Keeping ahead of DNS attacks

Defending the root


The root servers are critical Internet resources, but they occupy the "high ground" in terms of defensibility. The root zone is small and changes infrequently, and its entries carry lifetimes (TTLs) of up to about a week, so resolvers can keep answering from cached root data for days even while the root servers themselves are under attack.

Any organisation can download an entire copy of the root zone, check once a day whether it has changed, and stay current with occasional reloads. A few organisations already do this.

Root server operators are also starting to deploy root servers on "anycast" addresses, which let multiple machines in different network locations answer as a single server; an attack on one address is then spread across many instances instead of landing on one machine.

In short, defending the DNS root is relatively easy since it is possible to minimise the importance of any root server, by creating more copies of the root database--some private, some public.

Top-level domains, or TLDs, will be much harder to defend. The copying strategy that can defend the root servers will not work for most TLDs.

It is much harder to protect, say, .com or .fr than to defend the root, because TLD data is far larger and changes far more often, and the operator is less inclined to distribute copies, for privacy or commercial reasons.

There is no alternative: TLD operators must defend their own DNS servers with rate-limiting routers and anycast, because consumers of the TLD data cannot insulate themselves from the attacks by keeping local copies.

Defending your organisation

If your organisation has an intranet, you should provide separate views of DNS to your internal users and your external customers. This will isolate the internal DNS from external attacks.
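A BIND 9 configuration that provides the two views just described, as an added example that is not part of the article; the network ranges, zone name and file paths are placeholders:

```conf
// Added example, not from the article. Addresses, zone and file paths are placeholders.
acl "intranet" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

// Views are tried in order; the first match-clients that matches wins,
// so the internal view must come before the catch-all external one.
view "internal" {
    match-clients { "intranet"; };
    recursion yes;                 // internal users may use this server as a resolver
    allow-query { "intranet"; };
    zone "example.com" {
        type master;
        file "zones/internal/example.com.db";   // intranet hosts live only here
    };
};

view "external" {
    match-clients { any; };        // everything not matched above: the Internet
    recursion no;                  // never recurse for the outside world
    allow-query { any; };
    zone "example.com" {
        type master;
        file "zones/external/example.com.db";   // public names only
    };
};
```

Once a single view is declared, every zone must live inside some view; a zone left at top level is a configuration error. Keeping the two zone files physically separate, rather than filtering one file, is what ensures that internal names cannot leak into answers given to external clients.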

Copy the root zone to insulate your organisation from future DDoS attacks on the root. Consider also copying DNS zones from business partners on extranets.
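Keeping a private copy of the root zone, as recommended here and in the "Defending the root" section above, comes down to a daily check of whether the copy is stale. The following added example (Python, not from the article) parses a small constructed excerpt in zone-file format, compares SOA serials with RFC 1982 serial-number arithmetic (so a serial that wraps past 2^32 is still recognised as newer), and applies the SOA expire rule that a secondary server uses to decide when a copy it could not refresh must no longer be served. The zone text is constructed and abridged; a real copy is fetched by AXFR from a root server or from https://www.internic.net/domain/root.zone.

```python
"""Added example, not from the article: is a local root-zone copy stale?

The zone text is a constructed, heavily abridged excerpt in master-file
format; names, serials and TTLs are illustrative only.
"""
import re
from dataclasses import dataclass, field

OLD_COPY = """\
.      86400  IN SOA a.root-servers.net. hostmaster.example. 2024060100 1800 900 604800 86400
.      518400 IN NS a.root-servers.net.
com.   172800 IN NS a.gtld-servers.net.
"""
NEW_COPY = """\
.      86400  IN SOA a.root-servers.net. hostmaster.example. 2024060200 1800 900 604800 86400
.      518400 IN NS a.root-servers.net.
com.   172800 IN NS a.gtld-servers.net.
net.   172800 IN NS a.gtld-servers.net.
"""

SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$")


@dataclass
class Zone:
    serial: int
    refresh: int
    expire: int
    records: list = field(default_factory=list)  # (name, ttl, type, rdata)


def parse_zone(text):
    """Parse one-record-per-line master-file text (no $ORIGIN, no multi-line RRs)."""
    soa, records = None, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()  # drop comments and blank lines
        if not line:
            continue
        m = SOA_RE.match(line)
        if m:
            soa = m
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError("unparsable record: %r" % line)
        records.append((m["name"], int(m["ttl"]), m["type"], m["rdata"]))
    if soa is None:
        raise ValueError("zone has no SOA record")
    return Zone(int(soa["serial"]), int(soa["refresh"]), int(soa["expire"]), records)


def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic: True if candidate is 'greater' than current.

    Works across the 32-bit wrap, unlike a plain integer comparison; a
    difference of exactly 2**31 is undefined by the RFC and treated as not newer.
    """
    diff = (candidate - current) % 2**32
    return 0 < diff < 2**31


def should_reload(local_text, fetched_text):
    """The daily check: reload only when the fetched SOA serial is newer."""
    return serial_newer(parse_zone(fetched_text).serial, parse_zone(local_text).serial)


def copy_is_expired(zone, age_seconds):
    """A copy not refreshed for longer than SOA expire must stop being served."""
    return age_seconds > zone.expire


def delegations(zone):
    """Names delegated from this zone, i.e. the TLDs in a root-zone copy."""
    return sorted({name for name, _, typ, _ in zone.records if typ == "NS" and name != "."})
```

The expire rule matters for the failure mode the article is defending against: if the root servers are unreachable for longer than the zone's expire value (7 days in the excerpt), a conforming copy goes dark rather than serving data of unknown age, so the daily refresh is not optional.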

When DNS updates travel over the Internet they can also be hijacked in transit. Use TSIG (transaction signatures) to sign them, or send updates over VPNs (virtual private networks) or other protected channels.
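What TSIG actually protects is worth seeing in bytes. The following added example (Python, not from the article) builds a minimal DNS dynamic UPDATE message, signs it with TSIG using HMAC-SHA256 as specified in RFC 8945, and verifies it on the receiving side, returning the TSIG error names a server would use. The key name, secret, zone and addresses are constructed, and names are handled uncompressed; a real server must also follow compression pointers when it walks the message to find the TSIG record.

```python
"""Added example, not from the article: TSIG (RFC 8945, hmac-sha256) over a
constructed RFC 2136 UPDATE. Key, secret, zone and address are made up.
Names are handled uncompressed only."""
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY, ALGORITHM = 250, 255, "hmac-sha256."


def wire_name(name):
    """Uncompressed, canonical (lower-case) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Inverse of wire_name; returns (name, offset just past the name)."""
    labels = []
    while True:
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(buf[off:off + n].decode("ascii").lower())
        off += n


def build_update(msg_id, zone, owner, ipv4):
    """Minimal UPDATE adding one A record: zone section + one update RR, no TSIG."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_sec = wire_name(zone) + struct.pack("!HH", 6, 1)        # type SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_sec = wire_name(owner) + struct.pack("!HHIH", 1, 1, 3600, len(rdata)) + rdata
    return header + zone_sec + update_sec


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC in addition to the message itself."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
            + struct.pack("!Q", time_signed)[2:]              # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, key_name, secret, time_signed, fudge=300):
    """Return the message with a TSIG RR appended to its additional section."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(ALGORITHM) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def tsig_verify(signed, keys, now):
    """Return (status, unsigned message or None); status is NOERROR/BADKEY/BADSIG/BADTIME.
    Key and MAC are checked before the clock, in the order the RFC requires."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):                        # zone entries: name + type + class
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):          # every RR except the trailing TSIG
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    alg, off = read_name(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_len]
    off += 10 + mac_len
    _orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if rtype != TSIG_TYPE or alg != ALGORITHM or key_name not in keys:
        return "BADKEY", None
    # The MAC covers the message as it was before the TSIG RR was appended.
    message = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(keys[key_name],
                        message + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG", None
    if abs(now - time_signed) > fudge:         # replayed or badly skewed message
        return "BADTIME", None
    return "NOERROR", message


# Constructed key material and message for the example only.
KEY_NAME = "updater.example."
SECRET = b"constructed-shared-secret-for-the-example-only"
UPDATE = build_update(0x1234, "example.com.", "host.example.com.", "192.0.2.10")
SIGNED = tsig_sign(UPDATE, KEY_NAME, SECRET, time_signed=1_700_000_000)
```

Two properties follow directly from what the MAC covers: any change to the update body gives BADSIG, and because the signing time is part of the MAC and checked against the fudge window, an attacker who captures a valid signed update cannot replay it later. TSIG does nothing for confidentiality, so the update is still readable in transit; that is why the article also mentions VPNs.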

But understand that until tools for digital signatures in DNS (DNSSEC) are finished and deployed, you will remain at risk from the DNS counterfeiting attacks that lie not far in the future (and that have apparently already occurred in China).

Unfortunately for those of us who depend on the Internet, the attackers seem likely to strengthen their tactics and distribute new attackware, while the Internet community struggles to mount a coordinated approach to DNS defense.

Paul Mockapetris, the inventor of the domain name system, is chief scientist and chairman of the board at Nominum.
