How LACNIC Contributes to DNS Resilience
25/03/2024
During the Opportunities for the Development of Critical Infrastructure webinar, LACNIC CTO Carlos Martínez highlighted the contribution of the Regional Internet Registry for Latin America and the Caribbean (LACNIC) across three different aspects of DNS anycast.
Anycast for LACNIC’s reverse DNS zones. LACNIC operates the reverse zones associated with the /8 IPv4 and /12 IPv6 blocks it has been delegated. These zones receive large amounts of traffic, which is why that traffic is distributed among anycast servers operated by LACNIC. If the resolution of these zones were to fail, LACNIC members would be left without reverse resolution.
Anycast for the “in-addr.arpa” and “ipv6.arpa” zones. The /8 and /12 zones of every Registry depend on these two top-level zones in the reverse DNS hierarchy. Their resolution is crucial for the entire Internet and is the responsibility of all RIRs. In this sense, LACNIC contributes anycast servers for both “in-addr.arpa” and “ipv6.arpa”. This is an effort that involves cooperation with the other RIRs.
Anycast root server copies. The DNS root zone relies on 13 authoritative servers, and LACNIC contributes copies of several of them. For nearly 20 years, LACNIC has supported the installation of anycast copies through its +Raíces program. Thirty-six copies have already been installed and several others are in the process of installation. The process of installing a copy of a root server involves cooperation with the server’s operator and procuring hardware, Martínez observed.
What is anycast? Anycast is a network addressing and routing method in which a single IP address is assigned to multiple geographically dispersed DNS name servers. When a user queries the DNS, the query is directed to the closest server in terms of latency or network route.
In cases involving the operation of a large-scale DNS, a zone with multiple records and large amounts of traffic, or a recursive server catering to many clients, ensuring server availability may require special attention, Martínez said.
Can the anycast technique be used with DNS? Given that DNS is a UDP-based protocol, there is no need to struggle with establishing connections. “This works, and it works very well,” Martínez added. For example, if a DNS server that is publishing via anycast disappears because of a failure or shutdown, the problem is solved as long as the prefix’s BGP announcement remains in the global BGP tables. “BGP itself selects the next best path. Most of the time, users don’t even notice this is happening,” Martínez said.
Improved latency. The use of anycast allows user requests to be directed to the nearest DNS server, which means that this technique significantly reduces latency. The result is faster loading times for websites and apps, and an improvement in user experience.
Martínez also pointed out that, by having multiple servers that can respond to a single IP address, anycast increases redundancy. If one of the servers fails or is inaccessible, requests can be automatically routed to another available server, thus increasing service availability.
Attack mitigation. Anycast can help mitigate Distributed Denial of Service (DDoS) attacks by distributing malicious traffic across many servers, rather than overloading a single one. This makes it more difficult for attackers to saturate the capacity of a network or server. When anycast copies are available, the attack is naturally diluted among all the copies and absorbed by the copy closest to the addresses being spoofed, thus safeguarding the others.
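The failover and dilution behaviour described in the anycast and attack-mitigation paragraphs above, as an added toy model (not LACNIC’s code); the client networks, instance names and AS-path lengths are constructed, and BGP best-path selection is simplified to “shortest AS path”:

```python
"""Toy model of DNS anycast: one prefix, several instances, BGP picks the nearest."""
from collections import Counter

# Constructed topology (hypothetical names/values): AS-path length from each
# client network to each anycast instance announcing the same service prefix.
PATH_LEN = {
    "client-MVD": {"inst-uy": 1, "inst-br": 3, "inst-us": 5},
    "client-SAO": {"inst-uy": 3, "inst-br": 1, "inst-us": 4},
    "client-NYC": {"inst-uy": 5, "inst-br": 4, "inst-us": 1},
}

def best_instance(client, announced):
    """Return the announcing instance with the shortest AS path from client."""
    routes = {i: n for i, n in PATH_LEN[client].items() if i in announced}
    if not routes:
        return None  # no copy announces the prefix: resolution fails
    return min(routes, key=lambda i: (routes[i], i))  # ties broken by name

def reroute_after_failure(client, announced, failed):
    """Instance `failed` withdraws its route; BGP selects the next best path."""
    return best_instance(client, announced - {failed})

def attack_distribution(sources, announced):
    """Count how many (possibly spoofed) sources each anycast instance absorbs."""
    return Counter(best_instance(s, announced) for s in sources)

if __name__ == "__main__":
    live = {"inst-uy", "inst-br", "inst-us"}
    print(best_instance("client-MVD", live))                     # inst-uy
    print(reroute_after_failure("client-MVD", live, "inst-uy"))  # inst-br
    # Constructed flood: 40 spoofed sources, mostly from one network
    flood = ["client-SAO"] * 30 + ["client-MVD"] * 5 + ["client-NYC"] * 5
    print(attack_distribution(flood, live))  # inst-br absorbs 30, others 5 each
```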
This is how LACNIC contributes to increasing the resiliency of access to the DNS, one of the Internet’s critical resources. It creates redundancy and reduces criticality, providing for a better response to potential DDoS attacks or possible failures of critical Internet infrastructure.