SoylentNews is people

posted by CoolHand on Saturday March 03 2018, @02:56PM
from the mandating-diversity dept.

Arthur T Knackerbracket has found the following story:

The world's top eight DNS providers now control 59 per cent of name resolution for the biggest Websites - and that puts the Web at risk, according to a group of Harvard University researchers.

The group was led by Harvard's Shane Greenstein, and warned that since 2011, the "entropy" of the DNS (referring to how widely distributed it is) has fallen, becoming concentrated in "a small number of dominant cloud services companies".

That state of affairs, the group's research paper (PDF) argued, creates fragility if attackers find a weakness in those DNS services.

[...] For the namespaces they measured, the team found the top eight providers grew their market share from 24 per cent to 59 per cent from 2011 to 2017, and the top four went from 17 per cent to nearly 50 per cent.

[...] The other trend they found was that unsurprisingly, in a world awash with easy-to-use cloud services, external DNS hosting has overtaken in-house DNS servers.

For companies worried that this might leave them open to a Mirai-style botnet taking out their DNS provider, the solution is simple, the paper said.

Organisations should diversify their pool of nameservers by taking DNS management services from multiple providers, the paper said. Compared to the costs of a day's downtime, this is "a comparatively costless and therefore puzzlingly rare decision".
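The paper's recommendation can be turned into a routine check. The audit below is an added example, not code from the article or the paper: it takes a zone's authoritative nameservers with their addresses (constructed sample data here, standing in for the output of an NS lookup) and reports whether they are spread across more than one operator and more than one network, approximating the operator by the last two labels of the nameserver hostname.

```python
"""Audit provider and network diversity of a zone's authoritative nameservers.
Added example; input is constructed, not a real zone's records."""
from collections import defaultdict
import ipaddress

# Constructed sample data: NS hostname -> IPv4 address (documentation ranges).
SINGLE_PROVIDER = {
    "ns1.dns-alpha.example": "198.51.100.10",
    "ns2.dns-alpha.example": "198.51.100.11",
}
MULTI_PROVIDER = {
    "ns1.dns-alpha.example": "198.51.100.10",
    "ns2.dns-alpha.example": "203.0.113.20",
    "ns1.dns-beta.example": "192.0.2.30",
    "ns2.dns-beta.example": "192.0.2.31",
}

def provider_of(ns_host: str) -> str:
    """Approximate the operator by the last two labels of the NS hostname.
    Simplification: a real audit would use the public suffix list or ASN data."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def network_of(ip: str, prefix: int = 24) -> str:
    """Collapse an address to its /24 so servers on one link group together."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def audit(nameservers: dict, min_providers: int = 2, min_networks: int = 2) -> dict:
    """Group nameservers by operator and network and list diversity findings."""
    by_provider = defaultdict(list)
    by_network = defaultdict(list)
    for host, ip in nameservers.items():
        by_provider[provider_of(host)].append(host)
        by_network[network_of(ip)].append(host)
    findings = []
    if len(nameservers) < 2:
        findings.append("fewer than two authoritative nameservers")
    if len(by_provider) < min_providers:
        findings.append(f"all nameservers run by {len(by_provider)} provider(s): "
                        + ", ".join(sorted(by_provider)))
    if len(by_network) < min_networks:
        findings.append(f"nameservers share {len(by_network)} /24 network(s): "
                        + ", ".join(sorted(by_network)))
    return {"providers": dict(by_provider), "networks": dict(by_network),
            "findings": findings, "diverse": not findings}

if __name__ == "__main__":
    for name, zone in (("single", SINGLE_PROVIDER), ("multi", MULTI_PROVIDER)):
        print(name, audit(zone)["findings"] or "diverse")
```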


Original Submission

  • (Score: 3, Interesting) by NotSanguine on Sunday March 04 2018, @12:57AM (5 children)

    There are a number of reasons for this consolidation:

    1. Many folks with domains don't have the technical expertise to manage their own DNS servers;
    2. Other folks don't have the geographically distributed internet links to support *resilient* authoritative name resolution;
    3. Still others have outsourced their network connectivity/Internet presence to third-parties who, to save money, don't have their own infrastructures.

    Case in point: At my last job, we used one of our ISPs to host our authoritative primary *external* DNS and used a couple of other ISPs to host authoritative secondaries for us. That worked okay, except the ISP hosting our authoritative primary DNS zones didn't perform updates often (~24-48 hours) and required us to file change requests rather than give us access to our zones.

    We decided that was unacceptable (which it was, and I'd bitched about it for a while too -- especially since it was part of my job) and it was decided to move the authoritative primary DNS to one of our registrars who provided DNS services, while keeping our other authoritative secondaries.

    I vehemently argued against this, as it was simple enough for us (read: me) to maintain primary DNS servers onsite (we had multiple sites on multiple continents) and still configure it so that the authoritative secondaries were responding to all the query traffic. Given that the organization was not an ISP and did not provide hosting for other domains, external DNS changes were relatively infrequent.

    I was overruled and told that the organization didn't want to host DNS internally. Which also (eventually) became true for our Internet-facing web presence, except for some DropBox-style sharing platforms (we exchanged a lot of confidential data with our clients).

    On a personal note, I run my own primary authoritative DNS for the multiple domains which I own. I used to use my ISP's DNS servers as secondaries (this was a free service for their customers), but when my ISP was gobbled up by a larger one, they killed that off (along with shell access to an external server and a bunch of other customer-friendly services), forcing me to move secondary name resolution to a couple of different (free) DNS hosting providers.

    TL;DR: Hosting authoritative DNS *should* be geographically distributed. However, doing so is often a problem for individuals and organizations with an internet presence, either because they don't have geographically distributed locations, or they don't have the infrastructure/technical knowledge to support them.

    As long as we maintain this producer/consumer model for the Internet (which was never its purpose), we're going to continue seeing such consolidation and reductions in choice and flexibility. And that's a shame, IMHO.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 1, Interesting) by Anonymous Coward on Sunday March 04 2018, @07:47AM (4 children)

    by Anonymous Coward on Sunday March 04 2018, @07:47AM (#647546)

    I think the top 3 should include residential server persecution. If ordinary 'internet' users were free to download FOSS bind or alternatives and operate their own DNS servers, without being in violation of their internet service provider's contract and terms of service, then we would see an exponential increase in the number of DNS servers. Anyone who doesn't see this bit of longstanding network non-neutrality as one of the top reasons for the current lack of DNS diversity isn't being intellectually honest. It's pretty simple.

    • (Score: 2) by maxwell demon on Sunday March 04 2018, @09:47AM (3 children)

      by maxwell demon (1608) on Sunday March 04 2018, @09:47AM (#647565) Journal

      Anyone who doesn't see this bit of longstanding network non-neutrality as one of the top reasons for the current lack of DNS diversity isn't being intellectually honest. It's pretty simple.

      So anyone who isn't well-informed is automatically intellectually dishonest?

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Sunday March 04 2018, @09:55AM (2 children)

        by Anonymous Coward on Sunday March 04 2018, @09:55AM (#647569)

        I don't understand the DNS system well enough to comment on the AC's point, but IF he is correct, then anyone who argues against him is either knowledgeable enough that they are intellectually dishonest for disagreeing, or intellectually dishonest enough to argue on a subject they are uninformed about.

        • (Score: 2) by maxwell demon on Sunday March 04 2018, @11:49AM

          by maxwell demon (1608) on Sunday March 04 2018, @11:49AM (#647587) Journal

          Just because you are uninformed does not mean you know that you are uninformed. That is, you may think you know enough about a subject because you don't know how much you don't know.

          --
          The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by NotSanguine on Sunday March 04 2018, @12:38PM

          I don't understand the DNS system well enough to comment on the AC's point, but IF he is correct, then anyone who argues against him is either knowledgeable enough that they are intellectually dishonest for disagreeing, or intellectually dishonest enough to argue on a subject they are uninformed about.

          I do understand DNS well enough to comment on both AC's and Maxwell Demon's points.

          I'd say that the AC was being somewhat hyperbolic, although abusive TOS by ISPs really chaps my ass too. Running a DNS *server* on the Internet isn't really necessary unless you have network resources that you wish to share with the world. Given those selfsame abusive TOS' (not to mention dynamic, and sometimes even RFC 1918 [ietf.org]-style, IP addressing forced on users by ISPs) that restrict much more than just DNS servers, I'm not sure what resources they might be able to share, and as such, why someone would need a DNS server.

          Maxwell demon makes a valid point. It's ridiculous to expect someone who doesn't understand DNS, let alone have need for a DNS zone [wikipedia.org] to have any sort of informed opinion about that.

          That said, if I ignore the "intellectual dishonesty" portion of AC's comment as hyperbole, I mostly agree with his assessment. Where I disagree is that if one needs to publish a DNS zone, a single server on a single residential network link is insufficient.

          Even if all the network resources referenced in such a zone are hosted on systems attached to the Internet only through that same link, not having multiple, preferably geographically distributed, authoritative DNS servers can still cause significant name resolution problems after a link outage, due to timeouts on caching DNS servers around the 'net.

          The reality is a bit more complex than the above, but the above covers most of the salient points, IMHO.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr