The phone book is on fire: Lessons from the Dyn DNS DDoS attack
When the DDoS attack crushed Dyn last October, did your DNS fail? Heroku's sure did. In response, Lex Neva deep dove into everything DNS to learn how to implement resilient DNS properlyreading RFCs, asking questions of pros, and performing real-world experiments when no one knew the answers. Join Lex to find out what does work and all the crazy details of DNS that he uncovered.
Talk Title | The phone book is on fire: Lessons from the Dyn DNS DDoS attack |
Speakers | Lex Neva (Fastly) |
Conference | O’Reilly Velocity Conference |
Conf Tag | Build resilient systems at scale |
Location | New York, New York |
Date | October 2-4, 2017 |
URL | Talk Page |
Slides | Talk Slides |
Video | |
When the DDoS attack crushed Dyn last October, did your DNS fail? Heroku’s sure did. In response, Lex Neva deep dove into everything DNS to learn how to implement resilient DNS properly—reading RFCs, asking questions of pros, and performing real-world experiments when no one knew the answers. Join Lex to find out what does work and all the crazy details of DNS that he uncovered. Opinions on how to react to a DDoS against your nameservers vastly differ. Some companies lowered the TTL for their in-zone NS records to make it easier to add a new nameserver in a crisis. Lex shares empirical proof that this doesn’t work. Adding a redundant DNS server in advance is a good solution, but it can be much harder than it sounds. What can you do if your DNS records are heavily dynamic and your provider doesn’t offer AXFR support? Lex walks you through the options. Even if you’re a seasoned DNS pro, you’ll be surprised by what you learn.