DNS Shield™

The DNS Shield™ is a revolutionary extension of the UltraDNS Network and Directory Services Platform that provides new levels of performance and security to the Internet. NeuStar has partnered with leading Internet service and network providers including Yahoo!, Verio, EarthLink and America Online to ensure that the millions of domains powered by UltraDNS are always available to their customers.

DNS Shield Network Architecture

The implementation of the DNS Shield involves the deployment of authoritative DNS servers within the recursive DNS networks of each participating ISP – creating a hardened, secure and robust Internet infrastructure that provides unprecedented levels of performance and security for their customers. By deploying the DNS Shield, the ISP Partner’s recursive DNS infrastructure connects directly to the UltraDNS network, creating a fully trusted and protected environment for DNS resolution. This “out of band” command and control combination provides the most advanced protection available against Distributed Denial of Service (DDoS) and pharming attacks.

The DNS Shield provides UltraDNS customers with the most secure DNS service available. Customers are now able to propagate their zones and have all DNS queries resolved in a secure private environment – milliseconds away from the recursive servers that are the source of the queries.

The nodes deployed within each partner network are functionally identical to those currently distributed across four continents for the public UltraDNS network. Customers benefit from enhanced security against Internet disruptions, because all DNS queries from DNS Shield Partner ISP customers are resolved locally within the ISP’s own infrastructure. In the event of a network catastrophe on the public Internet, or any other network failure, all DNS Shield customers’ queries are isolated from the effects and continue to be resolved locally, ensuring that domains powered by UltraDNS are 100% accessible.

In addition, because the public UltraDNS nodes are connected to the DNS Shield Partners’ recursive servers across secured point-to-point connections, the integrity of the DNS answers is assured far in advance of the implementation of the DNSSEC extension to the DNS protocol. This assurance enables both the Partner ISPs and UltraDNS customers to immediately protect themselves against many of the effects of DNS poisoning and spoofing.

Implementation Specifications

Each DNS Shield partner deploys two or more complete, self-contained authoritative “Private Nodes” onto their local segments. These DNS Shield Nodes are functionally identical to the Public Nodes, and utilize a specially-designed implementation of the Anycast IP addressing scheme using BGP. Protected connectivity to the UltraDNS Replication Network ensures global data consistency between these Private Nodes and the rest of the UltraDNS global network. The DNS Shield Nodes employ the same operational standards as the Public Nodes so that updates and maintenance are handled uniformly throughout the network. Should the Private Nodes within an ISP Partner’s network fail for any reason, the local routes announced by those Private Nodes would be withdrawn, and the trusted Recursive Servers would automatically follow the normal external announcements and paths to the UltraDNS public nodes.

The ISPs create and maintain Access Control Lists (ACLs) to restrict access between the authoritative Private Nodes and their own Recursive Name Servers. The partners’ trusted Recursive Servers connect to the Private Nodes to establish a fully isolated and protected environment for DNS query resolution for any UltraDNS-hosted zone.
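The failover and access-control behaviour described in these two paragraphs, simulated in Python as an added example (this is not UltraDNS code). A node announces the shared anycast prefix only while its health check passes, the recursive server's routing table prefers the locally originated route by LOCAL_PREF (a simplification of BGP best-path selection), and a partner-maintained ACL decides which resolvers a Private Node will answer. The prefix, addresses and zone data are constructed.

```python
from dataclasses import dataclass

ANYCAST_PREFIX = "198.51.100.0/24"                   # constructed documentation prefix
ZONE = {"www.example.com.": "203.0.113.10"}         # replicated to every node

@dataclass
class AuthNode:
    name: str
    origin: str              # "private" (inside the ISP) or "public"
    acl: frozenset = None    # resolver addresses allowed in; None = open
    healthy: bool = True
    def local_pref(self) -> int:
        # Higher LOCAL_PREF on Private Nodes: partner resolvers prefer the in-network path.
        return 200 if self.origin == "private" else 100
    def answer(self, client_ip, qname):
        if self.acl is not None and client_ip not in self.acl:
            return "REFUSED"                         # partner-maintained ACL
        return ZONE.get(qname, "NXDOMAIN")

def sync_routes(rib, nodes):
    """Health check is the BGP trigger: healthy -> announce, failed -> withdraw."""
    entry = rib.setdefault(ANYCAST_PREFIX, {})
    for n in nodes:
        if n.healthy:
            entry[n.name] = n
        else:
            entry.pop(n.name, None)

def best_route(rib, prefix):
    """Best-path selection reduced to LOCAL_PREF; None when nothing is announced."""
    return max(rib.get(prefix, {}).values(), key=AuthNode.local_pref, default=None)

def resolve(rib, client_ip, qname):
    """Recursive server sends the query to whichever node holds the best route."""
    node = best_route(rib, ANYCAST_PREFIX)
    if node is None:
        return None, "SERVFAIL"
    return node.name, node.answer(client_ip, qname)

def failover_demo():
    """Private node healthy, then failed, then recovered; returns node used each time."""
    resolver = "192.0.2.53"                          # constructed resolver address
    private = AuthNode("private-node", "private", frozenset({resolver}))
    public = AuthNode("public-node", "public")
    rib, path = {}, []
    for healthy in (True, False, True):
        private.healthy = healthy
        sync_routes(rib, [private, public])
        path.append(resolve(rib, resolver, qname="www.example.com."))
    return path
```

Run `failover_demo()` to see the query path move from the Private Node to the public node when the local route is withdrawn and back again when it is re-announced.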
