The invention relates in general to applianced Internet domain name servers (DNS), ie, DNS servers supplied as appliances. Specifically, the invention relates to techniques for improving immunity of applianced domain name servers against denial-of-service (DoS) attacks and other types of network security threats. In the following description, DoS attacks will be used as an illustrative but non-exhaustive example of network security threats addressed by the invention, but it is to be understood that the inventive technique is applicable to other types network security threats, such as port scans, DNS cache poisonings or the like.
The use of mnemonic names, as opposed to cryptic Internet Protocol (IP) addresses, is based on domain name system (or servers, DNS). The DNS service is a public, distributed, database which maps domain names to IP addresses and/or vice versa. Traditionally the DNS service has been implemented by means of a hierarchical server architecture in which one server—a primary name server—is used for actual administration of the name service, while one or more secondary name servers act as authoritative name servers for zones managed by means of the primary name server, and caching name servers perform recursive lookups to authoritative name servers in order to resolve name queries originating from clients, ie, provide name to IP address translation. Because public DNS service requires that both the authoritative and the caching name servers are open to the public network, they are vulnerable to hacking attempts and other network security threats.
At the time when this invention was made, web-based dictionary Webopedia defined a DoS attack as follows: “A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.” As stated above, the ingenuity of hackers is not restricted to DoS attacks.
A well-known approach to making DNS servers less vulnerable to DoS attacks is increasing the throughput of individual DNS servers, eg by means of optimization, such that they are able to process the increased load. An alternative approach is increasing the number of individual DNS servers for increased redundancy. This approach has been used together with load-balancing switches such that a DNS server cluster can be substituted for an individual DNS server.
DoS attacks are not the only type of attacks which are being used against DNS servers. Another type of attack is based on viruses, worms, known vulnerabilities of the software modules used in the DNS server, and the like which attempt to infiltrate the internal software of DNS servers. An approach frequently adopted by equipment and software providers against such infiltration is called hardening of the hardware and/or software platform. The purpose of hardening is to make the platform less vulnerable to hacking.
A specific problem underlying the invention is at least partially related to the fact that the platform-hardening approach and the technique of installing software fixes tend to be mutually incompatible. The very act of hardening the DNS platform also makes it harder to install software fixes to the DNS platform.