Hybrid DNS engine to protect online services

‘Breakthrough’ solution addresses DNS server vulnerabilities.

  • Tuesday, 11th February 2014, by Phil Alsop

EfficientIP has announced the launch of the industry’s first hybrid DNS engine in response to the growing number, and increasing ferocity, of DNS cyber attacks such as Denial of Service (DoS) and cache poisoning.


Whereas most DNS servers run a single DNS engine, such as ISC’s BIND, EfficientIP’s SOLIDServer Hybrid DNS Engine (HDE) combines three DNS engines, managed in a single appliance. This approach provides greater protection to large enterprises, operators and ISPs: it eliminates the single point of failure that a single engine represents when a security alert is issued, creates a more complex security footprint for an attacker to profile, and allows one DNS engine to be switched out for patching while another takes over to protect service availability.


“The high profile breaches making the headlines over the past year show just how damaging a DNS attack can be to an organisation’s reputation, revenues and data security responsibilities,” said David Williamson, CEO at EfficientIP. “As DNS threats continue to evolve, new strategies for defence are needed. Traditional approaches are not enough to mitigate today’s risks. Having an active DNS engine, plus at least one alternative ready for use, significantly reduces the risk of attack, while reducing management complexity for administrators. It’s a really smart way to outmanoeuvre hackers who’ll never be sure which name server software is running, so will find trying to compromise it a daunting, complex and virtually impossible task.”


DNS servers play a central role in managing user access to websites, email and other web applications, translating between IP address numbers and domain names. However, cyber criminals can abuse and manipulate the DNS causing either a massive network jam or misdirected Internet traffic – both of which can result in major Internet service disruption or outages.


Due to the popularity of certain name server engines and their known code vulnerabilities, it is considered best practice that network owners maintain, and be ready to switch between, at least two different name server software products. EfficientIP’s Hybrid DNS Engine does this by incorporating the BIND name server software and two other DNS technologies, Unbound and NSD from NLnet Labs. Unbound is a validating, recursive, caching DNS resolver designed for high performance. NSD is an authoritative-only, high performance name server that offers a more robust environment for defending against a DoS attack. Separating the authoritative and recursive elements of the name server engine significantly reduces the risk of corruption: an authoritative-only server keeps no cache to poison, and a resolver that is not exposed to the open Internet cannot be used to reflect traffic at third parties.
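As an added illustration of the authoritative/recursive split the paragraph describes (a constructed example, not EfficientIP’s configuration or product code), the weak single-engine setting is shown beside an NSD authoritative-only instance and an Unbound resolver restricted to internal clients. The zone name example.com, the file names and the 192.0.2.x addresses are assumed placeholders.

```conf
## Weak setting (constructed): one BIND instance that is both authoritative
## for example.com and an open recursive resolver. Answering recursive
## queries from anyone makes it usable as an amplifier/reflector and keeps
## a cache that poisoning attempts can target.
# named.conf (weak)
options {
    recursion yes;                 # recursion enabled on the authoritative server
    allow-query { any; };
    allow-recursion { any; };      # open resolver: answers anyone
};
zone "example.com" { type master; file "example.com.zone"; };

## Split design, authoritative side: NSD serves only zone data. It has no
## cache and performs no recursion, so there is nothing to poison.
# nsd.conf (authoritative-only, assumed address 192.0.2.1)
server:
    ip-address: 192.0.2.1
    hide-version: yes
zone:
    name: "example.com"
    zonefile: "example.com.zone"

## Split design, recursive side: Unbound resolves for internal clients only.
## Everyone else is refused, so the resolver cannot be reflected at others.
# unbound.conf (recursive, assumed address 192.0.2.2)
server:
    interface: 192.0.2.2
    access-control: 192.0.2.0/24 allow      # internal clients (assumed range)
    access-control: 0.0.0.0/0 refuse        # everything else
    access-control: ::0/0 refuse
    hide-version: yes
    harden-glue: yes                        # ignore out-of-bailiwick glue
    use-caps-for-id: yes                    # extra entropy against cache poisoning
# Resolve the local zone by asking the NSD instance directly.
stub-zone:
    name: "example.com"
    stub-addr: 192.0.2.1
```

Either engine can be stopped for patching without affecting the other, which is the operational point behind running separate authoritative and recursive engines.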


Large-scale attacks on DNS servers have significantly increased over the last year with the nature of the threats growing in scale and intensity. With new techniques such as DNS amplification and reflection there has also been a massive increase in the volume of traffic being used to target systems. A hybrid approach to DNS security enables organisations to strengthen the weakest elements of their Internet infrastructure.


“Organizations should invest in protecting their DNS infrastructure,” noted Lawrence Orans, Research Vice President at Gartner, in the recent report ‘Leverage Your Network Design to Mitigate DDoS Attacks’. “A secure DNS infrastructure is necessary to mitigate the impact of query load attacks and other attacks against authoritative DNS name servers.”