back to article Painful truth: DNS, CDNs and CAs are Achilles' Heel for top websites

Internet infrastructure may be fairly resilient thanks to its distributed nature, but the web we've built on top of it appears to be rather fragile. In a paper distributed last week through the ArXiv preprint server, researchers for Carnegie Mellon University find that third-party services such as domain name service (DNS) …

  1. Anonymous Coward
    Anonymous Coward

    Raining CloudFog

    The latest most important article that no Cloud-migrating-executive will ever see... As always, assumption is the mother of all fuckups. 3rd-Party Redundancy costs more, and the more needed, the less the cost savings from migrating in the first place. So most reports will just bury this 'uncomfortable truth' in a bottomless pit... Whether its reports from Garter or the Big-Four accounting firms or another outside consultant (or even corporation's own internal reports). Because bad news tends to get sidelined...

    So this will continue on in the shadows until it just can't be hidden or ignored any more. Then politicians and lawmakers will cry, how did we let this happen? Just wait until more of the world becomes Cashless. Then look forward to more Visa-like outages and disruptions covering larger parts of the globe. In Visa's case, it was its own data center redundancy that acted as a 3rd-Party that brought the whole thing down. Assumptions!

    1. Phil Endecott

      Re: Raining CloudFog

      This isn’t about “cloud”; a self-hosted website still needs DNS, CAs and possibly CDNs and is equally vulnerable to their failures.

      1. AMBxx Silver badge
        Mushroom

        Re: Raining CloudFog

        His comment wasn't specifically about cloud - it's something he just copies into every thread that has the vaguest connection to 3rd party services.

  2. Anonymous Coward
    IT Angle

    the Problems all started with ARPANET

    they invented TCP and we have been piggybacking problem on problem since.

    Definition of ARPANET {should read} ~ It seemed great at the time but terrible for future expansion into a public system.

    If we changed the system for updating and accessing DNS to a distributed one (more so than now) we could prevent all but extreme attacks.

    Before updating, DNS Servers would consult and compare multiple other DNS indexes.

    Updates would have to come from known DSN registry addresses.

  3. Anonymous Coward
    Terminator

    The resilient distributed nature of the Internet?

    "Internet infrastructure may be fairly resilient thanks to its distributed nature .. In a paper distributed last week through the ArXiv preprint server .. Citing how the 2016 DDoS attack that downed managed DNS provider Dyn affected dependent sites like" ..

    Services that depend on a single point of failure are by definition not resilient or redundant. Did Amazon, Netflix and Twitter have no fall over system to kick in when Dyn crashed? Same applied with CDN and CA being run from the one service.

    1. Anonymous Coward
      Anonymous Coward

      Re: The resilient distributed nature of the Internet?

      Well, in the case of DNS specifically: nothing they were willing to deploy. Heck, it would have been trivial for AWS to have stood up their own public DNS. But Dyn was managing a crap ton of private name servers with sometimes complex policy configurations. And as with traditional DR situations, the really difficult question in the middle of a crisis is "when do we cut over?" As for the SSL infrastructure, it's near criminal how that was allowed to be monopolized such a small number of competing bandits. The tech itself isn't horrible, but the infrastructure that it has been made dependent on is like a highway built on quicksand. The Let's Encrypt project has the right idea, but needs many more peers to join in its mission.

      1. AMBxx Silver badge

        Re: The resilient distributed nature of the Internet?

        Maybe we should all take some responsibility for our own stuff. I use OpenDNS instead of ISP's DNS service. I'm never affected by DNS outages as an errors just lead to the use of a cached entry. No idea if there are any negatives, but it's worked for me so far.

        1. SImon Hobson Bronze badge

          Re: The resilient distributed nature of the Internet?

          Maybe we should all take some responsibility for our own stuff.

          And only one upvote allowed !

          At my last place, we ran the DNS for around 600+ customer domains - and when I started it was hosted on two servers sat in the same rack and protected by the same dead UPS. One was on a different internet connection though.

          When I left, we still hosted the master in our own server room, but employed a 3rd party to run secondaries for us - so an outage either at ourselves or at the 3rd party could not bring down the DNS for those domains.

          But also when I left, manglement were busy getting rid of anything needing brain cells - and were transferring the DNS to a significantly inferior hosting service, with a PITA GUI, significantly reduced features, and most critically, all under one hosting provider who had already had more than one major outage in the couple of years we'd been using them.

          For good measure, the main mangler decided to just rip out all the infrastructure (documented, reliable, worked flawlessly for many months after I'd left until it got mangled) - partly on the basis of "I don't understand it, so it's coming out". Had he asked anyone with a clue, he could have avoided taking out the master for 200 domains and having them die a week later as the secondaries expired their cached entries (fun when your VoIP phones go down due to a DNS issue). For starters, the 3rd party hosting had a neat feature that would have allowed promoting them to using a local database - so a few clicks per domain would have dealt with it. Instead they left it till it started taking customers offline and then went into panic mode.

          Still, said manglement were well versed in outright lying to customers - no doubt they'll have blamed a 3rd party service for the outage.

          I use OpenDNS instead of ISP's DNS service. I'm never affected by DNS outages as an errors just lead to the use of a cached entry.

          Do you only use Open DNS ? If so then you're at the mercy of OpenDNS and if they have a major outage. Only if you use them PLUS another completely independent service do you get that degree of resilience talked about in this article.

  4. Unep Eurobats
    Headmaster

    Obligatory apostrophe moan

    It's Achilles heel, not Achilles' heel and certainly not Achilles' Heel. It's the same as, for example, Belisha beacon. Grammatically the same, I mean, not physically. If your heel is flashing yellow I've no idea what that is. See a doctor, I would.

    1. Rich 11
      Headmaster

      Re: Obligatory apostrophe moan

      I'm going to out-pedant you and state that the correct presentation is most certainly Achilles' heel. If you don't like it you can go and beat up my old English teacher, Mr McGaughey. He may be dead by now for all that I know, but you can still dig him up and punch him a few times if that helps.

      1. Anonymous Coward
        Mushroom

        Re: Obligatory apostrophe moan

        There's nothing wrong with Achille's. It fits better in English, and Achille is the spelling used in many languages where the name is still popular. If it sounds right, who cares?!

        Grammar Nazis are the worst kind of Nazis.

        The internet was a mistake. Nuke it.

        1. Rich 11
          Headmaster

          Re: Obligatory apostrophe moan

          Achille may certainly be the modern variation of the name as used in French and some other languages, but as a transliteration of Αχιλλεύς it falls somewhat short of the mark. In fact there is everything wrong with Achille's, given that we are talking about an English possessive.

          1. Unep Eurobats
            Boffin

            Re: Obligatory apostrophe moan

            To refer to the actual heel of the Greek hero, Achilles' heel is of course correct. But for the meaning intended here, of a fatal vulnerability, the word Achilles is used as an adjective and an apostrophe makes no sense. It's certainly not right to talk of my Achilles' heel, since it doesn't belong to him.

  5. Anonymous Coward
    Trollface

    Who knew...

    ...that the Achille's Heel of actual Nazi websites, and anything else the enlightened progressive technorati disagree with, is the Achille's Heel of every website?!

    It's okay, alt-tech will save you. You're welcome.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like