"Anycast is a never-ending game of cat and mouse."
28.12.2021 13:38

Klaus Darilion is credited as the technical mastermind behind RcodeZero DNS. In this interview, the Head of Operations at nic.at GmbH and its sister company ipcom GmbH talks about good-natured babies and overflowing postboxes, and reveals what’s behind the RcodeZero DNS Anycast service.


RcodeZero DNS is just about to turn ten years old. You played a pivotal role in the product’s creation and ongoing development. Why is an Anycast service important for nic.at?
RcodeZero DNS is my baby. Ten years ago, we wanted to build an Anycast service to make sure that we had the technology and its subsequent development was in our own hands. Things got off to a bit of a slow start, but we went on to attract a large number of new customers in recent years. People are becoming increasingly aware of the importance of this particular area against the backdrop of an increasingly hostile internet where DDoS (distributed denial-of-service) attacks continue to proliferate. It’s getting easier for attackers to mount their attacks as there are millions of unprotected servers in the cloud. The burden placed on name servers is skyrocketing as a result. In response, registries and registrars are looking to spread out their DNS infrastructure to ensure they are better placed to deal with peak loads – without customers ever noticing.


Babies are undeniably a joy, but can also be a source of worry sometimes, too. What’s your take on that?
We have two products, DNS for top-level domains (TLDs) and secondary DNS. TLD DNS is an exceptionally good-natured baby. The customer comes to us with their zone – such as .eu and .nl – we configure the data in our system and just like that the service is up and running. But the secondary DNS, which is primarily used by registrars and companies, has to be constantly reconfigured and there is more potential for problems as attacks are mainly directed at secondary domains. The zones that come under attack belong to end customers.


Why is that?
Top-level domains tend to have much more diversified infrastructure, which is why attackers zero in on the customer domain instead of going for the TLD name servers. And then it is down to our customers. We have customers with three million domains who have never been attacked. But then we have customers who host 500,000 domains with us and are constantly being targeted. For us, it’s a never-ending game of cat and mouse. We have to ask ourselves: how do we keep the attackers at bay without compromising our services?


What exactly does this kind of attack look like?
In the case of a DDoS attack, the attacker bombards the server with so much data that the infrastructure is essentially paralysed. Any number of data packets end up blocking the connection. A simple example: someone walks past a post box and keeps chucking their paper recycling in. Soon enough, it is full and there is no room for letters any more. We can take the sting out of these attacks through something called DDoS mitigation, as it is possible to make a distinction between a genuine letter and the recycling. But some attacks take the form of legitimate DNS queries. To continue the metaphor, the post box fills up with phony letters which are wrapped up in authentic-looking envelopes to make them look real. So the recipient has no choice but to open them all. These attacks are actually more time-consuming and cannot be simply sifted out by a DDoS mitigation provider.


2016 brought a second cloud for RcodeZero DNS. What’s the advantage of that?
Two name servers have to be registered for each domain, so that means two IP addresses via which services are queried. Our second cloud introduced a completely separate system for two independent IP addresses. They are logically and physically discreet, so users never land on the same server. Even if one location stops working, this set-up means that access is still possible. This is the major difference between us and other Anycast providers such as Google and Cloudflare who do not have this kind of separation.


There are currently more than 40 locations spread all over the world. How will they develop?
We are really well set up as far as the number of our locations goes, and more are being added to the list constantly. We are getting bigger and more stable – and our performance is improving – all the time thanks to the twin track approach. We have a lot of locations in our first cloud that correspond to the location of the physical servers. Our second cloud, by contrast, is completely virtual. That is a good combination, as we don’t get access to unlimited resources in the cloud. Because of this, we still have our own servers for locations with very high traffic so that we can absorb peak loads. When we started ten years ago, it simply wasn’t possible to build an Anycast service without sending your own physical servers around the world. But cloud infrastructure has changed hugely over recent years. So we have moved over to making increased use of cloud-based servers. This puts an end to shipping hardware to Japan and the USA, which is a highly complicated and costly undertaking.


A growing customer base inevitably means more customer data. In Europe, data protection has a major role to play. How does ipcom deal with that?
For TLD DNS and secondary DNS alike, customer data can only be stored on the servers in encrypted form. There wasn’t a whole lot for us to change in the wake of the EU’s General Data Protection Regulation (GDPR) as we had always been extremely vigilant when it came to customer data anyway. However, as an Anycast provider we have a global set-up, with servers all over the world, meaning that we also export customer data outside the EU. American and Asian providers are under no compulsion to comply with the GDPR. For us, it can be complicated as we need additional agreements to make sure that everything is GDPR-compliant.


What were your personal highlights of the past ten years?
Our DNSSEC signing service was a major milestone. DNSSEC is highly technically complex and we have come up with very effective – and stable – solutions to the challenges associated with the service. For customers, using it is child’s play. It’s pretty easy to make mistakes with DNSSEC, which is why we built numerous protective mechanisms into our signing service. The second major milestone came with the introduction of the dedicated system for secondary DNS. Before its introduction, all customers landed on the same server. If one customer was attacked, then everyone else suffered with them. But now we have a dedicated system that we use for customers with 50,000 domains or more. The customer gets their own large-scale system and is independent as a result.