targets of spoofing (redirecting users to malicious sites) and denial of service (DoS) attacks. Public DNS has implemented the following approaches to counter these threats:
1. To prevent DoS attacks:
a. Public DNS enforces rate control on the amount of traffic that can be directed to other name servers, so attackers cannot use it to flood name servers with a high volume of malicious traffic. Rate control is also enforced on the responses that are sent back.
b. To prevent amplification attacks (which exploit the high response-to-request ratio of name servers: attackers can inject large responses into a name server's cache and then have it flood the network with traffic), response traffic is limited by applying a "maximum average amplification factor" to each client IP.
If requests or responses exceed any of the above parameters, an error is returned; in some cases no response is sent at all.
2. To prevent cache poisoning, basic validity checks are enforced, such as rejecting malformed responses or responses that do not match the attributes of the request (e.g. source IP, port).
3. To make it difficult for attackers to predict and match the combination of name server, port and query name, these attributes are randomized. For example, requests are sent out on different port numbers and to different name servers (not always the nearest one) to add unpredictability. The letter case of the queried domain name is also varied (e.g. wwW.gooGLE.com or WwW.gOoGlE.cOm) to prevent forged responses.
4. To prevent attackers from injecting multiple duplicate requests for the same name resolution, Public DNS does not allow more than one outstanding request with the same query attributes (port number, destination IP).
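The rate and amplification controls in item 1 of the list above can be sketched as follows. This is added example code, not Google's, and the numbers (1 query per second sustained, a burst of 5, a maximum average amplification of 20, a 60-second window, the request and response sizes, the client addresses) are assumptions chosen for the demonstration: a per-client token bucket drops queries that exceed the rate, and a per-client running ratio of bytes sent to bytes received turns a query into a small error reply whenever a full answer would push the average amplification over the cap.

```python
from collections import defaultdict


class ClientLimiter:
    """Per-client-IP limits a resolver applies before sending a reply.

    Two controls are combined: a token bucket on the query rate, and a cap on
    the average amplification factor (response bytes divided by request bytes)
    measured over a window.  Queries over the rate are dropped; queries that
    would push the average amplification over the cap get a small error reply
    instead of the full answer.
    """

    def __init__(self, qps, burst, max_amplification, window_s=60.0):
        self.qps = qps
        self.burst = burst
        self.max_amp = max_amplification
        self.window = window_s
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}
        self.win_start = {}
        self.in_bytes = defaultdict(int)
        self.out_bytes = defaultdict(int)

    def _refill(self, ip, now):
        prev = self.last_seen.get(ip, now)
        self.tokens[ip] = min(self.burst, self.tokens[ip] + (now - prev) * self.qps)
        self.last_seen[ip] = now

    def _roll_window(self, ip, now):
        start = self.win_start.get(ip)
        if start is None or now - start >= self.window:
            self.win_start[ip] = now
            self.in_bytes[ip] = 0
            self.out_bytes[ip] = 0

    def decide(self, ip, request_len, response_len, now):
        """Return 'answer', 'refuse' (small error reply) or 'drop' (no reply)."""
        self._refill(ip, now)
        self._roll_window(ip, now)
        if self.tokens[ip] < 1:
            return "drop"
        self.tokens[ip] -= 1
        self.in_bytes[ip] += request_len
        projected = (self.out_bytes[ip] + response_len) / self.in_bytes[ip]
        if projected > self.max_amp:
            # Assumption: an error reply is about as large as the request.
            self.out_bytes[ip] += request_len
            return "refuse"
        self.out_bytes[ip] += response_len
        return "answer"


def simulate(limiter, ip, n_queries, request_len, response_len, interval):
    """Feed n queries from one client and count each decision."""
    counts = {"answer": 0, "refuse": 0, "drop": 0}
    now = 0
    for _ in range(n_queries):
        counts[limiter.decide(ip, request_len, response_len, now)] += 1
        now += interval
    return counts


def demo():
    """Three constructed clients: a normal one, a burst, and an amplifier."""
    lim = ClientLimiter(qps=1, burst=5, max_amplification=20)
    # Sizes are illustrative; addresses come from a documentation range.  The
    # amplifier's queries draw 3000-byte answers for 40-byte requests (75x).
    return {
        "normal": simulate(lim, "198.51.100.1", 20, 60, 120, interval=1),
        "burst": simulate(lim, "198.51.100.2", 20, 60, 120, interval=0),
        "amplifier": simulate(lim, "198.51.100.3", 50, 40, 3000, interval=1),
    }


if __name__ == "__main__":
    for label, counts in demo().items():
        print(f"{label:10s} {counts}")
```

In the amplifier scenario the limiter answers only 12 of 50 queries and refuses the other 38, which keeps that client's average at under 19 bytes out per byte in rather than the 75 the full answers alone would produce; the burst scenario shows the token bucket dropping everything after the first five queries that arrive at the same instant.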
If you want to try out Public DNS, follow the instructions at: http://code.google.com/speed/public-dns/docs/using.html
To try out the free basic version of OpenDNS, see http://www.opendns.com/start/.
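Items 2 to 4 of the security list above describe checks a resolver makes on its own side when an answer arrives. The following Python is an added example, not Google's code (the upstream addresses are from a documentation range, and the port, transaction id and case randomization are simplified): it records each query it sends, randomizes the server, source port, transaction id and letter case of the question, refuses a second in-flight query for the same name, and accepts a response only when every recorded attribute matches.

```python
import random


class OutstandingQueries:
    """Resolver-side bookkeeping for queries sent to upstream name servers.

    On send, the server, source port, transaction id and the letter case of
    the question name are all randomized, and a second query for a name that
    is already in flight is refused.  On receive, a response is accepted only
    if it comes from the server that was asked, to the port that was used,
    with the same transaction id and the exact same mixed-case question name.
    """

    def __init__(self, upstreams, rng=None):
        self.upstreams = list(upstreams)
        self.rng = rng if rng is not None else random.SystemRandom()
        self.pending = {}      # lowercase name -> record of what was sent

    def randomize_case(self, qname):
        """Flip each letter to upper or lower case at random (the '0x20' trick)."""
        return "".join(
            (c.upper() if self.rng.getrandbits(1) else c.lower()) if c.isalpha() else c
            for c in qname)

    def send(self, qname):
        """Record an outgoing query; return None if one for this name is pending."""
        key = qname.lower()
        if key in self.pending:
            return None
        record = {
            "server": self.rng.choice(self.upstreams),
            "port": self.rng.randint(1024, 65535),
            "txid": self.rng.getrandbits(16),
            "qname": self.randomize_case(qname),
        }
        self.pending[key] = record
        return record

    def validate(self, response):
        """Check a response against the pending query it claims to answer."""
        key = response["qname"].lower()
        record = self.pending.get(key)
        if record is None:
            return False, "no query outstanding for this name"
        if response["src_ip"] != record["server"]:
            return False, "sent by a server we did not ask"
        if response["dst_port"] != record["port"]:
            return False, "addressed to the wrong port"
        if response["txid"] != record["txid"]:
            return False, "transaction id mismatch"
        if response["qname"] != record["qname"]:
            return False, "question name case does not match"
        del self.pending[key]
        return True, "accepted"


def demo(seed=7):
    """Exercise the checks with one genuine reply and several forged ones."""
    # Constructed upstream addresses (documentation range), not real servers.
    oq = OutstandingQueries(["192.0.2.10", "192.0.2.11", "192.0.2.12"],
                            rng=random.Random(seed))
    sent = oq.send("www.google.com")
    duplicate = oq.send("WWW.Google.com")      # same name, still in flight
    genuine = {"src_ip": sent["server"], "dst_port": sent["port"],
               "txid": sent["txid"], "qname": sent["qname"]}
    other_server = next(s for s in oq.upstreams if s != sent["server"])
    forged = {
        "wrong_server": dict(genuine, src_ip=other_server),
        "wrong_port": dict(genuine, dst_port=sent["port"] ^ 1),
        "wrong_txid": dict(genuine, txid=sent["txid"] ^ 1),
        "wrong_case": dict(genuine, qname=sent["qname"].swapcase()),
    }
    results = {"duplicate_refused": duplicate is None}
    for label, response in forged.items():
        results[label] = oq.validate(response)[0]
    results["genuine"] = oq.validate(genuine)[0]
    results["replay"] = oq.validate(genuine)[0]   # already consumed
    return results


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label:18s} {accepted}")
```

Each forged reply fails a different check even though it reuses everything else from the genuine one, and the genuine reply is accepted exactly once: a second copy after the pending record has been consumed is rejected, which is what limiting each name to one outstanding query buys the resolver.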