DO

MA

INS

(and

the

Dom

ain

Nam

e Sy

stem

)

Why are we looking at this

The DNS is as old as WWW so why do we need to learn about it?

Because of this

Because of this

And because of thisSource: Arbor Networks Digital Attack Map (digitalattackmap.com)

First

A stark reality

94% of

Higher education websites

are

exposed to DNS outages

100% are candidates for DNS hijacking

WHO IS CIRA?

• The Canadian Internet Registration Authority (CIRA) manages a 100% up time service - the .CA domain name registry for over 2.4 million domains

• Provide DNS for .CA, answering 3 billion DNS queries per month

• CIRA is a non-profit member-driven organization of 75 employees and an elected 12-person board

• CIRA supports the growth of a strong and reliable Internet for all Canadians by investing in Internet projects, and helping to represent Canadian Internet interests around the world

The organization responsible for a critical part of the Internet infrastructure, is expanding its services to help organizations secure their DNS systems in Canada

In short

Manage the .CA domain

Provide infrastructure and services

Do good things for the Internet

Agenda

• Best practices for protecting your domain name

• Best practices for protecting your domain’s DNS

• What is happening with new gTLDs (and why it matters to your domain)

DomainName Protection

Owning a domain requires good parenting skills

Domain Hijacking

• Domain hijacking could be the act of a hacker using social engineering to trick the technical support workers at a registrar (like GoDaddy, Webnames, Domains at Cost, etc.) into making critical changes to the DNS.

• OR…It can be done by the malicious act of someone within your organization

It looks like this…

…or this

Recent Domain Name Hijackings

• The dancing banana appeared on the City of Ottawa website (apparently) in response to the arrest of a person who had been arrested for SWATting and other nuisance cyber crimes

• The smoking lizard appeared on Air Malaysia’s website just as it was trying to recover from two high profile crashes.

What is common with these? They are not traditional targets. They aren’t Microsoft, they aren’t e-commerce sites and they aren’t banks.

The responsibility for locking the domain rests with the IT Administrator

• Domain locking is a manual process in a cloud world because it provides the highest level of protection

– Not an application – Not a vendor

• Highest security Lock Flag placed on your domain that prevents any changes. Turned on and off by CIRA (or other Registries).

Registry Lock

• When Registry Lock is applied to a domain name, no attributes of the domain are changeable and no transfer or deletion transactions can be processed against the domain name, with the exception of renewals. .CA, .com, and others all offer this service.

• If the Registrant wishes to make any changes to their domain, the Registrant must first work with their Registrar, who will in turn work with the .CA Registry. 

• The .CA Registry will respond to any lock and unlock requests in under one hour (typically under 5 mins), on a 24x7 basis, so accessing your .CA domain name is not an administrative burden.

Registrant Requests unlocking

RegistrarKey contacts use admin protocols to authenticate with

CIRA

CIRAUnlocks the domain for the proscribed

period of time

Four top tips for managing your domain

1. Conduct a good domain name audit

2. Know your Registrar(s)

3. Keep your .CA contact information current

4. Don't lose control: Renew your domain name

We learn a lot by managing a technical support desk. These tips are based on the hundreds of calls we field every day.

Good domain hygiene Oops!

Other Tips and Tricks

1. Don’t let a supplier register your domains

2. Select the right Registrant and Administrative Contacts  

3. Avoid free email services 

4. Password selection and storage 

5. Use security tools provided by your Registrar  

6. Whitelist the domain names for your service providers (eg GoDaddy)

These sound simple, they are important, and they cause problems to somebody every single day

BES

T PR

AC

TIC

ES

FOR

TH

E D

NS

(the

Ach

illes

hee

l of t

he In

tern

et)

What does the DNS mean to an Education IT Administrator

DNS

website

emailcourses

schedules

accountingmaintenance

E-learningAssignment submissions

conferences

Researcher profiles

Coop programs

Faculty microsites Satellite

campuses

EXTERNAL DNS IS VULNERABLE

• Failures – equipment, network, power etc.

• DDoS attacks – 10% of all attacks are directed at the DNS– DNS resources can be flooded in any type of attack

• High latency – global lookups, local DNS servers

Authoritative external DNS infrastructure is vulnerable to failures, attack and performance issues

DNS IS MISSION CRITICAL

• During a DNS outage websites, web applications, and email are down

• DNS outages result in brand damage and/or lost revenue– Losses range from hundreds to millions of dollars per hour– Damage to reputation is another cost

• DNS lookups contribute to website performance– 40% of people abandon a website after only 3 seconds– Amazon calculated that a 1 second increase in page load time would

result in $1.6 billion in lost revenue per year– Google calculated 400ms delay in returning search results would

result in 8 million less searches per day

DNS is a mission critical service that requires 100% uptime and low latency

STRENGTHEN DNS WITH ANYCASTUnicast – Traditional DNS deployments• Nameservers are

implemented on single nodes, each with a unique IP address

Anycast – Adding resiliency to your DNS• Nameservers are

implemented on a multiple geographically distributed nodes that share a single IP address

• Layer 3 routing sends packets to the geographically nearest nameserver

• Built in redundancy, failover and load distribution

UNICAST

ANYCAST

CHALLENGES WITH ANYCAST

Anycast is expensive to setup and operate

• High capital expense, high operating expense, complex to manage

• Commercial offerings are available as a service

• CIRA saw that no commercial organizations were providing a solution for Canada’s Internet

A GLOBAL ANYCAST DNS SERVICE THAT PUTS CANADA AND CANADIAN TRAFFIC FIRST

Location Cloud

Miami, FL 1Los Angeles, CA 1London, UK 1Hong Kong, CN 1Calgary, AB 1Montreal, QC 1Toronto, ON 1Winnipeg, MB 1

Location Cloud

Vancouver, BC 2Montreal, QC 2Toronto, ON 2Halifax 2

University Customer Example

1000 Queries Per Minute40M Queries Per Month

60% Canadian20% US20% Europe

Summary on Anycast DNS

• If you aren’t currently using anycast, then it is worth an investigation

• CIRA delivers an anycast solution called D-Zone that several Canadian universities have added to their infrastructure

• We are on the show floor and interested in getting every institution in this room on board – it takes less than ten minutes to set up and if it saves one outage, “the service pays for itself many times over”

In summary

• Follow-the tips and tricks to avoid administrative headaches and mitigate the risk of bad actors bringing down your applications or embarrassing your institution

• Unicast is old. Get an anycast DNS solution to improve the performance, resilience, and DDoS protection for your site

Protecting your domains and websites requires the consistent application of best practices – like parenting

D-ZONE Anycast DNS

• Contact Mark Gaudet or Shawn Beaton for more information on participating in an enterprise trial of D-Zone Anycast DNS.

Mark GaudetManager, Business Development Canadian Internet Registration Authority ( CIRA )Tel: (613) 237-5335 x 223Cell: (613)-799-5789 www.cira.ca

CIRA is inviting CANHEIT participants to evaluate D-Zone

Sign up today and receive wireless Bluetooth headphones.(no commitment)