DDoS Attacks Archives - ClouDNS Blog
https://www.cloudns.net/blog/tag/ddos-attacks/
Articles about DNS Hosting and Cloud Technologies. Last updated Wed, 06 Nov 2024 11:24:00 +0000

DDoS attacks and how to protect ourselves
https://www.cloudns.net/blog/ddos-attack-protection/
Published Wed, 06 Nov 2024 11:23:59 +0000

DDoS attacks are widespread threats on the Internet. With the continually increasing number of connected devices and new, innovative ways of hacking them, we can’t just sit and wait to get hit. We should implement a robust DNS infrastructure and choose a trusted DNS provider that offers DDoS attack protection, to stay safe and avoid downtime of our services.
But to be protected, we must know the danger!

What is a DDoS attack?

DDoS stands for Distributed Denial-of-Service. A DDoS attack is a cyber-attack that aims to disrupt normal traffic and make the target (a website, server, or network) unavailable to regular users. There are a few different types, but in general, a DDoS attack is an attempt to overwhelm the target (a computer, a few connected computers, or a whole DNS network) with high traffic from multiple sources.

Cybercriminals can generate this wave of traffic by:

  • Using a network of pre-infected devices (computers, mobiles, IoT devices, etc.) called a botnet
  • Running an amplification attack, which uses other servers to resend traffic to the target after significantly increasing the size of the packets
  • Occupying the existing connections so that no new ones can be opened
  • Exploiting weaknesses of a protocol, such as UDP

There are many DDoS threats, which is why you want a DDoS defense too. DDoS attack protection can keep your business safe and notify you of problems.

How does it work?

There are different types of DDoS attacks (volume-based attacks, protocol-based attacks, and application-layer attacks), but in general, they all have the same stages:

  1. Preparation of the attack. At this stage, the cybercriminals build a botnet (a network of infected devices) that they will later use for attacks. For example, they can bypass the security of IoT devices, or send phishing emails to users, whose devices get infected with malicious code when the emails are opened.
  2. Launching the attack. Now it is time to use the botnet: a victim is chosen and traffic is sent towards the targeted server. The reasons for attacks differ, but the goal is to saturate the target with traffic and take it out of service.
  3. Success of the attack. After a while, if the target has no DDoS attack protection, or it is not strong enough, it will no longer be able to function correctly. There is a limit to how many active connections a server can handle, even a very powerful one. It will start to deny service and stop working. Normal users will not be able to use the server until the traffic drops again and the server can resume responding to normal queries.
  4. Final result. The bad actors may have pursued different goals, and now they get their reward. It could be money or just the satisfaction of a successful attack.

Signs of DDoS attacks 

DDoS attacks are extremely harmful and can lead to large reputational and financial losses. That is why it is crucial to stay alert and watch for the early signs of an attack. Each DDoS attack type has its own characteristics, but in general, what you can expect during an attack is:

  • Strange traffic coming from one IP address, or from various but similar IP addresses (the same address range).
  • Traffic coming from devices with a similar profile (device type, OS, etc.) and with the same patterns.
  • Out-of-the-ordinary traffic spikes, such as a huge spike in the middle of the night for no apparent reason, or traffic that repeats at a fixed interval.
  • Traffic only to a single page, with no further exploration of your website.
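To make these signs concrete, here is an added example (not part of the original post) that scores the four heuristics above over constructed web-server access-log lines; the log format, addresses, User-Agent strings and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format line (assumed format), e.g.
# 203.0.113.4 - - [06/Nov/2024:03:03:07 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, interval_s=60, spike_factor=5.0, share=0.6):
    """Apply the four heuristics; return {sign: explanation} for those that fire."""
    recs = [r for r in map(parse_line, lines) if r]
    findings = {}
    if not recs:
        return findings
    total = len(recs)

    # Sign 1: one /24 range (or one address) producing most of the requests
    nets = Counter(".".join(r["ip"].split(".")[:3]) + ".0/24" for r in recs)
    top_net, n = nets.most_common(1)[0]
    if n / total >= share:
        findings["same_range"] = f"{top_net} sent {n}/{total} requests"

    # Sign 2: identical client profile (here: the User-Agent string)
    uas = Counter(r["ua"] for r in recs)
    top_ua, n = uas.most_common(1)[0]
    if n / total >= share:
        findings["same_profile"] = f'{n}/{total} requests share UA "{top_ua}"'

    # Sign 3: a burst far above the median per-interval request count
    buckets = Counter(int(r["ts"].timestamp()) // interval_s for r in recs)
    counts = sorted(buckets.values())
    median, peak = counts[len(counts) // 2], counts[-1]
    if len(counts) >= 3 and peak >= spike_factor * median:
        findings["spike"] = f"{peak} requests in one interval vs median {median}"

    # Sign 4: clients that hit exactly one path and never explore further
    paths = defaultdict(set)
    for r in recs:
        paths[r["ip"]].add(r["path"])
    single = sum(1 for p in paths.values() if len(p) == 1)
    if single / len(paths) >= share:
        findings["single_page"] = f"{single}/{len(paths)} clients requested one path only"
    return findings


def build_sample():
    """Constructed log: three ordinary visitors browsing for three minutes,
    then a 45-request burst in one minute from one /24, one UA, one page."""
    fmt = ('{ip} - - [06/Nov/2024:03:{m:02d}:{s:02d} +0000] '
           '"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')
    visitors = [("192.0.2.44", "Mozilla/5.0 (Macintosh) Safari/605.1"),
                ("198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"),
                ("172.16.5.9", "Mozilla/5.0 (X11; Linux) Chrome/117.0")]
    lines = []
    for m in range(3):
        for i, (ip, ua) in enumerate(visitors):
            for path in ("/", "/pricing", "/blog"):  # real users browse around
                lines.append(fmt.format(ip=ip, m=m, s=i * 10, path=path, ua=ua))
    for i in range(45):  # the flood: 20 addresses in 203.0.113.0/24, one script UA
        lines.append(fmt.format(ip=f"203.0.113.{i % 20 + 1}", m=3, s=i % 60,
                                path="/login", ua="python-requests/2.31"))
    return lines


if __name__ == "__main__":
    for sign, why in analyse(build_sample()).items():
        print(f"{sign}: {why}")
```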

DDoS vs. DoS 

Let’s first briefly define a Denial of Service (DoS) attack. In this type of online attack, a single maliciously controlled source is used to send large amounts of traffic to a target. The purpose is to saturate the system and make it crash, either by exhausting its technical resources (CPU, RAM, etc.) or by exploiting a specific vulnerability with crafted, harmful input. Service for users is then denied.


Now, let’s jump to the differences between DDoS vs. DoS attacks:

  • Sources of the attack. In DoS attacks, the perpetrator only needs one Internet-connected device (source) to flood its victim with forged requests or exploit a specific vulnerability in its software. DDoS attacks are executed from multiple sources: thousands, even millions of devices connected to the Internet.
  • Way of execution. Generally, DoS weapons are apps like Low Orbit Ion Cannon or homemade code. DDoS perpetrators use botnet armies, massive groups of malware-infected devices such as PCs, routers, mobiles, and Internet of Things (IoT) devices. The traffic a DDoS attack can produce is much heavier than what a DoS attack can generate.
  • Damage scope. Both attacks can be very aggressive. Still, modern technology makes it easier to defend against and even track the malicious source of a DoS attack, increasing the chances of identifying and defeating it; it is a one-to-one fight. During a DDoS attack, you are fighting against multiple devices, possibly located in different countries or continents, and you would have to track and stop all of them simultaneously. This is more like a war, and it demands far more time and resources from the victim to defend and try to stop the attack. Thus, the damage scope of a DDoS is wider than that of a DoS.

DDoS attack protection

There is a solution that can stop most DDoS attacks, even a strong attack involving heavy traffic, called DDoS Protection. It is an additional service on top of a regular managed DNS plan.

To successfully mitigate a DDoS attack, you need the following three elements:

  1. Active monitoring. You need a monitoring system that checks for signs of attack, such as increased traffic, suspicious traffic from particular IP addresses, and strange patterns of requests.
  2. Reactive service. It is one thing to see the danger, another to take action. A good DDoS protection service must have automatic triggers that act on their own. This may include load balancing, traffic filtering, and an alarm system.
  3. Traffic load balancing. When heavy traffic arrives, you need to direct it to more servers. That way, you spread the hit over many servers instead of one. The more DNS servers your plan includes, the better your chances of withstanding the DDoS attack.

You need an intelligent DDoS attack protection service that can distinguish heavy traffic caused by a successful promotion from a real attack. You don’t want to block your real users at any moment.


What is the motivation of DDoS attackers?

Cybercriminals can have multiple reasons to use a DDoS attack, and the most common are:

  • Extortion. The attackers send waves of traffic towards the target and disrupt its services, causing technical problems, downtime, and lost sales, then demand money to stop the DDoS attack.
  • DDoS-for-hire to attack the competition. On the Dark Web, people can hire hackers for DDoS attacks. Some pay for such an attack to be directed at their competitors. It is especially popular during important sales periods like Christmas, Black Friday, Cyber Monday, or Easter promotions. If a competitor is down, it won’t receive visitors on its site, and they will go elsewhere. The one who paid for the attack hopes that some of these visitors end up on their own site.
  • Cyberwarfare. The governments of some countries use DDoS attacks to target the opposition’s news sites, their communication, or other crucial services. The goal is to control the narrative and suppress free speech in their country. These attacks can be especially strong because countries have a lot of money to sponsor them.
  • Gamers’ conflicts. It may surprise you, but the gaming industry has already reached almost 200 billion dollars in revenue per year, so the stakes are high. Rival gamers use DDoS attacks to harass their competitors and try to lower their scores. Sometimes, they use DDoS to stop a competitive game they are losing and demand a rematch.
  • Hacktivism. Hackers also have opinions. They might have a problem with the government or with a particular organization or event. Modern activism has found many new ways to protest and make a point, including cyberattacks.

Types of DDoS attacks

Over time, cybercriminals have developed multiple technical approaches for taking down their victims through DDoS. Each technique falls into one of the three general types of DDoS attacks:

Volume-Based or Volumetric Attacks

These are the most classic type of DDoS attack. They use different methods to generate massive volumes of traffic that exceed the capacity of the victim’s resources. As a result, servers are overwhelmed with requests, networks with traffic, and databases with calls. By saturating the available bandwidth, they make it impossible for legitimate user traffic to reach the targeted website.

Protocol Attacks

Protocol attacks, also known as state-exhaustion attacks, abuse protocols to overwhelm a particular resource, most commonly a server but occasionally firewalls or load balancers. They are designed in a way that allows them to consume the processing capacity of network infrastructure resources. Their target is usually Layer 3 and Layer 4 protocol communications and, more precisely, their weaknesses. These attacks are often measured in packets per second.

Application-Layer Attacks

These DDoS attacks target weaknesses in applications in order to force the application itself to fail. In contrast to other attacks, which mainly concentrate on disrupting infrastructure, these attacks are initiated on Layer 7 (the Application layer) by opening connections and starting processes and transaction requests that consume limited resources, such as disk space and available memory. They can even result in overloaded CPUs or exhausted memory, which impacts the server and other applications. Layer 7 attacks are known to be difficult to prevent, since it can be challenging to distinguish malicious traffic from regular traffic. Application DDoS attacks are usually measured in requests per second.

In real-world cases, criminals can actually use a combination of these types of DDoS in order to increase the intensity of the attack.

Popular DDoS attacks used by hackers

Let’s talk a little bit more about the most popular types of DDoS attacks initiated by cybercriminals!

Smurf Attack

The Smurf attack abuses the ping tool (ICMP echo request). Ping is used to check the reachability of connected devices: when you send a ping request to a destination address, you should receive a reply. In this DDoS attack, the ping is sent to a device, but from a spoofed (masked) source IP. The reply therefore does not go back to the real source but is redirected to the target of the attack. All the infected devices do the same, and together they send the traffic to the victim.

Teardrop Attack

A Teardrop attack works by sending modified, oversized data packets to the victim’s device to make it inaccessible. Frequently, perpetrators exploit a specific bug in the fragmentation or reassembly code of the TCP/IP stack, which opens the door for the teardrop attack.
Reassembling the maliciously modified packets is not possible, which produces repeated attempts to complete the task. The constant cycle of these repetitions causes the packets to overlap. Finally, to increase the strain, large traffic loads are sent to the target for a definitive crash.

Ping Of Death

The Ping of Death (POD) attack uses a common and legitimate tool with malicious objectives: the ping command. Altered or oversized data packets are sent to the target through ping.
A valid IPv4 packet (IP header included) cannot exceed 65,535 bytes, the maximum allowed by the Internet Protocol (IP). Perpetrators violate this limit and make the target struggle while repeatedly trying to reassemble the altered packets. The target’s resources, such as memory, are exhausted, causing various problems, crashes included.
POD became popular because attackers don’t need deep knowledge about the victim, only its IP address.

Slowloris

A highly dangerous attack executed from a single computer against a server. It is a sophisticated technique that takes down a server without disrupting the rest of the network’s ports and services. Slowloris operates by sending many partial requests to the server. It keeps sending more HTTP headers continuously, but never completes the requests. These forged requests keep many connections to the server open for longer than usual, exhausting the maximum concurrent connection pool. As a result, the system slows down, and additional connections from legitimate users are denied.

Zero-day DDoS attack

A zero-day, also called a zero-minute attack, is one that takes advantage of new vulnerabilities that people are not yet aware of. Usually, those vulnerabilities appear in new updates or patches, but they can also exist since the software was launched. The name refers to the fact that the attack happens before the vulnerability the perpetrators used is publicly known.

The search for such vulnerabilities can also have a positive purpose, as software companies pay people for reporting vulnerabilities in new products before their official release. But it also points to the reality that attacks are far from disappearing.

Preparing a DDoS attack

To launch a DDoS attack, first, the criminals need to “recruit” enough connected devices that later will generate the traffic. To do so, they infect those machines with different malicious software (from emails, visiting unprotected sites and more) and create so-called botnets – hijacked devices ready to be used when it is time for the attack. There are even markets for botnets, where you can buy an attack on a website of your choice.

The Consequences of DDoS attack

Experiencing such a harmful threat is highly unpleasant and can have a huge negative impact. Some of the possible outcomes of a successful attack include:

  • Operational Disruption: One of the immediate consequences of a successful DDoS attack is the disruption of normal operations. Websites become sluggish or entirely inaccessible, leading to frustrated users, decreased productivity, and financial losses. E-commerce platforms, financial institutions, and online services are especially vulnerable, as downtime translates directly into revenue loss and damage to customer trust.
  • Financial Loss: DDoS attacks can cause severe financial harm. Businesses may face not only the direct costs of mitigating the attack and restoring services but also indirect costs associated with reputational damage and lost customers. The financial damage can lead to legal consequences, especially if sensitive client information is compromised during the attack.
  • Reputational Damage: Trust is a delicate matter in the digital space, and a DDoS attack can destroy it instantly. When customers cannot access services or experience disruptions, they may lose confidence in the affected organization and its ability to protect their interests. Rebuilding a reputation can be a long and difficult process.

How long does a DDoS attack last?

The duration of a DDoS attack can vary significantly based on the resources available to the attackers and the defensive measures of the target. DDoS attacks can last from a few minutes to several weeks. On average, however, most DDoS attacks last for around 24 hours, though some intense attacks can go on for days or even weeks.

Short-duration attacks can be a part of a coordinated strategy where attackers test a target’s vulnerabilities with brief bursts, estimating the response and preparedness of the target’s systems. These “hit-and-run” style attacks can cause considerable disruption in a short time, particularly if they target time-sensitive operations like financial transactions or sales events.

Prolonged DDoS attacks typically aim to exhaust the target’s resources or force them to pay a ransom in exchange for stopping the attack. Long-term attacks can be devastating as they may prevent an organization from functioning entirely, leading to major operational and financial issues.

Preparedness and robust DDoS protection are essential to mitigate the effects of both short and prolonged attacks.

Which industries are being targeted and why?

Certain industries are more frequently targeted by DDoS attacks due to their high online activity, competitive nature, and dependence on continuous uptime. Here are some of the industries most affected and why they are popular targets:

  • Financial Services and Banking: Financial institutions are high-value targets due to their critical role in managing and securing funds and customer data. Attackers may aim to disrupt operations, damage reputation, or extort these institutions for ransom. A successful attack on a bank can lead to significant financial loss, operational chaos, and damage to customer trust.
  • E-commerce and Retail: Online retail is another major target, especially during peak shopping seasons like Black Friday and holidays. Attacks during these times can severely impact sales revenue, as website downtime directly translates to lost customers and sales.
  • Government and Public Sector: Government websites, especially those related to public communication, law enforcement, and emergency services, are frequent targets. These attacks may be politically motivated, intending to disrupt public access to information. Governments are also targeted to disrupt official communication channels.
  • Gaming and Entertainment: The gaming industry is particularly vulnerable, as users expect real-time access and responsiveness. Gamers often participate in competitive or time-sensitive events where even short downtimes can lead to significant frustration and financial loss for companies. DDoS attacks are frequently employed to disrupt gaming servers.
  • Media and News Websites: News outlets and media websites are also prime targets. Hacktivists may use DDoS attacks to silence certain news outlets or delay the publication of specific content. Attacks on these sites can reduce public access to information, potentially affecting the narrative on important topics.

How to prevent a DDoS attack and stay safe?

Cybercriminals can build vast botnets, but that doesn’t mean you can’t be protected. ClouDNS provides you with two options to stay away from DDoS troubles.

You can choose and subscribe for a DDoS protected DNS.

All plans provide unlimited Layer 3-7 DDoS Protection. Whichever you pick from them, you will be able to use 4 DDoS protected DNS servers, 50+ Anycast locations and unlimited DNS queries. For big companies, we recommend our DDoS Protection L subscription with 400 DNS zones that you can manage.


Or you can use Secondary DNS as a backup DNS, so you always have a backup copy of your DNS records.

It adds resilience and reduces outage periods by answering requests even if the Master is down.

Conclusion

The more extensive your DNS network is, the better. The massive traffic from the attackers can be distributed between your servers in the different locations, and it will ease the load. Don’t forget that modern DDoS attacks target different communication layers, so you will need intelligent DDoS protection to respond fast and accurately. 

To be safe, always choose a quality DNS service provider like ClouDNS.

What is a DNS outage (DNS downtime), and how to avoid it?
https://www.cloudns.net/blog/what-is-a-dns-outage-dns-downtime-and-how-to-avoid-it/
Published Tue, 22 Oct 2024 07:37:00 +0000

Knowing what DNS is can already show you the answer to what DNS outage is. The clients won’t resolve your domain name, so they will get an error and won’t be able to reach your site or use your application. The DNS downtime could lead to angry customers, lost sales, and bad branding. But you can avoid DNS outages. Do you want to know how? 

DNS outage (DNS downtime) – what does it mean? 

A DNS outage (a.k.a. DNS downtime or DNS failure) is a period of time when the domain name can’t be resolved to its IP address. The clients send a DNS query for the domain name, but the recursive DNS server will either answer with an old IP address from its cache, which does not respond, or it will try to query the authoritative name server of the domain name and get no answer.


What causes DNS outages? 

DDoS attacks

A DDoS, or distributed denial-of-service attack, is a type of cyber-attack in which multiple devices work together, targeting a victim’s computer with a large amount of traffic, intending to make it unable to answer any more queries. To prevent the problems a DDoS attack can cause, you will need load balancing that can share the traffic between your servers, even if the attack is very strong. You will also need DDoS-protected servers.

Maintenance of the authoritative name server

If you are using only one authoritative name server, whatever happens to it can affect your DNS. If it needs updates and a reboot, the server won’t be able to respond to DNS queries for as long as that takes. Updates and maintenance are necessary, so you had better have a Secondary DNS that can answer the queries in the meantime.

A problem in the data center, where the authoritative name server is

The cloud equipment does not magically hover above the Earth. Instead, it resides in multiple data centers. These places can have problems like long-lasting electricity outages, natural disasters affecting the area, fire, or other incidents. If you are using a cloud service, these issues are out of your hands, but you can use multiple servers in multiple data centers. If one is down, there will still be others to answer the queries.

Bad configuration

Errors in DNS configuration can cause DNS downtime. It can be a human mistake, like a misspelled IP address or domain name, a script error, a wrong firewall configuration, etc.

If it is a misspelling problem, you can try to query the domain name and the IP address to see which responds and which does not.

If it is the firewall, you can check whether the DNS ports are allowed.

DNS propagation delay

When you add or remove DNS records (like A or AAAA records), the changes are not always instant. You are editing the zone file inside the Primary DNS server, and you can propagate to your Secondary DNS servers, but there are many DNS recursive servers that you don’t control. They can keep your old IP address and provide it to clients, even after you published a new one. 

What you can do about the DNS propagation is to push the zone transfer to your Secondary servers and to keep lower TTL values for your DNS records. 

It is not technically a DNS outage because it will affect only those with the older cached IP address of the domain name, but it was worth mentioning it.

How to avoid DNS downtime (outage)

The best way to avoid DNS outages is to have a robust DNS network that provides redundancy and can withstand strong traffic. The more servers you have, the better you are going to be prepared. Additional features might also facilitate the DNS administration and automate the process of handling problems. 

Use Secondary DNS services

A Secondary DNS service gives you the opportunity to use multiple Secondary DNS servers, which can be set as secondary authoritative nameservers. They hold a copy of the zone file with the DNS records and can answer queries for your domain, just like the Primary one. The big advantage is that they keep answering even if the Primary is experiencing downtime. Having Secondary DNS is your DNS backup solution.

You can learn more about it in this article, “What is backup DNS?”, and you can try our Secondary DNS plans with a 30-day free trial. 

Use DNS load balancing

DNS load balancing is another nifty way to lower the chance of DNS outages. It is a mechanism for distributing DNS traffic between the DNS servers, based on criteria like the number of active connections, a specific algorithm, time of connection, etc.

It reduces the stress on a particular DNS server and spreads it across the network.

It can help in case of a DDoS attack but also in a natural spike in traffic caused by increased clients’ queries. It can help you during a promotional period when you are experiencing higher traffic.

Be prepared with DNS Failover

DNS Failover is a trigger that activates in case of a nameserver’s failure. It can automatically redirect the traffic without any human interaction, based on the information it gets from DNS monitors such as ICMP ping, UDP requests, HTTP checks, etc. It is an easy way to keep your clients happy and provide DNS resolution, even if some of your DNS servers are experiencing problems. We offer the DNS Failover service with all of our paid plans.

We also recommend checking our brand new Monitoring service!

How to diagnose DNS outages?

When facing a DNS outage, quick diagnosis is essential to restore functionality. Follow these steps to pinpoint the problem:

  • Ping the Domain

Use ping to check if the domain resolves and the server responds.

ping example.com

If it doesn’t resolve, it’s likely a DNS issue.

  • Test DNS Resolution with nslookup

Verify if DNS is working by querying your DNS server with nslookup.

nslookup example.com

If it returns an IP address, DNS is working for that domain. But if it fails, the DNS server may be down or misconfigured.

  • Run dig for detailed queries

Use dig for detailed DNS resolution data, including specific DNS record types.

dig example.com

Add +trace to follow the query path through name servers and find where it fails.

  • Test with Alternate DNS Servers

Query public DNS servers (like Google’s 8.8.8.8) to rule out provider-specific issues.

nslookup example.com 8.8.8.8

If the domain resolves with a different DNS server, it suggests the problem is with your original DNS provider.

  • Check DNS Propagation Delays

If you’ve recently made DNS changes (such as updating A or MX records), delays in DNS propagation could be the culprit. Use online tools like ClouDNS Free DNS tool to check whether your DNS records have propagated across global DNS servers.

  • Check for DDoS attacks or high traffic loads

DNS outages can be caused by Distributed Denial of Service (DDoS) attacks or heavy traffic loads. Tools like tcpdump can help capture and analyze DNS traffic to detect abnormal patterns, such as a flood of queries or unusual IP activity.

Example:

sudo tcpdump -i eth0 port 53

This command captures DNS traffic (port 53), allowing you to inspect it for signs of an attack. For real-time detection, combine tcpdump with network monitoring tools and DDoS mitigation services.
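As an added example that is not part of the original post, the following script reads query lines in the format tcpdump prints for the capture above and flags the flood signs just described: per-second query counts far above the median, and a few sources dominating those seconds. The capture lines are constructed, and the IPv4-only line format and thresholds are assumptions.

```python
import re
from collections import Counter

# One tcpdump DNS query line (IPv4, UDP/53; assumed format), e.g.
# 12:00:05.000007 IP 203.0.113.2.50007 > 198.51.100.1.53: 7+ A? example.com. (28)
QUERY_RE = re.compile(
    r'^(?P<t>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+\S* (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$')


def parse_queries(lines):
    """Keep client queries only; response lines (no '?' after the type) are skipped."""
    return [m.groupdict() for m in map(QUERY_RE.match, lines) if m]


def find_flood(lines, spike_factor=10, top_n=3):
    """Flag seconds whose query count is >= spike_factor x the median per-second
    count, and report who sent the traffic during those seconds."""
    qs = parse_queries(lines)
    if not qs:
        return {"flood_seconds": [], "baseline_qps": 0, "top_sources": [],
                "top_share": 0.0, "qtypes": {}}
    per_sec = Counter(q["t"] for q in qs)
    rates = sorted(per_sec.values())
    baseline = rates[len(rates) // 2]          # median queries per second
    flood = sorted(t for t, n in per_sec.items() if n >= spike_factor * baseline)
    during = [q for q in qs if q["t"] in flood]
    srcs = Counter(q["src"] for q in during).most_common(top_n)
    share = sum(n for _, n in srcs) / len(during) if during else 0.0
    return {"flood_seconds": flood, "baseline_qps": baseline, "top_sources": srcs,
            "top_share": round(share, 2),
            "qtypes": dict(Counter(q["qtype"] for q in during))}


def build_sample():
    """Constructed capture: two ordinary resolvers asking two queries per second
    (with the server's replies), then 60 queries in one second from three
    addresses in 203.0.113.0/24."""
    names = ["example.com.", "www.example.com.", "mail.example.com."]
    lines = []
    for s in range(5):
        for i, src in enumerate(("192.0.2.10", "198.51.100.20")):
            lines.append(f"12:00:{s:02d}.{i:06d} IP {src}.{40000 + i} > 198.51.100.1.53: "
                         f"{100 + s}+ A? {names[(s + i) % 3]} (30)")
            lines.append(f"12:00:{s:02d}.{i + 1:06d} IP 198.51.100.1.53 > {src}.{40000 + i}: "
                         f"{100 + s} 1/0/0 A 192.0.2.1 (46)")
    for i in range(60):
        lines.append(f"12:00:05.{i:06d} IP 203.0.113.{i % 3 + 1}.{50000 + i} > "
                     f"198.51.100.1.53: {i}+ A? example.com. (28)")
    return lines


if __name__ == "__main__":
    print(find_flood(build_sample()))
```

On a live box the same functions can be fed the output of `tcpdump -l -n -i eth0 port 53` line by line; `-n` keeps addresses numeric so the regex matches.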

Troubleshooting 

What can you do when your domain is not reachable? 

As DNS administrator of the domain name, you can: 

  • If you have recently finished a DNS delegation, you might need to wait up to 24 hours for the changes to propagate fully.
  • Check that you have paid for your domain name. If you have forgotten to pay for it, it won’t answer queries anymore once it expires. Set reminders for domain renewal and don’t miss the date.
  • Use the ping command to ping the DNS server from different locations to see if it is responding to any DNS requests. It is possible that you haven’t set up your nameservers correctly, and they are working but not answering queries for the domain name.
  • Try to reach the DNS server by using its IP address. If you can reach it, there might be a badly configured A or AAAA record that does not correctly link the domain name to its IP address.
  • Check your DNS monitor and see how the traffic is going. If you can see the monitor’s log, check whether there was any unusual activity before the server stopped working. For example, it could have been a DDoS attack. If it is still happening, you can redirect the traffic and stop it.

As a client who can’t reach a site: 

  • You can have problems with the DNS cache of your device. You can flush the DNS of your device and your browser. This action will remove the previous DNS records that you have, and your device will search again for the A or AAAA record of the site you want to visit. If you had an older IP address, this could fix it. 
  • Maybe your router is the problem. The router has a recursive DNS server that may need to be restarted. Pull its plug, then wait around a minute and connect it again. It should reboot and start working well again. 

Monitor your DNS server

Monitor your DNS for any strange pattern in traffic. There are different automatic monitors that you can set to see the traffic behavior. If something strange happens, you can see in almost real-time any changes and use the information to take action. 

You can monitor the DNS from different locations. That way, you can see whether the problem is local, regional, continental, or global, and it will be easier to pinpoint.
DNS monitoring works best in combination with DNS Failover. You can set the monitor with the parameters you prefer, and it will notify you and show you the data. But when you also have DNS Failover, you can connect this data and trigger automatic actions if a server goes down. It can deactivate DNS records and replace them with working ones. It can also react when the server comes back up and add it to the list again.
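The failover behaviour described here and in the DNS Failover section above, as an added example (not ClouDNS code): health-check results from several monitoring locations decide which A records stay active, a server is removed only after repeated failures seen from a quorum of locations, and it is re-added once it has been healthy again for several rounds. Backend addresses, location names and thresholds are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Backend:
    ip: str
    active: bool = True      # currently published in the record set
    fail_streak: int = 0     # consecutive rounds judged down by the quorum
    ok_streak: int = 0       # consecutive rounds judged healthy


@dataclass
class FailoverPolicy:
    quorum: int = 2          # locations that must agree the host is down
    down_after: int = 2      # consecutive failed rounds before removal
    up_after: int = 3        # consecutive healthy rounds before re-adding
    min_active: int = 1      # never empty the record set entirely


def evaluate_round(backends, results, policy):
    """One monitoring round. results = {ip: {location: True/False}}.
    Returns the list of ("down"/"up", ip) events applied this round."""
    events = []
    for b in backends:
        checks = results.get(b.ip, {})
        failed_locations = sum(1 for ok in checks.values() if not ok)
        if failed_locations >= policy.quorum:   # a single-location blip is ignored
            b.fail_streak += 1
            b.ok_streak = 0
        else:
            b.ok_streak += 1
            b.fail_streak = 0
    for b in backends:                          # removals, respecting the floor
        active = sum(1 for x in backends if x.active)
        if b.active and b.fail_streak >= policy.down_after and active > policy.min_active:
            b.active = False
            events.append(("down", b.ip))
    for b in backends:                          # re-adds after sustained health
        if not b.active and b.ok_streak >= policy.up_after:
            b.active = True
            events.append(("up", b.ip))
    return events


def active_records(backends, name="www.example.com", ttl=60):
    """The A records that would be published right now (low TTL so changes bite fast)."""
    return [(name, ttl, "A", b.ip) for b in backends if b.active]


def simulate(policy=FailoverPolicy()):
    """Constructed scenario: a one-location blip, a two-round outage seen from two
    of three locations, then recovery. Returns (round, events, active ips) per round."""
    backends = [Backend("192.0.2.1"), Backend("198.51.100.1")]
    all_ok = {"eu": True, "us": True, "asia": True}
    healthy = {"192.0.2.1": all_ok, "198.51.100.1": all_ok}
    local_blip = {"192.0.2.1": {"eu": False, "us": True, "asia": True}, "198.51.100.1": all_ok}
    outage = {"192.0.2.1": {"eu": False, "us": False, "asia": True}, "198.51.100.1": all_ok}
    log = []
    for n, res in enumerate([local_blip, outage, outage, healthy, healthy, healthy], 1):
        ev = evaluate_round(backends, res, policy)
        log.append((n, ev, [ip for _, _, _, ip in active_records(backends)]))
    return log


if __name__ == "__main__":
    for n, ev, active in simulate():
        print(f"round {n}: events={ev} active={active}")
```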

ClouDNS offers DNS Failover service for all of its paid customers. You can set it up and activate it for your domain fast and easily.

What are the consequences of a DNS outage?

If a DNS outage occurs, it can have a negative impact on your entire organization and your community of customers. When DNS (Domain Name System) is down, websites, applications, and online services tied to the domain name, such as email, won’t function correctly. Unfortunately, that has the potential to damage operations, revenue, and brand reputation. Therefore, you should act fast and quickly get it up and running again to regain all the temporarily lost functionality.

Yet, let’s assume the functionality of the DNS operations was seriously interrupted for a prolonged period of time. In that case, a DNS outage can potentially cause devastating consequences to the companies with an online presence. Here are some of the most common effects during this time: 

  • Miss potential visitors
  • Lose potential sales
  • Have issues with services like email, FTP, VoIP, etc.
  • Productivity losses
  • Damage to reputation
  • Impact on customers and strategic partners
  • Diminished competitive advantage

It is crucial to implement all precautionary measures to avoid DNS outage’s negative influence on your business.

The biggest DNS outages in history

Not all of these were failures of DNS itself; several were CDN or cloud outages, but each left domains unreachable, which is what users experience as a DNS outage.

  • 2016 Dyn DNS interruption: a massive DDoS attack by the Mirai botnet, built from compromised IoT devices, took down Dyn, a leading managed DNS provider. High-traffic sites such as Twitter, Spotify and Reddit became unreachable. The event underscored the risk posed by unsecured IoT devices and by depending on a single DNS provider.
  • 2019 Cloudflare outage: a misconfigured web application firewall rule caused a major disruption in Cloudflare’s services, impacting millions of websites.
  • 2019 Google Cloud outage: in June 2019, Google Cloud Platform experienced a significant outage that affected multiple services, including Gmail, YouTube and Google Cloud Storage. A configuration change intended for a small number of servers in a single region was mistakenly applied to a larger number of servers across several neighbouring regions.
  • 2020 AWS outage: in November 2020, Amazon Web Services (AWS) faced a significant outage that affected many services built on its infrastructure, highlighting the risk of concentrating dependencies in one cloud provider and region.
  • 2021 Fastly global outage: in June 2021, a major global outage affected numerous high-traffic websites, including Reddit, Twitch and the UK government’s official website. It was traced to a software bug in the Fastly CDN, a critical infrastructure provider for many Internet services.
  • 2022 Microsoft Azure DNS outage: in mid-2022, Microsoft’s cloud service, Azure, experienced a DNS outage. It impacted a wide range of services, from basic operations in Azure to third-party applications relying on Azure’s infrastructure, and underscored the need for robust failover and redundancy in cloud services.

Conclusion

A huge DDoS attack can lead to a DNS outage even if you have excellent infrastructure. But applying the measures above lowers both the duration and the frequency of DNS outages. Be prepared and manage your DNS traffic intelligently so that you can keep providing excellent service to your clients. Keep your business up!

The post What is a DNS outage (DNS downtime), and how to avoid it? appeared first on ClouDNS Blog.

DNS Spoofing (DNS poisoning) https://www.cloudns.net/blog/dns-spoofing-dns-poisoning/ Tue, 20 Aug 2024 08:48:34 +0000

Cyber-threats are behind every corner. Recently we wrote about DDoS attacks, and how hackers are using your computer and many connected devices to create a network of bots who can bring down even the best-protected network. Today we will review another danger – DNS spoofing.

DNS spoofing, a.k.a. DNS poisoning, is so well known that you can find plenty of DNS spoofing tutorials for the Kali Linux distribution. We are on the defending side, so we will not show you that; we will explain why the threat exists and how you can protect yourself.

DNS Spoofing – Definition

In 2008, security researcher Dan Kaminsky unveiled a severe flaw in the DNS protocol that left most recursive resolvers susceptible to cache poisoning. The attack combined the small 16-bit transaction ID with the fixed UDP source port that resolvers used at the time and with queries for random subdomains, so an off-path attacker could win the race against the real answer within minutes. The disclosure prompted a coordinated patch day, and resolvers now randomize their source port on every query. Knowing this history makes it clear why the checks described below matter.

DNS spoofing occurs when the IP address (IPv4 or IPv6) of a domain name is masked and falsified: the real information is replaced by forged data from a host that has no authority to provide it. It disturbs the normal process of DNS resolution, so the user’s device connects to a bogus IP address and all of its traffic goes to a malicious site. The victim usually cannot notice the forgery, because DNS resolution happens behind the scenes. 


The fake DNS data (DNS records) lands in the cache of a recursive DNS server, which then answers every client with the false IP address. Such attacks take advantage of weaknesses in name servers and shift traffic towards fake web pages. Those pages are visually very similar to the real ones, and people do not notice the difference; meanwhile their personal data is stolen.

As we mentioned above, the recursive DNS server has an essential role in the DNS resolution process. Let’s explain a little more about it. Here are two functions that you should be familiar with:

DNS caching

To save time and spread the load, the DNS has recursive servers. They keep a cache: locally saved records for domains that stay there temporarily, until their TTL expires.

Forwarding

Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can forward some or all of the queries that are not satisfied from its cache to another caching name server, commonly referred to as a forwarder.

Methods of DNS Spoofing

There are various different methods of DNS Spoofing. Here are some of the most popular ones:

Spoofing the DNS responses

This method is a form of man-in-the-middle (MITM) attack, or more often an off-path race. The attacker does not need to see the query: a forged response is accepted if it arrives before the legitimate one and matches the outstanding query’s 16-bit transaction ID, UDP port and question section. So the attacker’s job is to guess (or observe) the ID and the port and to send a fake response carrying the IP address he or she wants.

In the majority of cases, the cybercriminal pretends to be the victim’s DNS server and sends malicious responses. The attack is possible because DNS normally runs over the User Datagram Protocol (UDP), which has no handshake and no authentication: the resolver cannot tell a spoofed source address from the real name server. Randomizing the transaction ID and the source port makes blind guessing impractical; only DNSSEC lets the resolver verify the data itself. 

DNS cache poisoning

DNS cache poisoning, also known simply as “cache poisoning,” is what a successful forgery achieves: a bogus IP address ends up in the cache of a recursive resolver, or of the user’s own device. Every client that asks that resolver is then led to the bogus address automatically. Attackers put a high TTL on the forged record so the cached answer survives as long as possible, and the server keeps giving the fake answer for a long time.


Moreover, every further query for that name is answered from the poisoned cache and directed to the bogus IP address. The threat remains until the entry expires or is flushed from the DNS cache. DNSSEC, which lets the resolver validate signatures on the records it receives, is the security mechanism that addresses this.
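The race described in the two sections above, as an added example that is not part of the original post: a toy recursive resolver written in Python that accepts a UDP response only when its transaction ID, destination port and question match an outstanding query, and an off-path attacker that guesses transaction IDs blindly. The wire-format builder and parser, the Resolver class, the domain names, addresses and the attacker's budget are all constructed for this illustration; real resolvers add further checks (bailiwick rules, DNSSEC validation) that are omitted here.

```python
"""Added example (not from the ClouDNS post): a toy recursive resolver and an
off-path attacker racing forged UDP responses at it.

The resolver accepts a response only if its transaction ID, UDP destination
port and question section match an outstanding query. Names, addresses and
the attacker's budget are constructed for the illustration. Real resolvers
also apply bailiwick rules and, with DNSSEC, signature validation; those are
omitted here.
"""
import random
import socket
import struct


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_message(txid, qname, answer_ip=None):
    """Minimal DNS message: one A question and, for responses, one A answer."""
    flags = 0x8180 if answer_ip else 0x0100          # QR|RD|RA vs. RD only
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if answer_ip:
        # NAME = compression pointer to offset 12 (the question), A/IN, TTL 300, RDLENGTH 4
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return msg


def parse_message(msg):
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    qname, off = decode_name(msg, 12)
    off += 4                                           # QTYPE + QCLASS
    answer_ip = None
    if ancount:
        off += 2                                       # skip the compression pointer
        rdlength = struct.unpack("!HHIH", msg[off:off + 10])[3]
        off += 10
        answer_ip = socket.inet_ntoa(msg[off:off + rdlength])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "answer_ip": answer_ip}


class Resolver:
    """Keeps outstanding queries keyed by (transaction ID, UDP source port)."""

    def __init__(self, randomize_port, seed=7):
        self.randomize_port = randomize_port
        self.rng = random.Random(seed)
        self.pending = {}   # (txid, port) -> qname
        self.cache = {}     # qname -> ip

    def send_query(self, qname):
        txid = self.rng.randrange(65536)
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        self.pending[(txid, port)] = qname
        return txid, port   # an off-path attacker never sees these values

    def receive(self, datagram, dst_port):
        m = parse_message(datagram)
        key = (m["txid"], dst_port)
        if not m["is_response"] or self.pending.get(key) != m["qname"]:
            return False    # ID, port or question mismatch: silently dropped
        self.cache[m["qname"]] = m["answer_ip"]   # poisoned if the answer was forged
        del self.pending[key]
        return True


def blind_forgery(resolver, qname, evil_ip, budget=65536):
    """Off-path attacker: cannot see the query, so it walks the ID space at port 53.
    Returns how many forged datagrams were sent before one was accepted, or None."""
    for guess in range(budget):
        if resolver.receive(build_message(guess, qname, evil_ip), 53):
            return guess + 1
    return None


def run_attack(randomize_port, seed=7):
    """One query, one blind forgery campaign; returns (guesses_needed, cache)."""
    resolver = Resolver(randomize_port, seed)
    resolver.send_query("bank.example")
    return blind_forgery(resolver, "bank.example", "203.0.113.7"), dict(resolver.cache)


if __name__ == "__main__":
    for randomize in (False, True):
        guesses, cache = run_attack(randomize)
        print("random source port:", randomize, "| guesses:", guesses, "| cache:", cache)
```

Run as a script: with a fixed source port the forged answer is cached after at most 65536 guesses; with a random port the same budget never lands, which is the effect of the post-Kaminsky source-port randomization (roughly 2^32 ID/port combinations instead of 2^16). The model ignores timing, so it overstates what a fixed-port attacker achieves in a single race, but the acceptance rule is the one that matters for the defence.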

DNS Hijacking

DNS hijacking is different: the attacker does not forge packets but takes control of a legitimate part of the DNS, such as the registrar account of the domain, the authoritative DNS server, or the resolver settings on a device or router. The attacker then changes the real DNS records (or the resolver address), so every user who resolves the domain is sent to the falsified website, with no cache entry that will expire. Protecting the control plane matters most here: registrar lock, multi-factor authentication on registrar and DNS-provider accounts, and alerts on record changes. TLS on the services behind the records still limits what the attacker can do with the redirected traffic.

Example of DNS Spoofing

Most commonly, attackers use ready-made tools for DNS spoofing. It can be performed on any network with connected devices, but the main targets are places with free public Wi-Fi, which are often poorly secured and misconfigured and give the attacker a position on the victim’s local network. Use only Wi-Fi networks you trust, or treat public ones as hostile.

Here is an example of DNS Spoofing and the basic steps that the cybercriminal completes:

  1. The attacker uses arpspoof to poison the ARP cache of the victim’s device, so that its traffic, including its DNS queries, flows through the attacker’s machine instead of the real gateway. The device then receives forged DNS answers.
  2. The attacker runs a DNS server on a machine under his or her control that answers queries for the target domains with forged records pointing at the attacker’s host.
  3. The cybercriminal established a website that imitates a legitimate one on a local malicious device. Despite the fact it looks and feels legit, such a website is created for phishing purposes.
  4. When the victim tries to establish a connection and open such a website, it receives the IP address provided by the attacker’s DNS server. As a result, the victim opens the phishing website instead of the legitimate one.
  5. Lastly, the threat actors steal information from their victims on the network by tricking them. Commonly, that is performed by them entering their sensitive information into the fake website pages.


The Impact of DNS Spoofing: Consequences and Risks

  • Misdirection to malicious websites: Users are directed to fraudulent sites designed to steal sensitive information, often indistinguishable from genuine ones.
  • Data theft and privacy breaches: Attackers can capture personal details and login credentials, leading to identity theft and potential financial repercussions.
  • Spread of malware: Victims are at risk of malware infections when they’re redirected to malicious sites, compromising their devices.
  • Phishing attacks: By mimicking genuine domains, attackers craft convincing phishing attempts, duping victims into sharing confidential data.
  • Loss of trust and reputation damage: For businesses, a DNS spoofing incident can result in significant reputational harm and a decline in customer trust.
  • Financial consequences: Both individuals and businesses might face direct financial losses, coupled with the costs of damage control and cybersecurity enhancements post-incident.

Common Vulnerabilities that Lead to DNS Spoofing Attacks

DNS spoofing attacks often exploit various vulnerabilities within the DNS infrastructure. One primary weakness is unsecured DNS servers, which become easy targets for attackers when left with default settings. The absence of DNSSEC (Domain Name System Security Extensions) is another critical vulnerability. Without it, DNS responses cannot be verified for authenticity, leaving them open to manipulation.

Weak or misconfigured DNS cache settings also pose significant risks, as they can be poisoned with malicious records, redirecting users to fraudulent websites. Insecure network configurations, especially on public Wi-Fi, further expose systems to man-in-the-middle attacks. Outdated software on DNS servers and related devices makes it easier for attackers to exploit known vulnerabilities.

The lack of monitoring allows spoofing attacks to go unnoticed, causing prolonged damage. Poorly configured firewalls, access controls, and insecure DNS forwarding also contribute to the risk. Finally, human errors and social engineering tactics often play a role in successful DNS spoofing attacks.

Addressing these vulnerabilities through regular updates, security audits, and robust configurations is essential to prevent DNS spoofing and secure DNS operations.

How to protect from DNS spoofing?

There are few different things that you can do to protect from those attacks:

  • DNS over HTTPS (DoH) and DNS over TLS (DoT): these protocols encrypt the queries between your device and the recursive resolver, so an attacker on the local network (public Wi-Fi, for example) cannot read or rewrite them. They do not verify the records themselves; you still have to trust the resolver, which is what DNSSEC validation adds.
  • Use DNSSEC – Domain Name System Security Extensions checks the data authenticity with digitally signed DNS records.
  • Internal DNS Servers: Establishing a secure internal DNS server setup can add an extra layer of protection. Ensure regular security audits to keep it foolproof.
  • Implement DNS filtering. It will block malicious IPs or domains from connecting to your system.
  • Use IPSec – IPSec uses encryption to secure communication over IP networks, enhancing data flow between hosts and networks.
  • Detection mechanisms: monitor resolver traffic and logs. A burst of responses with mismatched transaction IDs, or cached answers that differ from what the authoritative servers return, points to a spoofing attempt, and monitoring software can alert you on such patterns.
  • Always use a secure connection. With HTTPS, the browser checks the website’s TLS certificate; an attacker who has redirected you to another IP address cannot present a valid certificate for the real hostname, so a certificate warning is the last signal you get. Never click through it.
  • Employee Training: Periodic training sessions can help employees recognize and report potential cyber threats, reducing the chance of a successful attack.

Conclusion

We should be careful where we go on the Internet and which emails we open. Even a small difference, such as a missing or invalid certificate or a browser warning, should immediately make us double-check the website we want to visit.

DNS load balancing vs. Hardware load balancing https://www.cloudns.net/blog/dns-load-balancing-vs-hardware-load-balancing/ Thu, 01 Aug 2024 10:18:31 +0000

DNS load balancing and hardware load balancing are two different methods for distributing traffic effectively among servers. They help in enhancing reliability and guaranteeing simple and quick access to online services. Yet, which one is the best for you and your online business? Keep reading to understand these techniques better, explore their benefits and help you choose the right path for seamless online experiences. So, let’s start!

Why do we need load balancing?

With the massive increase of the internet traffic each year, it is getting harder to provide a sustainable service for all the millions of clients without having some downtime. For this purpose, you need to apply a model of load balancing, that will reduce the load caused by the countless users trying to reach your website or use your application.

Another reason why you need to use load balancing is the rising number of DDoS attacks. To evade them you will need to spread the traffic to as many as possible servers that you have. That way, their combined efforts can resist the wave of high traffic.

DNS load balancing explained

DNS load balancing is a technique that distributes incoming traffic across several servers by associating a single domain name with multiple IP addresses (IPv4 and IPv6). When clients resolve the domain, the authoritative DNS servers return the addresses in a rotating order (DNS Round-Robin) or select them with another algorithm, such as the client’s location or server weight. That way, traffic is spread across multiple servers, no single server is overwhelmed, and overall availability improves.

Pros of DNS load balancing

Some of the main benefits of DNS load balancing include the following:

  • Easy to Implement: It doesn’t require specialized hardware and can be implemented by only configuring DNS records. That makes it an excellent choice for businesses of all sizes.
  • Geographic Distribution: It can also be utilized to direct users to servers in different geographic locations. As a result, it improves performance by reducing latency for users located at different points all over the world.
  • Scalability: Adding or removing servers from the load balancing pool is a relatively easy and simple process. That makes it suitable for applications that experience changing levels of traffic.

Cons of DNS load balancing

Here are several things you should consider before implementing this technique:

  • TTL Impact: DNS records carry a Time-to-Live (TTL) value that tells resolvers how long to cache the answer. Changes to the load balancing configuration take effect only as caches expire, so a long TTL means a slow reaction.
  • Limited Monitoring: plain DNS has no awareness of server health. If a server fails, DNS keeps handing out its address, and clients that already cached it keep using it until the TTL expires. To limit that, combine DNS load balancing with a Monitoring service and failover that withdraw the failed address quickly, and keep the TTL short.
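How much the TTL matters for the two drawbacks above, as an added example that is not part of the original post: a Python simulation of a round-robin record set, caching clients and a server that dies and is withdrawn by monitoring a minute later. The zone, the addresses, the one-request-per-second clients and the timings are constructed; the model assumes clients honour the TTL exactly and always connect to the first address returned, which real stubs and browsers do not do uniformly.

```python
"""Added example (not from the ClouDNS post): how the TTL of a round-robin
record set delays the effect of pulling a failed server.

A toy authoritative server hands out rotated A records; each client caches
the answer for exactly TTL seconds and connects to the first address it
received. Assumptions: clients honour the TTL strictly and always use the
first address, and the monitor withdraws the dead address 60 s after it
fails. Addresses and timings are constructed.
"""


class RoundRobinZone:
    """Authoritative side: one name, several A records, rotated per query."""

    def __init__(self, ips, ttl):
        self.ips = list(ips)
        self.ttl = ttl
        self._next = 0

    def answer(self):
        ips = self.ips[self._next:] + self.ips[:self._next]
        self._next = (self._next + 1) % len(self.ips)
        return ips

    def withdraw(self, ip):
        """What DNS failover does once monitoring declares `ip` down."""
        self.ips.remove(ip)
        self._next %= len(self.ips)


class CachingClient:
    """A resolver or stub that re-queries only after the cached answer's TTL expires."""

    def __init__(self, zone):
        self.zone = zone
        self.cached = None
        self.expires_at = -1

    def pick_address(self, now):
        if self.cached is None or now >= self.expires_at:
            self.cached = self.zone.answer()
            self.expires_at = now + self.zone.ttl
        return self.cached[0]   # assumption: clients use the first address returned


def failed_requests(ttl, fail_at, withdraw_at, until, clients=2):
    """Count requests (one per client per second) that land on the dead server."""
    dead = "198.51.100.2"
    zone = RoundRobinZone(["198.51.100.1", dead], ttl)
    pool = [CachingClient(zone) for _ in range(clients)]
    failures = 0
    for now in range(until):
        if now == withdraw_at:
            zone.withdraw(dead)          # monitoring reacted, zone updated
        for client in pool:
            if client.pick_address(now) == dead and now >= fail_at:
                failures += 1            # cached answer still points at the corpse
    return failures


def compare_ttls():
    """Same incident (server dies at t=600 s, withdrawn at t=660 s) under two TTLs."""
    return {ttl: failed_requests(ttl, fail_at=600, withdraw_at=660, until=3600)
            for ttl in (3600, 60)}


if __name__ == "__main__":
    for ttl, n in compare_ttls().items():
        print("TTL %4d s: %d requests hit the dead server" % (ttl, n))
```

With a one-hour TTL the client that cached the dead address keeps hitting it for the remaining 3000 seconds of the simulation even though the zone was corrected after 60 seconds; with a 60-second TTL the damage is limited to the 60 requests sent before the next refresh. Monitoring and failover fix the zone; only the TTL decides how quickly clients notice.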

Hardware load balancer (HLB)

Hardware load balancers (HLBs) first appeared in the late 1990s. They are physical appliances: you buy the device and connect it to your network in front of the servers. An HLB distributes traffic across multiple servers according to the servers’ processing power, their number of connections, their resource usage, or at random.

Hardware load balancers operate at Layer 4 (transport layer) and Layer 7 (application layer). At Layer 4 they use TCP, UDP and SCTP header details, such as addresses and ports, to decide which server a connection goes to.


At Layer 7 the appliance forms an ADN (Application delivery network): it inspects the request itself, such as the URL, headers and cookies, and forwards it to servers according to the type of content.

Pros of Hardware load balancing

Here are the primary benefits of Hardware load balancing:

  • Advanced Features: Hardware load balancers can perform complex traffic distribution algorithms, considering factors like server health, response times, and content-based routing, leading to more efficient traffic distribution.
  • Real-Time Monitoring: These devices continuously monitor server health and network conditions, enabling immediate traffic redirection in case of server failures or high loads.
  • Enhanced Scalability: Hardware load balancers can handle large amounts of traffic and provide seamless scalability for growing services.

Cons of Hardware load balancing

Some of the drawbacks or things you should have in mind when choosing this method for load balancing are the following:

  • Cost and Complexity: Implementing hardware load balancing requires a significant investment in specialized hardware devices and ongoing maintenance, which might be a barrier for small to medium-sized businesses. Configuration and management can be complex, especially for organizations without specialized networking experts.
  • Single Point of Failure: while hardware load balancers improve server availability, a single appliance is itself a single point of failure. They are usually deployed in redundant pairs (active/passive or active/active), which adds cost and configuration work.

DNS load balancing vs. Hardware load balancing

We will compare them in two conditions, with a single data center, and with cross data center load balancing.

In the first scenario, both are very competitive. The main difference is price. The DNS load balancer is usually more accessible because it is offered as a subscription. An HLB has to be bought outright, and if you need more capacity later, the upgrades can be very costly. The DNS service scales more easily, just by moving to another plan.

In the second scenario, cross data center, things are similar. Building global server load balancing with HLBs gets very expensive, because every data center has to be equipped with its own appliances.

With a global setup in mind, DNS load balancing has a clear advantage over HLBs in scalability and price, and it offers simpler failover and recovery.
Another advantage of DNS load balancing is the cost of maintenance. DNS services are mostly offered as Managed DNS, so they require less maintenance on your side.

Which One to Choose?

Choosing between DNS load balancing and hardware load balancing largely depends on the specific needs and resources of your business.

DNS load balancing is generally more cost-effective and easier to implement, making it ideal for small to medium-sized businesses or those with inconsistent traffic levels. Its scalability and ability to direct traffic based on geographic location provide a significant advantage for globally distributed user bases. However, it’s important to consider the limitations, such as the impact of TTL on configuration changes and the lack of real-time server health monitoring, which can actually be compensated by implementing ClouDNS’s monitoring service. Despite these drawbacks, DNS load balancing offers a flexible and affordable solution for many online services.

On the other hand, hardware load balancing is better suited for enterprises requiring advanced features and robust real-time monitoring capabilities. The hardware solution offers more sophisticated traffic distribution algorithms, taking into account server health and network conditions to optimize performance. Although the initial investment and complexity in setup and maintenance are higher, hardware load balancers provide enhanced scalability and reliability for handling large volumes of traffic. They are particularly beneficial for applications requiring high availability and minimal latency.

Finally, your decision should consider the cost, desired level of control, and specific performance requirements to ensure a seamless and efficient online experience for your users.

Conclusion

Both DNS load balancing and hardware load balancing are good solutions for distributing traffic. Which one to choose depends on the needs of your company. How tight a control do you want? How much can you invest? Do you prefer a subscription model with small monthly fees, or a large outlay every few years for top-notch performance?

We recommend you to try a DNS cloud-based load balancing, like our GeoDNS.
It is cost-effective, easily scalable; you can use multiple geolocation target options and have protection from DDoS attacks.

Later you can combine it with your own hardware load balancing and create a hybrid for your specific needs.

What is ICMP (Internet Control Message Protocol)? https://www.cloudns.net/blog/what-is-icmp-internet-service-message-protocol/ Wed, 17 Jul 2024 10:35:08 +0000

The ICMP (Internet Control Message Protocol) is a network layer protocol and also a supporting protocol in the Internet protocol suite. It is mainly used for reporting errors by different network devices, such as routers.

It helps determine if the transferred data is reaching its target destination on time. For that reason, ICMP is an essential element when it comes to the error reporting process and testing. However, it often gets utilized in DDoS (Distributed Denial-of-Service) attacks.

History of ICMP

The ICMP protocol was conceived as a vital component of the Internet Protocol Suite, introduced in 1981 with RFC 792. Its origins can be traced back to the early days of the internet when the need for a diagnostic and error-reporting tool was identified. Over the years, ICMP has experienced several refinements, with additional message types being introduced. Its fundamental purpose of providing feedback about issues related to datagram processing has remained consistent throughout, making it an indispensable tool for network diagnostics.

What is ICMP protocol used for?

The ICMP protocol could be used in several different ways. They are the following:

The main purpose of ICMP is to report errors

Let’s say two devices communicate over the Internet, and the data from the sending device does not arrive correctly at the receiving device. ICMP is what reports that. For instance, a packet is larger than the MTU of the next link and carries the Don’t Fragment flag, so the router cannot forward it. The router discards the packet and sends an ICMP Destination Unreachable message (type 3, code 4, “fragmentation needed and DF set”) back to the sender, which then knows to use smaller packets; this is how Path MTU Discovery works.

ICMP is commonly used as a diagnostic tool

It is used to measure how a network performs. The two popular utilities, traceroute and ping, are built on it: ping on Echo Request and Echo Reply messages, traceroute on the Time Exceeded messages that routers return.

  • The traceroute command displays the routing path between two Internet devices: the sequence of routers that forward the request until it reaches its destination. Each step from one router to the next is called a “hop.” Traceroute sends probes with increasing TTL values; each router that decrements the TTL to zero discards the probe and returns a Time Exceeded message, which reveals that hop’s address and the time it took to reach it. Such information is extremely useful for figuring out which points along the route cause delays.
  • The Ping command is similar, yet a little bit more simple. It tests the speed of the connection between two different points, and in the report, you can see precisely how long it takes a packet of data to reach its target and return to the sender’s device. Despite the fact that the Ping command does not supply additional data about routing or hops, it is still an extremely beneficial tool for estimating the latency between two points. The ICMP echo-request and echo-reply messages are implemented during the ping process.

Cybercriminals utilize it too

Their goal is to disturb the normal network performance. They initiate different attacks, such as an ICMP flood, a Smurf attack, and a Ping of death attack. Attackers are determined to overwhelm the victim and make the standard functionality not possible.

How does it work?

Internet Control Message Protocol stands as one of the leading protocols of the IP suite. Yet, it is not associated with any transport layer protocol, for instance, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

ICMP is one of the connectionless protocols, which means that a sending device is not required to initiate a connection with the receiving party before transmitting the data. That is why it differs from TCP, for instance, where a connection between the two devices is a mandatory requirement. Only when both devices are ready through a TCP handshake, a message could be sent.

All ICMP messages are carried inside IP datagrams: the IP header comes first, and the ICMP header and data follow in the IP payload (the protocol field of the IP header is 1 for ICMP). Each datagram is a self-contained unit. ICMP error messages, such as Destination Unreachable, also quote the IP header and the first 8 bytes of the datagram that caused the error, which is enough for the sender to identify the packet and the connection (ports) it belonged to. 


ICMP Packet Format

ICMP is designed to be used within IP packets. When an ICMP message is sent, it is encapsulated within an IP packet, and the ICMP header follows the IP header within that packet.


In the ICMP packet format, the first 32 bits of the packet are divided into three fields:

Type (8-bit): The initial 8 bits of the packet specify the message type, providing a brief description so the receiving network knows the kind of message it is receiving and how to respond. Common message types include:

  • Type 0: Echo reply
  • Type 3: Destination unreachable
  • Type 5: Redirect Message
  • Type 8: Echo Request
  • Type 11: Time Exceeded
  • Type 12: Parameter problem

Code (8-bit): The next 8 bits are for the code field, which provides additional information about the error message and its type.

Checksum (16-bit): The last 16 bits of the first word hold a checksum over the entire ICMP message, header and data, computed as the ones’ complement of the ones’ complement sum of all 16-bit words (RFC 1071, the same algorithm IP and TCP use). The receiver recomputes it and discards a message that does not verify.

Rest of header (32-bit): The second 32-bit word depends on the message type. For Echo Request and Echo Reply it carries an identifier and a sequence number that match replies to requests; for Parameter Problem it holds a pointer to the byte of the quoted IP header that caused the error; for Redirect it holds the address of the gateway to use; for Destination Unreachable code 4 the low 16 bits hold the next-hop MTU (RFC 1191); many error types leave it zero.

Data/Payload: The final part of the ICMP packet is of variable length. For Echo it is whatever payload the sender chose. For error messages it quotes the original IP header plus at least the first 8 bytes of the original datagram; RFC 1812 lets an IPv4 router include as much of the original datagram as fits in a 576-byte message, and ICMPv6 (RFC 4443) allows up to the IPv6 minimum MTU of 1280 bytes.
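The packet format above, as an added example that is not part of the original post: a Python module that builds an Echo Request and a Destination Unreachable message, computes the RFC 1071 checksum, and parses the fixed header and the type-specific second word. It works on raw bytes only, so it needs neither privileges nor a network; the sample IPv4 header it quotes, the identifiers and the addresses are constructed for the illustration.

```python
"""Added example (not from the ClouDNS post): building and parsing ICMP
messages in the format described above, with the RFC 1071 checksum.

Works on raw bytes only, so it runs without privileges or network access;
putting these bytes on the wire would need a raw socket. All samples are
constructed.
"""
import socket
import struct

ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 0, 3, 5, 8, 11, 12

DEST_UNREACH_CODES = {
    0: "network unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
}

# Constructed 20-byte IPv4 header (UDP, DF set, 192.0.2.1 -> 198.51.100.2), used as
# the quoted datagram in the error-message demo below.
SAMPLE_IPV4_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 17, 0,
                                 socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.2"))


def icmp_checksum(data: bytes) -> int:
    """Ones' complement of the ones' complement sum of all 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                 # pad odd-length messages for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Type 8, code 0; the 'rest of header' word carries identifier and sequence."""
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)   # computed with the checksum field zeroed
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, identifier, sequence) + payload


def build_dest_unreachable(code: int, next_hop_mtu: int, original_datagram: bytes) -> bytes:
    """Type 3 error message: unused 16 bits, next-hop MTU, then the quoted datagram."""
    quoted = original_datagram[:28]          # 20-byte IPv4 header (no options) + 8 bytes
    header = struct.pack("!BBHHH", DEST_UNREACH, code, 0, 0, next_hop_mtu)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHHH", DEST_UNREACH, code, csum, 0, next_hop_mtu) + quoted


def parse_icmp(packet: bytes) -> dict:
    """Decode the fixed 8-byte header; interpret the second word by message type."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    itype, code, _csum, rest = struct.unpack("!BBH4s", packet[:8])
    msg = {
        "type": itype,
        "code": code,
        # Summing a correct message including its checksum field yields 0xFFFF,
        # whose complement is 0, so a message that verifies checksums to 0.
        "checksum_ok": icmp_checksum(packet) == 0,
        "data": packet[8:],
    }
    if itype in (ECHO_REQUEST, ECHO_REPLY):
        msg["identifier"], msg["sequence"] = struct.unpack("!HH", rest)
    elif itype == DEST_UNREACH:
        msg["reason"] = DEST_UNREACH_CODES.get(code, "code %d" % code)
        if code == 4:
            msg["next_hop_mtu"] = struct.unpack("!HH", rest)[1]   # RFC 1191
    elif itype == PARAM_PROBLEM:
        msg["pointer"] = rest[0]                 # byte offset of the bad field
    elif itype == REDIRECT:
        msg["gateway"] = socket.inet_ntoa(rest)  # use this router instead
    return msg


if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 1, b"ping-payload")))
    too_big = build_dest_unreachable(4, 1400, SAMPLE_IPV4_HEADER + b"\x00" * 8)
    print(parse_icmp(too_big))
```

The checksum check is the detail worth keeping in mind when you inspect captures: a receiver verifies a message by summing it with the checksum field included and expecting zero, and the same routine serves for building and for verifying. Flipping any byte of the Echo payload makes `checksum_ok` false.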

Types and codes in ICMP

ICMP messages are distinguished by their type and, in some cases, a code to further specify the nature of the message. There are numerous types, each serving a unique purpose. A few common types include:

  • Echo Reply (Type 0): A response to an echo request, commonly used in ping.
  • Destination Unreachable (Type 3): Indicates that the destination is unreachable for some reason. Various codes further specify the reason, such as network unreachable (Code 0), host unreachable (Code 1), or protocol unreachable (Code 2).
  • Redirect (Type 5): Informs the host to send its packets on an alternative route. The accompanying codes provide more details, like redirect for the network (Code 0) or redirect for the host (Code 1).
  • Time Exceeded (Type 11): Generated when a packet takes too long to transit a network or when reassembly time is exceeded.

These are just a few examples, and there are many other types and codes in the ICMP specification that serve various purposes.

Configuring ICMP on routers and firewalls

Configuring ICMP settings on routers and firewalls is essential to either allow ICMP traffic, prioritize it, or block it to enhance security. Here’s a brief guide:

On Routers:

  1. Access the router’s admin panel, usually through a web interface or command line.
  2. Navigate to the advanced settings or firewall settings.
  3. Look for an option related to ICMP or ‘Ping Request’ and either enable or disable it as required.

On Firewalls:

  1. Open the firewall management interface.
  2. Search for a rule or setting related to ICMP traffic.
  3. Modify the rule to allow, block, or prioritize ICMP traffic based on your needs.

It’s crucial to consult the router or firewall’s documentation or seek expert advice, as incorrect configurations might result in network vulnerabilities or communication problems.


ICMP Port?

As we mentioned earlier, the Internet Control Message Protocol is a part of the Internet protocol suite, also known as the TCP/IP protocol suite. That means it relates only to the Internet Layer. Port numbers are only found in the Transport Layer, which is the layer above.

Although the Internet Control Message Protocol does not implement the concept of ports the way TCP and UDP do, it uses types and codes instead. The most commonly used ICMP types are echo request and echo reply (used by Ping) and TTL (time-to-live) exceeded in transit (used by Traceroute).

What is ICMP Ping?

The ICMP echo request and ICMP echo reply messages are also known as ping messages. The ping command is a helpful troubleshooting tool that system administrators use to manually test connectivity between network devices. They also use it to measure network delay and packet loss.

ICMP Ping is especially useful for Ping Monitoring, which works by pinging a specific device at regular intervals. Each check sends an ICMP echo request to a specific server or device on the network, and the device answers with an ICMP echo reply. A reply means the connection is successful and the target server or device is up and running without issues.

A prolonged ping time, which is measured in milliseconds (ms), is a sure sign of network issues.

ICMP vs TCP

The Internet Control Message Protocol, or ICMP, has a completely different function from TCP (Transmission Control Protocol). Unlike TCP, ICMP is not a data-carrying protocol: it is a control protocol and is not designed to handle application data. Instead, it is used for inter-device signaling, carrying everything from redirect instructions to timestamps for synchronization between devices. It is important to remember that ICMP is not a transport protocol that moves application data between devices.

On the other hand, TCP (Transmission Control Protocol) is a transport protocol, which means it is implemented to pass the actual data. It is a very popular protocol, thanks to its reliability. TCP transfers the data packets in a precise order and guarantees their proper delivery and error correction. Therefore, the Transmission Control Protocol finds its place in many operations, including email and file transfers. It is the preferred choice when we want to ensure ordered, error-free data, and speed is not the top priority.

Suggested page: What TCP monitoring is?

ICMP in IPv6 (ICMPv6)

With the growing adoption of IPv6, ICMP has also evolved to cater to the needs of the newer IP protocol. ICMPv6, introduced with RFC 4443, is more than just an adaptation; it incorporates various features and functionalities tailored for IPv6. For instance:

  • Neighbor Discovery Protocol (NDP): ICMPv6 includes NDP, replacing the ARP (Address Resolution Protocol) used in IPv4, facilitating the discovery of neighboring devices.
  • Router Solicitation and Advertisement: ICMPv6 aids in the discovery of routers in a network and can solicit advertisements from them.
  • Enhanced Error Reporting: ICMPv6 offers more detailed feedback, facilitating improved troubleshooting in IPv6 networks.

As the internet continues its transition from IPv4 to IPv6, the importance and relevance of ICMPv6 will only grow, making it vital for network professionals to familiarize themselves with its intricacies.

Suggested article: IPv4 vs IPv6 and where did IPv5 go?

How is ICMP used in DDoS attacks?

DDoS (Distributed Denial-of-Service) attacks are widespread cyber threats. Their main goal is to overwhelm the victim’s device, server, or network so that regular users can no longer reach the victim’s services. There are several ways an attacker can use ICMP to carry out these attacks, including the following:

  • ICMP flood attack

ICMP flood, also commonly called Ping flood, attempts to overwhelm the target device with ICMP echo request packets. The victim then has to process and answer each echo request with an echo reply, which consumes the target’s computing resources and prevents legitimate users from receiving service.


  • Ping of death attack

The Ping of Death attack occurs when a cybercriminal sends a ping larger than the maximum permitted packet size to a victim device. The large packet is fragmented on its way to the victim, but when the device reassembles the fragments, the result exceeds the size limit and causes a buffer overflow, which can crash the device.

The Ping of Death is often considered a historical attack that no longer occurs. That is not completely true: older operating systems and networking equipment can still fall victim to it.

  • Smurf attack

The Smurf attack is another common threat in which the cybercriminal sends ICMP packets with a spoofed source IP address. The network equipment that receives them answers, and all of the replies go to the spoofed address, flooding the target with large amounts of ICMP packets.

Just like the Ping of Death attack, the Smurf attack should not be disregarded. Unfortunately, in many companies and organizations the equipment is somewhat aged, and the threat is real!
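As an added illustration from the defender's side (example code, not part of the original post), the following Python script flags the three patterns described above in a list of ICMP packet records; the IcmpPacket structure, the sample traffic and the thresholds are constructed for the example.

```python
"""Spot ICMP flood, Ping of Death and Smurf patterns in captured packet records.

Added example: the IcmpPacket structure, the SAMPLE traffic and the thresholds
below are constructed for illustration, not taken from a real capture."""
from collections import defaultdict, deque
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPV4_MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram may have
IPV4_HEADER_LEN = 20        # minimal IPv4 header assumed for the size check


@dataclass(frozen=True)
class IcmpPacket:
    ts: float             # capture time in seconds
    src: str              # source IPv4 address
    dst: str              # destination IPv4 address
    icmp_type: int        # ICMP type field
    frag_offset: int = 0  # byte offset of this fragment's data (0 if unfragmented)
    data_len: int = 64    # bytes of data carried by this fragment


def detect_icmp_flood(packets, max_requests, window=1.0):
    """Return destinations that received more than `max_requests` echo requests
    inside any sliding window of `window` seconds (the Ping flood pattern)."""
    recent = defaultdict(deque)   # dst -> timestamps of recent echo requests
    flooded = set()
    for p in sorted(packets, key=lambda p: p.ts):
        if p.icmp_type != ICMP_ECHO_REQUEST:
            continue
        q = recent[p.dst]
        q.append(p.ts)
        while q and p.ts - q[0] > window:   # forget requests outside the window
            q.popleft()
        if len(q) > max_requests:
            flooded.add(p.dst)
    return flooded


def detect_ping_of_death(packets):
    """Return (src, dst) pairs sending a fragment that would make the reassembled
    datagram larger than IPv4 allows.  A receiver that applies this check can
    discard the fragment instead of overflowing its reassembly buffer."""
    oversized = set()
    for p in packets:
        if IPV4_HEADER_LEN + p.frag_offset + p.data_len > IPV4_MAX_DATAGRAM:
            oversized.add((p.src, p.dst))
    return oversized


def detect_smurf(packets, min_sources):
    """Return hosts receiving echo replies from at least `min_sources` distinct
    addresses they never sent an echo request to: the reflected traffic a Smurf
    attack produces when the victim's address is used as the spoofed source."""
    requested = set()                # (requester, target) pairs seen so far
    unsolicited = defaultdict(set)   # host -> sources of unrequested replies
    for p in sorted(packets, key=lambda p: p.ts):
        if p.icmp_type == ICMP_ECHO_REQUEST:
            requested.add((p.src, p.dst))
        elif p.icmp_type == ICMP_ECHO_REPLY and (p.dst, p.src) not in requested:
            unsolicited[p.dst].add(p.src)
    return {host for host, srcs in unsolicited.items() if len(srcs) >= min_sources}


# Constructed sample traffic: three ordinary pings, a burst of 50 requests at one
# host, one fragment that would overflow the datagram size limit, and five
# reflected replies reaching a host that never pinged anyone.
SAMPLE = (
    [IcmpPacket(float(i), "198.51.100.5", "203.0.113.9", ICMP_ECHO_REQUEST) for i in range(3)]
    + [IcmpPacket(10.0 + i * 0.01, f"198.51.100.{10 + i % 7}", "203.0.113.20", ICMP_ECHO_REQUEST)
       for i in range(50)]
    + [IcmpPacket(20.0, "198.51.100.66", "203.0.113.30", ICMP_ECHO_REQUEST,
                  frag_offset=65120, data_len=500)]
    + [IcmpPacket(30.0 + i * 0.001, f"192.0.2.{100 + i}", "203.0.113.40", ICMP_ECHO_REPLY)
       for i in range(5)]
)


def analyse(packets=SAMPLE, max_requests=20, min_sources=3):
    """Run all three detectors and return their findings in one dictionary."""
    return {
        "icmp_flood": detect_icmp_flood(packets, max_requests),
        "ping_of_death": detect_ping_of_death(packets),
        "smurf": detect_smurf(packets, min_sources),
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(f"{name}: {sorted(hits) if hits else 'nothing suspicious'}")
```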

Conclusion

The ICMP (Internet Control Message Protocol) is an incredible network layer protocol that allows devices to report errors and improve their communication. Moreover, it is a great tool for network diagnosis. It is not a surprise that a lot of administrators use it daily, through the popular utilities Ping and Traceroute, to better understand their network. Even more beneficial is Ping monitoring, which performs regular checks. Lastly, keep a close watch on your network so that it stays protected from DDoS attacks that use the protocol for malicious purposes.

DNS best practices
https://www.cloudns.net/blog/dns-best-practices/ (Tue, 14 May 2024 21:50:00 +0000)

You cannot imagine the internet without DNS. There is almost no service that doesn’t depend on DNS technology: e-mail, VoIP, web services, all kinds of CRM and ERP systems and much more. DNS is so important that we must take care of our network and make it as secure as possible.

Here we will show you some good practices to manage your DNS. Prevention is the best defense. Pay attention to these pieces of advice and take action.

Hide the master DNS

Configure the master DNS server as a hidden primary. That way it will not be listed in the zone’s name server records, it will not be visible, and it will not respond to any queries. Its only purpose will be to provide zone transfers to the secondary name servers, which will be the public ones, while staying safely hidden.

Secured Access

Secure the connection between the master DNS server and the secondary name servers. Use ACLs (access control lists) and TSIGs (transaction signatures). That way your secondary servers cannot be fooled by a forged transfer, and your zone data will not be corrupted.

Disable recursion

Disable recursion on the external (authoritative) servers to reduce the risk of them being used in DNS attacks such as DNS amplification.

Add rate limits

Even if you disabled recursion on your authoritative DNS servers, they could still be used in DNS amplification attacks with your domain names. To limit what attackers can do, add rate limits. If you are using BIND, here is an example configuration you can add to the options clause to limit responses to an average of 2 per second for each IPv4 class C (/24) network:

rate-limit {
    responses-per-second 2;
    ipv4-prefix-length 24;
    slip 1;
};
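To make the meaning of those three values concrete, here is an added Python model (not BIND's code, and a simplification of it: BIND also keys its buckets on the response, not only on the client prefix) of a per-/24 token bucket with responses-per-second 2 and slip 1; the client addresses and event times are constructed.

```python
"""Simplified model of DNS response rate limiting with the values configured
above: 2 responses per second per IPv4 /24, slip 1.

Added example: it illustrates the idea behind BIND's rate-limit clause and is
not BIND's implementation (BIND also keys its buckets on the response itself).
The client addresses and event times are constructed."""
import ipaddress


class ResponseRateLimiter:
    """One token bucket per client prefix: the bucket earns `responses_per_second`
    credits each second and can bank at most `window` seconds' worth of them."""

    def __init__(self, responses_per_second=2, ipv4_prefix_length=24, slip=1, window=1.0):
        self.rate = responses_per_second
        self.prefix_len = ipv4_prefix_length
        self.slip = slip
        self.burst = responses_per_second * window
        self.buckets = {}   # network -> [credits, last_update_time, limited_count]

    def _bucket_key(self, client_ip):
        # ipv4-prefix-length 24: every client in the same /24 shares one bucket,
        # so spoofed addresses spread across a /24 do not each get a fresh quota.
        return ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)

    def decide(self, client_ip, now):
        """Return 'send', 'slip' (answer truncated so a genuine client retries over
        TCP, while a spoofed victim receives only a tiny packet) or 'drop'."""
        key = self._bucket_key(client_ip)
        credits, last, limited = self.buckets.get(key, (self.burst, now, 0))
        credits = min(self.burst, credits + self.rate * (now - last))
        if credits >= 1:
            self.buckets[key] = [credits - 1, now, limited]
            return "send"
        limited += 1
        self.buckets[key] = [credits, now, limited]
        # slip N: every Nth rate-limited response is sent truncated instead of
        # dropped; slip 1 truncates all of them, slip 0 drops all of them.
        if self.slip and limited % self.slip == 0:
            return "slip"
        return "drop"


def simulate(events, **config):
    """Feed (client_ip, time) response events through one limiter, in order."""
    limiter = ResponseRateLimiter(**config)
    return [limiter.decide(ip, t) for ip, t in events]


# Constructed events: two clients in 192.0.2.0/24 share a bucket, a client in
# another /24 is unaffected, and the bucket refills after one second.
EVENTS = [
    ("192.0.2.10", 0.00), ("192.0.2.77", 0.00), ("192.0.2.10", 0.00),
    ("192.0.2.10", 0.25), ("198.51.100.3", 0.25), ("192.0.2.10", 1.00),
]

if __name__ == "__main__":
    for (ip, t), verdict in zip(EVENTS, simulate(EVENTS)):
        print(f"t={t:.2f}s {ip:>14} -> {verdict}")
```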

Don’t show all information

The version of your DNS software is information for you alone. Don’t make it public: if attackers know it, they can look up the particular vulnerabilities that version may have and use them against you. For example, if you are using BIND, you can set the version string in the options clause like this:

version "unknown";

Place content (web) servers where your customers are

Be smart and think about your users. Place name servers where your clients need them the most. It will reduce the latency and improve the experience for your users. It will also minimize the load on your other servers, give you extra protection, and it will reduce the chance of failure. If you have multiple target markets in different locations (for example EU and the US), you can use GeoDNS service to direct the customers to the right servers which are closer to them.

Anycast DNS

Use Anycast DNS for your business. It will make the experience for your users faster and better. It dramatically reduces the time to load the first page of your website, which helps your SEO significantly. It also makes your DNS more resilient, so downtime is less likely, and better protected from DDoS attacks thanks to the different points of presence.

Use DNSSEC

Domain Name System Security Extensions (DNSSEC) provide an additional layer of security on top of your DNS. This DNS best practice prevents a certain kind of attack where the attacker intercepts and potentially alters the DNS queries and responses. DNSSEC ensures that the users are communicating with the intended website or service, and not a malicious version of it. However, it’s important to note that DNSSEC can be complex to implement and manage and should be thoroughly tested before deployment.

Monitor DNS traffic

Keep an eye on your DNS traffic. Unusual patterns or a sudden increase in DNS queries could signal a security breach or a DDoS attack. By leveraging monitoring services and implementing alert systems, organizations can quickly identify and mitigate any unusual DNS activity, minimizing the impact of potential threats.

Control the traffic with DNS filtering

An excellent defence against viruses, spyware, and other malicious traffic is to block it before it can infiltrate your network. That’s where DNS filtering comes in. This technique controls and restricts access to specific websites or content based on DNS queries. By implementing it, organizations can proactively prevent access to malicious or inappropriate websites, reducing the risk of malware infections, data breaches, and other cyber threats.

Keep log files

Maintaining logs of DNS server activity is another crucial DNS practice for security incident response and forensic analysis. These logs provide valuable information about DNS queries and responses, allowing organizations to identify and investigate security incidents. By analyzing the logs, organizations can understand the nature of the incident, track the source of the attack, and take appropriate measures to mitigate the impact. Additionally, DNS logs help meet compliance requirements, facilitate audits, and optimize network performance.

Use Geographical DNS for Load Balancing

Implement Geographical DNS (GeoDNS) to optimize the distribution of user traffic based on geographic locations. By directing users to the nearest or least loaded server, GeoDNS reduces latency and enhances the user experience. This approach not only improves response times but also helps in managing traffic loads more efficiently across distributed networks. Additionally, GeoDNS can be configured for failover mechanisms, rerouting traffic seamlessly in case of server downtime, thereby increasing the reliability of services.

Regularly audit your DNS configuration

Regularly reviewing and auditing your DNS configuration can help you identify and fix any misconfigurations or security vulnerabilities. The audit should cover all aspects of the DNS setup, including checking for unnecessary open zones, ensuring correct IP address mapping, and validating DNS record settings.


Conclusion

These are some of the most recommended DNS practices. While there will be new threats, many of the DNS attacks happening these days can be evaded. No matter if your network is small or large, try to keep it safe and protected by following our recommendations. Restrict access to some parts of the network, and remember that a well-designed infrastructure is vital to your digital presence.

What is Anycast DNS and how does it work?
https://www.cloudns.net/blog/what-is-anycast/ (Thu, 09 May 2024 08:35:38 +0000)

Are you tired of slow website load times and unreliable DNS resolution? Then, Anycast DNS may be the solution you’ve been looking for. By using a network of geographically distributed servers, this technique can improve website performance and increase reliability. But how does it work? And what are the benefits for website owners and users? In this blog post, we’ll dive into and explain what it is and explore its advantages. So get ready to learn how Anycast DNS can transform your website’s performance.

What is Anycast DNS?

Anycast DNS is a network addressing and routing technique in which a single IP address is assigned to multiple servers distributed in different geographical locations. It is a method used to improve the performance and reliability of DNS (Domain Name System).

With Anycast DNS, when a user requests a website, the DNS query is directed to the nearest available server based on network topology, latency, and other factors. As a result, Anycast DNS provides redundancy, load balancing, and high availability.


Unicast vs Anycast DNS Routing

When discussing DNS routing methods, it’s essential to compare Anycast DNS with the traditional Unicast DNS to understand their differences and advantages fully.

Unicast DNS is known as the more traditional form of DNS routing, where each DNS server has a unique IP address. When a DNS query is made, it is routed to a specific server, which has been assigned to handle DNS requests. While Unicast DNS is simple and effective for many applications, it has limitations in scalability, speed, and redundancy. The DNS response time can vary significantly depending on the user’s distance from the server, which can also become a single point of failure if the server goes down.

Anycast DNS uses a single IP address across multiple servers distributed globally. This setup allows a DNS query to be routed to the nearest server in terms of network latency, making it significantly faster and more reliable than Unicast DNS. Anycast DNS provides redundancy and load balancing because if one server fails, the DNS query will automatically reroute to the next closest server. It is especially beneficial for handling large volumes of traffic and defending against DDoS attacks, as the traffic is distributed among multiple nodes rather than directed at a single server.

How does Anycast DNS work?

Anycast DNS uses a group of servers that share the same IP address rather than a single DNS server to which all DNS queries go. This results in faster response times and increased reliability, as requests are automatically directed to the closest server.

Here are the simple steps involved in how Anycast DNS works:

  1. Multiple DNS servers are set up across different geographic locations, each having the same IP address.
  2. When a user makes a DNS query for a domain name, the query is sent to the nearest DNS server.
  3. The DNS server receiving the query then responds with the IP address of the requested domain name.
  4. The user’s device then uses this IP address to establish a connection with the server hosting the domain.
  5. If the nearest DNS server is unavailable for any reason, the query is automatically redirected to the next nearest available DNS server.

Advantages

Anycast DNS is a highly beneficial solution that offers numerous advantages, including the following:

  • Anycast is easy to configure. You have just one IP that is assigned to every server, no matter where they are in the world. In more traditional DNS solutions, you would have to configure for every location separately.
  • High availability. As we said before, routing will direct the user to the closest server, but if that server is down, the request simply goes to one of the others. They all hold a mirror image of the same DNS records, so if one is down, the next closest one takes the load. The users won’t even notice it.
  • Scaling. Anycast DNS is very easy to scale. Imagine you are getting too much load on a particular server, what do you do? You just deploy one more server in the area where you need it. It is easy to set up, and you can do it very quickly. This is one of the common ways we expand our Anycast network.
  • Enhanced security. Anycast DNS can help mitigate Distributed Denial of Service (DDoS) attacks by distributing the traffic across multiple servers, making it harder to overwhelm a single server.
  • Load balancing. Anycast DNS distributes requests evenly among servers, preventing overload and ensuring load balancing and optimal use of resources.

Anycast DNS network by ClouDNS

You can take advantage of the Anycast technology with each of our Premium DNS and DDoS protected DNS plans. You will have access to 50+ Points of Presence (PoPs) around the world, each with real hardware devices. These points are distributed to provide fast connectivity to everybody. The network also serves as a load balancer that reduces the stress on any single server. With the DDoS protected DNS plans, you can withstand a strong attack by distributing the traffic.

With ClouDNS, you get route monitoring at each PoP. It analyzes the routes and provides the optimal path. Such a system lowers downtime dramatically: if one server is down, the request goes to another server without extra complications. ClouDNS provides the highest SLA for each location.

We also provide 24/7 Live Chat support. Our technical team is here to help you if you have any questions regarding our services.

To take advantage of our Premium Anycast DNS service, just go to our page and choose the best plan for you. Our Anycast network consists of 50+ Data Centers on six continents, and we also offer Anycast DDoS protected DNS servers and Anycast GeoDNS servers.

Think about your needs, and if you are not sure what to choose, you can always contact our customer service for help.


Conclusion

In conclusion, Anycast DNS is a powerful technology that can help improve website performance, availability, and security. Operating with a network of servers spread across multiple locations allows users to connect to the server closest to them, reducing latency and improving website response times. Additionally, it can help protect against DDoS attacks by spreading the traffic. Whether you’re running a small website or a large-scale application, Anycast DNS can help ensure that your users have a fast, reliable, and secure experience. It is definitely worth considering as a valuable addition to your infrastructure.

UDP (User Datagram Protocol) explained in details
https://www.cloudns.net/blog/udp-user-datagram-protocol-explained-in-details/ (Tue, 26 Mar 2024 11:34:14 +0000)

UDP (User Datagram Protocol) is one of the well-known protocols in network communications. Thanks to it, we are able to watch video streaming platforms, communicate with video calls, and play numerous games. Let’s dive deep and explain a little bit more about it!

What is User Datagram Protocol?

The acronym UDP stands for User Datagram Protocol, a communication protocol used across the Internet. It provides low-latency, loss-tolerating connections between applications.

UDP offers fast communication because it allows data to be sent before the receiving party has agreed to the exchange. That makes UDP valuable for time-sensitive communications that require speed, for example Voice over IP (VoIP), Domain Name System (DNS) lookups, and video or audio playback.

Yet this protocol is prone to losing packets on their way from the source to the destination. That can make data transfer difficult, and it also makes it easy for cybercriminals to carry out a Distributed Denial-of-Service (DDoS) attack.

History of UDP

User Datagram Protocol (UDP) emerged in the 1980s as part of the TCP/IP suite. It was initially developed for the ARPANET project, also known as the precursor to today’s internet. Created by David P. Reed and others, UDP was designed for simplicity and efficiency in transmitting datagrams, making it ideal for applications where speed and low overhead are priorities.

Unlike TCP, UDP does not guarantee delivery or order of packets, nor does it manage connections. This lack of reliability allows UDP to be lightweight, making it suitable for real-time applications like video streaming, online gaming, and voice-over IP (VoIP).

User Datagram Protocol gained fame due to its use in early internet protocols and applications, including DNS (Domain Name System) and DHCP (Dynamic Host Configuration Protocol). Nowadays, it continues to be widely used in various networked applications where low latency and reduced overhead are critical.

Despite its simplicity, UDP’s lack of error correction and flow control means it’s vulnerable to packet loss and out-of-order delivery. However, its efficiency and speed make it necessary in many networking scenarios, complementing TCP’s reliability with a lightweight alternative for specific use cases.

How does it work?

UDP (User Datagram Protocol) works in a simple way: it transfers data between two devices in a network by sending packets (datagrams) straight to the target device without setting up a connection, specifying the order of the packets, or checking whether they were delivered as intended.

Compared to TCP (Transmission Control Protocol), UDP is faster but less reliable.

TCP communication starts with a process known as a “handshake,” which establishes the connection. Only when it is completed can the transfer of data packets begin.

UDP, on the other hand, has no such handshake: one device simply starts sending information to the receiving one. In addition, UDP communication carries no details about the order of the data and no confirmation of its arrival, which is exactly the opposite of TCP.

Because of these characteristics, UDP can transfer data packets a lot faster than TCP.

The downside of UDP is that packets lost in transit are not resent, as they would be in a TCP connection. Therefore, applications that use UDP must be able to tolerate losses, duplicates, or errors.


UDP header

UDP (User Datagram Protocol) operates with headers. It uses them for packaging the message data to be sent over the network. Each UDP header includes several parameters, also known as fields, which are determined by the technical specifications of the protocol.

The UDP (User Datagram Protocol) header contains four main fields. Each of them is 2 bytes. The UDP header has the following fields:

  • Source port – A 16-bit field that specifies the port of the sending process. If the target device does not need to reply to the sender, this field may be set to zero.
  • Destination port – A 16-bit field that identifies the application-level service on the target device, meaning the port of the device receiving the data. It can be between 0 and 65,535.
  • Length – The total number of bytes in the datagram, including the UDP header and the data being transferred. The upper limit of the length field is determined by the underlying IP protocol used to send the data.
  • Checksum – A 16-bit field that lets the receiving device confirm the integrity of the packet header and payload. It is optional: if the application does not want a checksum, all 16 bits are zero. In UDP, the checksum covers both the header and the data, whereas in IP the checksum covers only the header. The UDP checksum is optional in IPv4, but it is required in IPv6.
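To see those four fields in practice, here is an added Python example (not code from the original post) that builds, parses and verifies a UDP header over an IPv4 pseudo-header, including the rule that an all-zero checksum means "no checksum"; the addresses, ports and payload are constructed.

```python
"""Build, parse and verify the 8-byte UDP header described above.

Added example, not code from the original post.  The addresses, ports and
payload are constructed; the checksum follows RFC 768 / RFC 1071 over the
IPv4 pseudo-header, header and data."""
import ipaddress
import struct

UDP_PROTOCOL = 17
HEADER_FORMAT = "!HHHH"   # source port, destination port, length, checksum
HEADER_LEN = 8


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented, as a 16-bit value."""
    if len(data) % 2:
        data += b"\x00"   # pad a trailing odd byte with zero, as the RFC requires
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:    # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """The IPv4 pseudo-header that the UDP checksum also covers."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def build_udp(src_ip, dst_ip, src_port, dst_port, payload, with_checksum=True):
    """Return a UDP segment; with_checksum=False leaves the field at zero (IPv4 only)."""
    length = HEADER_LEN + len(payload)
    header = struct.pack(HEADER_FORMAT, src_port, dst_port, length, 0)
    if not with_checksum:
        return header + payload
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF   # a computed zero is sent as all ones, so zero keeps meaning "no checksum"
    return struct.pack(HEADER_FORMAT, src_port, dst_port, length, csum) + payload


def parse_udp(segment: bytes) -> dict:
    """Decode the four header fields; reject a length field that contradicts the bytes."""
    if len(segment) < HEADER_LEN:
        raise ValueError("segment shorter than the 8-byte UDP header")
    src_port, dst_port, length, checksum = struct.unpack(HEADER_FORMAT, segment[:HEADER_LEN])
    if length < HEADER_LEN or length != len(segment):
        raise ValueError(f"length field {length} does not match {len(segment)} bytes received")
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum": checksum, "payload": segment[HEADER_LEN:]}


def verify_udp_checksum(src_ip, dst_ip, segment, checksum_required=False):
    """True when the checksum validates, or when it is absent and that is allowed.

    checksum_required=True models the IPv6 rule that a zero checksum is invalid."""
    fields = parse_udp(segment)
    if fields["checksum"] == 0:
        return not checksum_required
    # Summing the received segment (checksum included) with the pseudo-header
    # must give all ones, i.e. a complemented result of zero.
    return internet_checksum(pseudo_header(src_ip, dst_ip, fields["length"]) + segment) == 0


if __name__ == "__main__":
    seg = build_udp("192.0.2.1", "192.0.2.53", 40000, 53, b"constructed query")
    print(parse_udp(seg))
    print("valid:", verify_udp_checksum("192.0.2.1", "192.0.2.53", seg))
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])
    print("tampered valid:", verify_udp_checksum("192.0.2.1", "192.0.2.53", tampered))
```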

Applications relying on UDP

Gaming, voice, and video

The User Datagram Protocol is a great choice for network applications that require minimum latency, such as gaming, voice, and video communications. Services like these will not lose much quality if some of the data packets are lost during the transfer. Despite the lost packets, applications can still implement their own error-correction techniques to improve the audio and video quality.

Domain Name System Lookups

DNS queries are small and simple requests that receive basic and straightforward answers. A device sends a DNS query to the DNS servers to receive essential information about a domain, like its IP address (IPv4 or IPv6), and the process is on hold until the query receives its reply. Because TCP uses a three-way handshake before any data can be exchanged, a TCP-based lookup would be answered more slowly, which would hurt performance. For that reason, DNS queries rely on UDP for quick answers.


Multicasting

UDP (User Datagram Protocol) is also used for multicasting, which it supports thanks to its packet-switching nature. Moreover, this network protocol is also used by some routing update protocols, for instance the Routing Information Protocol (RIP).

UDP vs. TCP – what are the differences?

Let’s look at the main differences between these two protocols:

  • Type of protocol

Both TCP and UDP are transport layer protocols. However, there is one fundamental difference between them: TCP is a connection-oriented protocol, while UDP is a connectionless protocol. Put simply, TCP needs to establish a connection before communication starts, while UDP does not need to ensure that the two devices have a connection.

  • Reliability

TCP is considered a reliable protocol based on the fact it ensures the delivery of the data packets. It involves an acknowledgment mechanism, in which the sender gets the acknowledgment from the receiver and examines if it is positive or negative. In case it is positive, the data has been delivered successfully. If it is negative, TCP is going to resend the data.

UDP is considered an unreliable protocol based on the fact it does not provide any guarantee that the delivery of the data has been successful.

  • Flow Control

TCP includes a flow control mechanism. It makes sure that an excessive number of packets is not sent to the target device at once. UDP, on the other hand, does not implement any flow control mechanism.

  • Ordering

TCP uses ordering and sequencing techniques. That way, it guarantees that the data packets are delivered in exactly the order in which they were sent. UDP, on the other hand, has no ordering or sequencing, which means the data can arrive in any order.

  • Speed

As we mentioned, the first step for TCP is to build the connection between the two devices. Additionally, it completes a check for errors and makes sure that the transmission of the data packets is successful. On the other hand, UDP does not build a connection or ensure the transmission. For that reason, UDP is way faster than TCP.

  • Flow of data

TCP offers a full-duplex service, which means information can flow in both directions. UDP, on the other hand, is better suited to a unidirectional flow of data.

Is UDP secure?

UDP (User Datagram Protocol) serves a great purpose for applications that tolerate packet loss, and that in itself is not an issue. However, the fact that UDP is a connectionless protocol with no “handshake” procedure gives cybercriminals an opportunity: they can flood their victim with UDP traffic without needing to establish a connection or receive any permission before initiating such a DDoS attack.

Usually, a UDP flood attack involves sending a massive amount of UDP datagrams to different ports on the victim’s device. That forces the victim to answer with the same amount of ICMP packets indicating that these ports are unreachable. As a result, the victim’s resources are exhausted, and the DDoS attack succeeds.


Thankfully, there are different ways to protect your device, network, or server from such malicious attempts.

  • You can limit the response rate of ICMP packets. However, you should know that this could filter out legitimate packets too.

Suggested page: Explanation of ICMP Ping traffic monitoring

  • A robust network of many servers (such as Anycast DNS) is a great way to prevent a single server from being drowned with malicious requests.
  • Especially for your DNS network, it is a great approach to implement DDoS protection.

Advantages and Disadvantages of UDP

By understanding the main advantages and disadvantages of User Datagram Protocol, you can determine if it is the right protocol for your application. So, let’s take a closer look at what this interesting protocol can offer. 

Advantages of UDP

The User Datagram Protocol provides several benefits, which are the following:

  • Fast: It does not require the establishment of a connection before transmitting data, which makes it faster than TCP.
    Suggested page: Explanation of TCP monitoring
  • More efficient: UDP is a lightweight protocol that requires less overhead than TCP.
  • Suitable for real-time applications: User Datagram Protocol is ideal for real-time applications, such as online gaming, video conferencing, and live streaming, where speed is more important than reliability.

Disadvantages of UDP

The main drawbacks of the User Datagram Protocol include the following:

  • No reliability: It does not guarantee the delivery of packets or guarantee that packets will arrive in order.
  • No congestion control: UDP does not have congestion control mechanisms, which means that it can flood a network with packets if not used carefully.
  • Limited use cases: User Datagram Protocol is not suitable for applications that require reliable data transmissions, such as file transfers, email, or web browsing.

Suggested article: Secure File Transfer Protocol (SFTP) Explained

UDP monitoring from ClouDNS – What is it and how to use it?

UDP monitoring is a type of network monitoring that involves probing a selected UDP port number on a given IP address to check the availability of a service or application. If the monitoring system is unable to reach the selected port, it marks the check as DOWN, indicating that the service is unavailable or experiencing issues. UDP monitoring is extremely helpful for identifying potential network problems or service disruptions before they affect end users. In addition, it allows network administrators to quickly diagnose and resolve issues, ensuring that critical services are available and performing optimally.
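The check described above, written out as an added example (this is not the ClouDNS monitoring code; it is an illustration that assumes only the Python standard library and a Linux host). It ties together the two mechanisms this article mentions: a reply from the port means the service is up, while an ICMP "port unreachable" from the host, the same packet a flooded victim emits, is surfaced by Linux as a ConnectionRefusedError on a connected UDP socket and means the port is closed. Silence is a third outcome that a monitor must not mistake for "up", because UDP has no handshake, so a dropped probe and a silent service look identical. The echo responder at the bottom is a constructed stand-in for a monitored service so the example runs offline.

```python
import socket
import threading


def udp_check(host, port, payload=b"\x00", timeout=2.0):
    """Probe one UDP port and classify the outcome.

    Returns "UP" when the service sends any datagram back, "DOWN" when the
    host answers with ICMP port unreachable (Linux reports it on a connected
    UDP socket as ConnectionRefusedError) and "NO_RESPONSE" when nothing
    comes back before the timeout.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # connect() on a UDP socket transmits nothing; it only fixes the peer
        # address so the kernel can route ICMP errors for that peer back here.
        sock.connect((host, port))
        try:
            sock.send(payload)
            sock.recv(2048)
        except ConnectionRefusedError:
            return "DOWN"
        except socket.timeout:
            return "NO_RESPONSE"
    return "UP"


def is_available(host, port, payload=b"\x00", timeout=2.0):
    """Monitoring verdict: only an actual reply counts as available."""
    return udp_check(host, port, payload, timeout) == "UP"


def start_echo_service(host="127.0.0.1"):
    """Constructed fixture: a local UDP echo responder standing in for a
    monitored service. Returns the OS-assigned port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    port = srv.getsockname()[1]

    def serve():
        with srv:
            while True:
                data, peer = srv.recvfrom(2048)
                srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_udp_port(host="127.0.0.1"):
    """Pick a port nothing listens on, to exercise the DOWN / NO_RESPONSE path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    live = start_echo_service()
    print("echo service on port", live, "->", udp_check("127.0.0.1", live, b"ping"))
    dead = free_udp_port()
    print("closed port", dead, "->", udp_check("127.0.0.1", dead, b"ping"))
```

For a real service the payload should be a valid request for that protocol (a DNS query for port 53, for example), since many UDP services ignore malformed datagrams and would otherwise show up as NO_RESPONSE.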

Conclusion

For sure, the development of UDP (User Datagram Protocol) was revolutionary. It allows fast delivery, which is highly valuable for a number of applications. Despite its downsides, UDP has found its purpose in many services, mainly DNS, video streaming, and gaming.

The post UDP (User Datagram Protocol) explained in details appeared first on ClouDNS Blog.

How to resell DNS services? Add DNS to your product portfolio.
https://www.cloudns.net/blog/resell-dns-services/ Mon, 09 Apr 2018 16:05:21 +0000

Did you know that you can be an official reseller of our services? Yes, ClouDNS allows you to resell DNS services to others and earn money. By doing so, you can help many people enjoy our competitive prices and excellent service.

Who can join this reselling program?

Many can benefit from it, but mostly it can add extra value to your hosting or domain business. You can seamlessly integrate our DNS services into your product portfolio and resell DNS. Thanks to the API that we provide, every business function is easily accessible and fully flexible.

Services you can resell:

Through our platform, you can resell three types of services: Premium DNS, DDoS Protected DNS and GeoDNS and the different monthly subscriptions that we have.
Premium DNS with unlimited DNS records and DNS queries per month, 8 DNS servers around the world, 50+ Anycast locations, up to 400 DNS zones and up to 1,000 mail forwards
https://www.cloudns.net/premium/

DDoS Protected DNS with unlimited DNS records and DNS queries per month, 4 DDoS Protected DNS servers around the world, 50+ Anycast locations, up to 400 DNS zones and up to 1,000 mail forwards and 10 000% Uptime Guarantee.
https://www.cloudns.net/ddos-protected-plans/

GeoDNS with up to 10 DNS zones, up to 10 000 Records and 1 000 000 000 DNS queries per month
You can check the full descriptions of the services here
https://www.cloudns.net/geodns/

Easy to Integrate

resell DNS API integration

Another advantage is the secure connection over HTTPS. It is the secure version of the HTTP protocol that sends data between the browser and the website. The data will be private and encrypted.

HTTP vs HTTPS

Our interface lets you use all the management and selling functionalities in a very intuitive way. Every menu will be where you think it will be.
In case of a problem, you can contact our dedicated team of API specialists, who will help you find the solution in no time.
As for the selling functionalities, we provide support via our ticket system, which will ease your management.

Completely Platform Independent

Resell DNS on any platform

Resell DNS no matter what platform you use. This means that you can use it under whatever operating system you have – Windows, OSX, Linux, ChromeOS or another. The browser is also not an issue; we work with a standards-compliant HTTP API. And to be truly platform independent, you can program in any programming language that you like.

Secure and Scalable

Secure DNS
We have taken different measures to protect our system and to provide a safe experience to all of you, our customers. In addition to the HTTPS protocol that we use, we protect against API abuse and DDoS attacks; we have an advanced monitoring system that checks for threats, and as an extra level of protection, access is restricted to whitelisted IPs. Only the approved IPs have access.

Suggested page: Explanation of Web (HTTP/HTTPS) monitoring

For your convenience, you can use our WHMCS module https://www.cloudns.net/whmcs-module/.
Module for reselling WHMCS
Through it, you easily offer ClouDNS services to your clients. It supports versions 5, 6 and 7. The module is open source, and it is entirely free and customizable.

ClouDNS makes it easy for you and provides you a control panel for all your needs. You can manage and check all of your activities on it. https://panel.cloudns.net

How to start our DNS resell Program?

You are already thinking of how to add ClouDNS services to your portfolio and increase the value for your clients. Luckily, it is effortless to start our reselling program.
Just click this link https://www.cloudns.net/resellers-api/, fill in your data, choose the service you would like to resell and wait until our team gets back to you.
Your request will be quickly reviewed, and you will start benefiting from the reselling program in no time.

The post How to resell DNS services? Add DNS to your product portfolio. appeared first on ClouDNS Blog.

A case study of the top 50 e-commerce sites and their DNS
https://www.cloudns.net/blog/case-study-50-top-e-commerce-sites-dns/ Fri, 29 Dec 2017 15:45:06 +0000

This recent Black Friday, we again saw news of record-breaking revenues and profits. Over the past few years, the web has gotten faster; according to Google, 53% of users will abandon a site if it doesn’t load within three seconds. From this, you can guess that for a shopping site, the speed of the website reflects its revenue. So, we want to see whether e-commerce sites got faster as well.

DDoS attacks are also increasing. According to Kaspersky Lab, 33% of organizations experienced a DDoS attack in 2017, compared to 17% in 2016. So we also want to know if the top shopping websites are well prepared for future attacks.

In this article, we will check all of the top 50 e-commerce websites with our DNS tool. We will see if their speed and DDoS protection are fine or whether they need to improve. Based on our research, we will make recommendations on how these websites can improve.

DNS Tool

For this research, we will be using our DNS lookup tool.

It shows how fast the servers are responding from six different international locations – 1. Roubaix, France, 2. Atlanta, USA, 3. Sao Paulo, Brazil, 4. Sydney, Australia, 5. Johannesburg, South Africa and 6. Singapore.

It is a small and very helpful tool that you can use to diagnose your DNS. It is easy to use, and it lets you download a PDF report of your findings.

What are we checking?

Name servers

We are checking how many name servers are listed on the parent server. It is recommended to have more than two; three is OK, four is better. This adds resilience to your DNS network and results in better uptime: if one or two are down for maintenance, the rest will still satisfy the needs of your customers. Another benefit is increased security. More servers can absorb more traffic, and this way they resist DDoS attacks better.

NS records

NS records delegate a sub-domain to the name servers you have. They should be synchronized.

SOA record

Another record that needs to show the same result on all of the name servers. It shows the start of authority, so it must indicate the same master name server, serial number and a few more characteristics.

A record distribution

The A records returned, by test location, for the domain and for the www.domain (the same name with the www prefix).

Speed

And finally, one of the most important factors for an e-commerce website: the speed. As said above, a slow site can push visitors away and lose a lot of sales.
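The name server, NS record, SOA record and speed checks above can be reproduced with a few dozen lines of code. The following is an added example, not the ClouDNS DNS lookup tool, and it assumes only the Python standard library: it builds a raw DNS query, times the UDP exchange against one name server, parses NS and SOA records out of the reply (including compressed names), and then reports whether every server of a zone returns the same NS set and the same SOA serial. The reply packet used for the demonstration is constructed by hand and labelled as such, so the example runs without network access; query_server is what you would point at the real name servers listed at the parent.

```python
import socket
import struct
import time

TYPE_NS, TYPE_SOA = 2, 6


def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query with RD=0, so an authoritative server answers from its own zone data."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed domain name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, records): NS and SOA records from the answer and authority sections."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an + ns):
        name, off = _read_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_NS:
            target, _ = _read_name(msg, off)
            records.append((name, "NS", target))
        elif rtype == TYPE_SOA:
            mname, o = _read_name(msg, off)
            rname, o = _read_name(msg, o)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[o:o + 20])
            records.append((name, "SOA", {"mname": mname, "rname": rname, "serial": serial,
                                          "refresh": refresh, "retry": retry,
                                          "expire": expire, "minimum": minimum}))
        off += rdlen  # skip the rdata whether or not we parsed it
    return flags & 0x000F, records


def query_server(server_ip, name, qtype, timeout=3.0):
    """Send one query over UDP/53; return (elapsed_ms, rcode, records) or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        started = time.perf_counter()
        sock.sendto(build_query(name, qtype), (server_ip, 53))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return None
        elapsed_ms = (time.perf_counter() - started) * 1000
    rcode, records = parse_response(reply)
    return elapsed_ms, rcode, records


def check_consistency(per_server):
    """per_server maps a name server to its parsed records; flags NS-set or SOA-serial disagreement."""
    ns_sets = {s: frozenset(r[2] for r in recs if r[1] == "NS") for s, recs in per_server.items()}
    serials = {s: next((r[2]["serial"] for r in recs if r[1] == "SOA"), None)
               for s, recs in per_server.items()}
    return {
        "ns_consistent": len(set(ns_sets.values())) == 1,
        "soa_consistent": None not in serials.values() and len(set(serials.values())) == 1,
        "serials": serials,
    }


def build_sample_response(serial=2024110601):
    """Constructed sample reply (not captured from any real server): SOA for example.com in the
    answer section, two NS records in the authority section, owner names compressed."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 2, 0)  # QR + AA set, NOERROR
    question = b"\x07example\x03com\x00" + struct.pack("!HH", TYPE_SOA, 1)  # name sits at offset 12
    ptr = b"\xc0\x0c"
    soa_rdata = (b"\x03ns1" + ptr + b"\x0ahostmaster" + ptr
                 + struct.pack("!IIIII", serial, 3600, 600, 604800, 300))
    soa = ptr + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(soa_rdata)) + soa_rdata
    ns = b"".join(ptr + struct.pack("!HHIH", TYPE_NS, 1, 3600, 6) + label + ptr
                  for label in (b"\x03ns1", b"\x03ns2"))
    return header + question + soa + ns


if __name__ == "__main__":
    _, recs = parse_response(build_sample_response())
    print(recs)
    print(check_consistency({"ns1.example.com": recs, "ns2.example.com": recs}))
```

In practice you would run query_server for the SOA and NS of your zone against every name server the parent delegates to, from several vantage points, and treat a differing serial, a differing NS set, a timeout or an rcode other than 0 as a finding; each of those is a sign that a server would answer wrongly, or not at all, exactly when the others are under attack.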

Top 50 E-commerce websites

For the case study, we will also use the following SimilarWeb rank list.

Results

You can find all reports that we generated and additional information in this spreadsheet.

1. Amazon.com

The first one in the list is Amazon.com. They are using Dyn DNS and Neustar UltraDNS and average response time of the name servers is 50.66ms. We don’t know why they don’t use their DNS network – Route 53.

2. Taobao.com

Very slow global speed – 350.59ms. They don’t use any DNS provider, which is interesting since they are owned by Alibaba, and Alibaba has AliDNS. We don’t know why Alibaba does not use their DNS services.

3. eBay.com

Congratulations eBay, that’s the way to do it. Using Verisign as their Primary DNS provider and Dyn as a Secondary DNS. Low speed in South Africa, but they have ebay.co.za for that.

4. Tmall.com

Another property of Alibaba. Low speed even in Singapore (above 130ms). Not good Tmall. Alibaba do you plan to use your DNS for your websites?

5. Craigslist.org

Not a typical shopping site, but it’s on the list, so we need to check it out. Average speed 162.98ms. Even the two name servers in Atlanta show 64 and 63 ms. We think their users deserve better speed than that. No backup DNS.

6. AliExpress.com

In 2016, AliExpress claimed they reduced load time by 36% and recorded a 10.5% increase in orders and a 27% increase in conversion rates. Our report shows that they are using Alibaba Cloud. But unfortunately, this doesn’t help. The average response time of the name servers is 215.78ms. Just two name servers are showing speed below 100ms. And this is a global site which depends on international users. We suggest adding a Secondary DNS provider. A company which generated almost 23 Billion in revenue in a single day surely can set aside a few thousand dollars annually for this.

7. JD.com

An average response time of the name servers is 399.32ms. If they want to beat Alibaba at least, they have to provide good speed for their users. Singapore speed is also very low – name server in Singapore shows 145ms.

Next stop four properties of Amazon in different locations. Let’s see if some of them are using Route 53 this time.

8. Amazon.de

Excellent speed Amazon.de – 50.60ms. Using two DNS providers again – Neustar and Dyn. No sign of Route53 though. Interesting.

9. Amazon.co.uk

Good job Amazon.co.uk. – the best global speed of the top 10 websites – 45ms. Using ten name servers and two DNS providers again – Neustar and Dyn. This is a recipe for success. Still no sign of Route53 though.

10. Amazon.co.jp

Two DNS providers again – Neustar and Dyn and good average response – 76.06ms.

11. eBay.co.uk

Using Verisign as their Primary DNS provider and Dyn as a Secondary DNS as eBay.com. Good overall speed.

12. Walmart.com

The whopping amount of 12 name servers. Not the fastest global speed, but since the majority of their audience is coming from the US, the result is excellent. Using two DNS providers, Akamai and Neustar UltraDNS. Some say that they got in the online business too late, but they are sure fast learners and understand that speed and security is the only way to compare to Amazon.

13. Avito.ru

According to SimilarWeb, the majority of their traffic is coming from Russia, Ukraine and the rest of the CIS countries. Wow, 2.17ms global speed, and maybe we have a winner. They are using Cloudflare and no secondary DNS provider. Fast speed on all 6 test POPs. We can’t say much, except that they are doing an excellent job. If only they had backup DNS, it would have been the perfect example.

14. Mercadolivre.com.br

Latin America’s most popular e-commerce website. According to Similarweb, 98% of the Mercadolivre.com.br traffic is coming from Brazil. No DNS providers. The speed is not good even in Brazil – above 100ms.

15. Amazon.in

Around 10% of their traffic is international, so it’s good for them to have good global speed. And they do. Using Dyn and UltraDNS, they achieve excellent speed – 68.96ms, except South Africa.

16. Rakuten.co.jp

No DNS providers = slow global speed. Not much to say here. Guess they don’t rely on revenues outside Japan.

17. Allegro.pl

Again no DNS providers = slow average response. Yes, you’ll say they don’t need it because they are targeting mostly users in Poland, but what about the searches outside PL. Around 5% of their traffic is coming outside Poland. And what about DDoS protection and backup?

18. eBay.de

As the other eBay domains, this one is also using Verisign as their Primary DNS provider and Dyn as a Secondary DNS. Good overall response – 70.92ms.

19. Amazon.fr

Around 20% of the traffic comes outside of France, so it’s good to have at least reasonable EU speed. And they do. Using Dyn and UltraDNS, they achieve excellent global speed, except South Africa.

20. Amazon.it

Amazon surely knows how important is speed and to have a backup. So far they are using the same recipe for success – two DNS providers – Dyn and UltraDNS.

21. Leboncoin.fr

The French classified site. Good speed in France, slow speed globally. No sign of DNS providers. If anyone from Leboncoin is reading, please protect your revenue and your users and set up a backup DNS.

22. 58.com

Like all other Chinese e-commerce sites, they also have terrible global speed – 357.49ms and don’t use Managed DNS provider.

23. Target.com

Using Akamai which is good, but no Secondary DNS provider. Excellent speed in the US and Europe. Overall good – below 100ms.

24. Etsy.com

One of our personal favorites. Let’s see how they perform the test. Using AWS and Dyn. Nice to know that someone is using Route 53 after we found out that the Amazon doesn’t. Good speed everywhere except South Africa – 51.06ms.

25. Bestbuy.com

Using Akamai but no Secondary DNS provider. Good speed in the US and Europe. Low speed in Australia, Brazil, and South Africa. For reference, bestbuy.com.mx also doesn’t have good speed in Brazil.

26. Amazon.es

The Spanish domain of Amazon also has good global speed – 69.31ms and again uses two Managed DNS providers – UltraDNS and Dyn.

27. Sahibinden.com

The most prominent Turkish online store. They are using five nameservers, and 1 of them is not responding. Terrible global speed – 631.28ms and no DNS providers (we checked the website a few times, and the servers were not responding, and the speed was over 500ms each time).

28. Flipkart.com

The Indian e-commerce giant. They use Neustar. Excellent average speed. No Secondary DNS.

29. Ikea.com

The Scandinavian furniture manufacturer uses no DNS providers for its online shop. Good speed at our French POP and not so good globally.

30. Gearbest.com

A genuinely international website with traffic from all over the globe. Using Akamai, but the global speed is above 100ms. Highest response time in Brazil, which is interesting since according to Similarweb 18% of their traffic is coming from this country.

31. Mercadolibre.com.ar

Argentina’s most famous e-commerce store. No DNS providers. The speed is not good even in Brazil – above 100ms.

32. OLX.pl

Another Polish e-commerce site. They are using Amazon Route 53. Excellent speed in Europe. No Secondary DNS, no backup.

33. eBay-Kleinanzeigen.de

Good response according to our France POP, poor global speed – 176.19ms. No DNS provider is detected.

34. Mi.com

The international online portal of Xiaomi – the smartphone manufacturer. The average response time of the name servers is terrible – 367.21ms. They don’t use DNS providers, and correspondingly their bounce rate is high.

35. Amazon.ca

Good job also for Amazon.ca. Using two DNS providers again – Neustar and Dyn. The technical guys from Amazon understand the importance of using a DNS provider. This is the last of the Amazon properties on our list, and still none of them are using Route 53. Can we conclude from this that the Dyn and Neustar DNS networks are better than Route 53’s? We don’t know; we leave the presumptions to you.

36. OLX.ua

As the rest of the OLX properties, they are using Amazon Route 53. Excellent speed in Europe. No Secondary DNS, no backup.

37. Wish.com

Using the services of Amazon Route 53. Good overall global speed – 61.72ms, except South Africa – above 150ms.

38. HM.com

The international shopping site of the H&M brand. Good speed in EU and US, poor in Brazil and Singapore. Maybe they don’t rely so much on sales in South America and Asia. They are using Akamai, but no secondary DNS provider.

39. Mercadolibre.com.mx

Another site from the Argentinian giant. Hope this one performs better, let’s see. Good speed in the US, poor everywhere else, even in Brazil. Average response time is 143.79ms. No sign of DNS provider and backup DNS.

40. HomeDepot.com

Good speed in the US, which is good, since they are relying heavily on US consumers. Fair global speed – 102.44ms. If you look at the spreadsheet and the report, you’ll see that they are also using Akamai.

41. Market.yandex.ru

The marketplace of Yandex – the Russian bear. They are using their DNS, which gives excellent speed in Europe, but very poor globally – 178.63ms. We’re guessing global presence is not essential for them. The bear won’t leave Russia with this speed.

42. Americanas.com.br

Good overall speed, except in South Africa, but with 99% of the traffic coming from Brazil, that is logical. Using Route 53 but unfortunately no Secondary DNS provider.

43. Alibaba.com

Like all Alibaba properties tested so far, Alibaba.com is not an exception. Poor global speed – 256.2ms, especially in Australia, South Africa, and Singapore. No Secondary DNS provider. Correspondingly, the bounce rate is high – 46.31%.

44. Sonymobile.com

The international platform of Sony Mobile is in 44th place. Using Route 53 but no backup DNS provider. Guess Sony didn’t learn the lessons from the frequent DDoS attacks they received on their PlayStation Network.

45. DMM.com

The Japan-based electronic commerce and Internet company is next. They are using ten name servers, 6 of which are from Akamai, but global speed is not high.

46. OLX.com.br

As the rest of the Argentinian classified giant OLX properties, com.br is also using Amazon Route 53. Good speed almost everywhere except South Africa. No backup DNS.

47. Macys.com

Macys are using Akamai also. Good speed in Europe and US, poor in Brazil. Average response time – 128.06ms. No secondary DNS.

48. Suning.com

Suning is one of the largest retailers in China. Almost two years ago Alibaba bought shares in the company, so let’s see if they are using AliDNS or not. And the answer is no. Poor speed almost everywhere except Singapore. No primary and backup DNS provider, which corresponds to the highest bounce rate of all e-commerce websites so far – above 70%. That’s millions of dollars lost according to everybody’s calculations.

49. Kohls.com

As with the rest of the websites using the Akamai network, the site of the American department store retailing chain has good speed; only Brazil is lagging. But since 98% of their traffic is coming from the US, they can live with it. The lack of backup DNS is not good though.

50. Asos.com

The British online fashion and beauty store comes last in our report. They have lots of international traffic, only 25% of the traffic comes from the UK, the rest is all over the globe. They have eight name servers, using Dyn and Secondary DNS provider. Excellent global speed, except in South Africa.

Conclusion

According to our research, the majority of the big brands still haven’t learned the lesson from the 2016 Dyn DDoS attack, where huge sites were down for hours. 70% of the sites in this case study don’t have backup DNS. Running without a backup DNS, that is, relying on a single DNS provider, leaves you open to DDoS attacks and, correspondingly, to revenue losses. The question is not if it’ll happen but when.

Winner global top speed is Avito.ru with an average response time of 2.17ms.

The average amount of name servers per site is five, and the average DNS lookup speed of all 50 websites is 146.63ms.

We can draw a parallel between the response time of the websites and their bounce rate, as 89% of the sites with bounce rate above 40% had also lousy speed (see red fields in the spreadsheet).

And finally, a recommendation for all other e-commerce sites – if you want to fight the big boys and win, you need to invest in your site speed and DNS. Make sure you are using not one but two DNS providers. You will be surprised at how little money a good night’s sleep costs.

The post A case study of the top 50 e-commerce sites and their DNS appeared first on ClouDNS Blog.
