Preventing the Outsourcing of our Critical Infrastructure  

04/05/2022

By Santiago Aggio

Our proposal seeks to encourage small and medium-sized ISPs (Internet Service Providers) in the region to implement recursive and authoritative DNS (Domain Name System) servers in their own infrastructure and thus avoid having to operate the service through a third party using public recursive servers.

Outsourcing the service means less control and less monitoring capacity. It also limits our ability to resolve problems and to apply our own resolution policies.

Having our own recursive and authoritative DNS servers allows us to reinforce our critical infrastructure and also enables the measurement of different service parameters, such as the number of queries received, the type of queries, how many are IPv6 queries, etc.; in short, it gives the ISP all the data related to DNS statistics.

A key aspect here is that the infrastructure required to have our own DNS servers does not require a large investment: two authoritative servers (forward zones we have registered and reverse zones delegated to us), two recursive servers (reachable from our own users’ or clients’ IP addresses) and a server to sign the zones (DNSSEC).

Metrics and Measurements. Running our own recursive and authoritative servers gives us real-time information: the statistics channel in BIND and the counters in Unbound expose service data directly. In addition, Prometheus + Grafana provide a real-time view of the service metrics.
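As an added example (not part of this post or of the Unbound project), a small Python script that turns the counters printed by `unbound-control stats_noreset` into the dashboard ratios mentioned above (IPv6 share, cache hit ratio, query types) and renders them in Prometheus text format; the sample counter values are constructed.

```python
"""Expose Unbound recursive-resolver counters as Prometheus metrics (added example)."""
import re

# Constructed sample of the key=value text that `unbound-control stats_noreset`
# prints with extended-statistics enabled; the numbers are made up.
SAMPLE_STATS = """\
total.num.queries=18420
total.num.cachehits=14105
num.query.type.A=11200
num.query.type.AAAA=5150
num.query.type.PTR=2070
num.query.tcp=210
num.query.ipv6=6930
num.answer.bogus=3
"""

def parse_stats(text):
    """Parse key=value lines into a dict: ints for counters, floats for averages."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            stats[key.strip()] = float(value) if "." in value else int(value)
    return stats

def summarize(stats):
    """Derive the ratios an ISP would put on a Grafana panel from raw counters."""
    total = stats.get("total.num.queries", 0)
    def share(key):  # fraction of all queries, safe when the counter is 0
        return stats.get(key, 0) / total if total else 0.0

    return {
        "queries": total,
        "cache_hit_ratio": share("total.num.cachehits"),
        "ipv6_share": share("num.query.ipv6"),
        "tcp_share": share("num.query.tcp"),
        "bogus_answers": stats.get("num.answer.bogus", 0),  # DNSSEC validation failures
        "query_types": {k.rsplit(".", 1)[1]: v for k, v in stats.items()
                        if k.startswith("num.query.type.")},
    }

def to_prometheus(stats):
    """Render the counters in Prometheus text exposition format for scraping."""
    lines = []
    for key, value in sorted(stats.items()):
        if key.startswith("num.query.type."):
            lines.append(f'unbound_queries_by_type_total{{type="{key.rsplit(".", 1)[1]}"}} {value}')
        else:
            lines.append(f"unbound_{re.sub(r'[^A-Za-z0-9_]', '_', key)} {value}")
    return "\n".join(lines) + "\n"
```

In production the text would come from running `unbound-control stats_noreset` on a schedule and serving `to_prometheus()` output on an HTTP endpoint for Prometheus to scrape.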

The information generated by these tools complements the measurements and detections obtained from the analysis of packets, IP flows and logs (see the example graph).

We invite small and medium-sized ISPs to implement their own recursive and authoritative DNS servers.