
Thoughts on the GoDaddy DNS DDOS Attack, Outage, and DNS hosting options

So with the big outage today, I did some quick looking around. Just wondered if there were any DNS registrars that have decent security practices. It’s tough to find. Not that the attack on GoDaddy was a security breach, it wasn’t. It was a Denial of Service attack, not a hack. But I didn’t know that when I started looking. I still wondered regardless.

Here’s the thing that concerned me though. Of all the places you could have an online account, a DNS registrar should be a super secure service. Right? Right up there with banks and such. I mean, if a DNS registrar is down, so are all their DNS names. Right? That’s huge!

Now, I only checked a few places, and I can’t get to GoDaddy right now to compare, but here’s something I found. Go to your registrar of choice, go to Login and click the “Forgot Password” link they might have. If they say something like “send your password in email” to you, something is wrong. They should never be able to “send your password”. They should be able to reset your password, yes, but not send your password.

For one, they are sending that password in the clear in an email. I don’t really like that idea. But more importantly, they are storing your password insecurely! I don’t like that either. I suppose, they could be encrypting it in the database and then decrypting to send to you, but that practice, from my own understanding, is not using best practices for secure online services. Am I wrong on that? I don’t think so.
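What “reset, but never send” looks like on the server side, as an added example that is not part of the original post and not any registrar’s actual code. The `AccountStore` class, its in-memory dictionaries and the 15-minute token lifetime are assumptions made for illustration; the point is that only a salt and a PBKDF2 digest are stored, so there is no password to e-mail back.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor
RESET_TTL = 15 * 60       # assumed token lifetime in seconds

class AccountStore:
    """Constructed in-memory store: keeps salts and digests, never passwords."""

    def __init__(self):
        self.users = {}    # name -> (salt, digest)
        self.resets = {}   # sha256(token) -> (name, expiry)

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def set_password(self, name, password):
        salt = secrets.token_bytes(16)          # fresh random salt per password
        self.users[name] = (salt, self._kdf(password, salt))

    def verify(self, name, password):
        # Unknown users still cost one KDF call, so timing does not reveal them.
        salt, digest = self.users.get(name, (b"\0" * 16, b""))
        return hmac.compare_digest(self._kdf(password, salt), digest)

    def start_reset(self, name, now=None):
        """Return a one-time token to e-mail; only its hash is kept server-side."""
        if name not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.resets[key] = (name, now + RESET_TTL)
        return token

    def finish_reset(self, token, new_password, now=None):
        """Consume the token (single use) and set a new password if it is valid."""
        now = time.time() if now is None else now
        entry = self.resets.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

A service built this way can only offer a reset link; a “send my password” feature would require reversible storage.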

Anyway, I am no expert, but it just got me thinking. I don’t mean to pick on GoDaddy because of their outage today or because of any security practices of theirs, but having my DNS go down made me think about a few things. Does anyone know of a registrar that at least has some common security practices in place? Any of them actually hashing your passwords in DB? (and while I am at it, do they provide private whois in the price?)

One thing I am considering, which this issue also brought up, is hosting my DNS servers separate from my registrar. I have Cloud DNS as part of my Rackspace Cloud Servers. I may utilize that for my DNS server records, where I can set all my A, CNAME, and MX records. Then get that off of GoDaddy. Only use GoDaddy for the registration of my domain names. At least not ALL of my eggs will be in one basket.

Why isn’t there a “cloud” DNS registrar? Maybe that isn’t worded right. What I mean is, I have to register my domain name at a single registrar. If SomeAttackerDude (or whoever) decides to take down my registrar’s servers/data center, my DNS is down for everyone. Why isn’t there a service that allows my registration to exist at many registrars’ servers? So it’s not only my DNS servers that are distributed, it’s the DNS registrations as well. Seems like, in 2012, we should have DNS be a bit more “distributed”, don’t ya think?

But I think I am just being ignorant on the above thought. I don’t really know if keeping my DNS registration and DNS hosting separate would help or not in today’s attack. I guess, thinking about it now, does your registration go to the “ROOT” DNS servers? If so, then it is distributed, right? However, if your DNS domain record is only accessible at GoDaddy (or other registrar), then it’s not distributed. I lack some knowledge on that part, I have to admit. Maybe someone out there with better understanding of DNS root servers and registration technical stuff could chime in on that. If registrations are distributed though, keeping my DNS hosting at Rackspace would have allowed my sites to work today. Even better, I should host DNS at two places, separate from my registrar. Maybe Amazon Route53 too?

It’s a lot to think about! I hope by the time I post this everyone is back up and running!

 

UPDATE: 2012-09-10 (later this evening)

Did a little research. Still no expert, far from it, but remember my learned principles from years back now. I just couldn’t answer my own question, that I knew my clients would be asking at some point, does keeping my DNS hosting separate from my DNS registration help in a situation like GoDaddy DDOS outage? Yes. Yes, it does. Especially if you put your hosts at two different providers.

Here’s a great article on the process of DNS:

http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Basically, a “registrar” is the entity acting on your behalf. They provide the DNS registries at the top-level domains (TLDs or gTLDs) with the name servers for your domain. So, because the TLDs are distributed, they are available even though GoDaddy is not. And they refer requests for your domain to your name servers, where requesting clients can receive a response for the individual A host records.

So, IF YOU HOSTED DNS at GoDaddy today, the TLD’s root servers referred requests to your hosted name server, which wasn’t available to return host records, and therefore, no web site in the user’s web browser! If you had only registered your domain with GoDaddy, but then hosted DNS name servers at your ISP or other web hosting provider, those would still have been available to answer requests, and your sites would still be up.

Keep in mind, none of this has anything to do with actual web sites or emails hosted at GoDaddy but those would have been down too. I am only talking about the DNS issue itself, which is where my particular problem was.

Easy fix.  Keep GoDaddy as your registrar, or don’t, host your DNS at two other providers. Basically use your registrar to handle your domain registration, but keep all hosting elsewhere.
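The delegation reasoning above, as an added example that is not part of the original post: it parses a domain’s NS set and reports which single provider outage would leave no name server able to answer. The dig-style sample records, the `.example` host names and the `PROVIDERS` suffix map are all constructed placeholders.

```python
# Constructed delegations in dig-style answer format (placeholder host names).
ALL_AT_REGISTRAR = """\
example.com. 172800 IN NS ns1.registrar-dns.example.
example.com. 172800 IN NS ns2.registrar-dns.example.
"""
SPLIT_ACROSS_TWO = """\
example.com. 172800 IN NS dns1.provider-a.example.
example.com. 172800 IN NS dns2.provider-a.example.
example.com. 172800 IN NS ns-101.provider-b.example.
"""

# Assumption: the operator supplies which name server suffix belongs to whom.
PROVIDERS = {
    "registrar-dns.example": "registrar",
    "provider-a.example": "provider-a",
    "provider-b.example": "provider-b",
}

def parse_ns(text):
    """Return name server hosts from NS lines, lower-cased, trailing dot removed."""
    hosts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            hosts.append(fields[4].rstrip(".").lower())
    return hosts

def provider_of(host):
    for suffix, name in PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return "unknown"   # conservative: all unmapped hosts count as one provider

def resolvable(hosts, down):
    """The TLD still refers to every NS; one reachable server is enough."""
    return any(provider_of(h) not in down for h in hosts)

def single_points_of_failure(text):
    """Providers whose outage alone makes the zone unresolvable."""
    hosts = parse_ns(text)
    if not hosts:
        raise ValueError("no NS records found")
    providers = sorted({provider_of(h) for h in hosts})
    return [p for p in providers if not resolvable(hosts, {p})]
```

For a real domain, the input would be the NS answer returned by the TLD servers, with the suffix map filled in for the providers actually in use.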

One other side note, does GoDaddy send passwords back in emails? Hmmm…. let me check. (20 seconds later) NOPE! Nice! They have a “password reset” feature and I don’t see any place where they send you your existing password. Gotta at least commend them for that! And for their hard work to get up and running today after a major take down. Now, we have no idea how your passwords are protected there, but…

… On their site as of about 8:00pm PT they say:

At no time was any sensitive customer information, such as credit card data, passwords or names and addresses, compromised.

Nice, actually that’s good to hear. I was concerned this was a major hack and customer information was compromised.  Sounds like this was only a DDOS attack, no hack.

But I am still going to move some of my clients to a new registrar, having nothing to do with GoDaddy, simply that I don’t want all my eggs in one basket. I am also going to remove DNS hosting from GoDaddy. Not a problem with GoDaddy, just the too many eggs thing again. Seems much better to me to keep my DNS hosted in two other locations. My web hosts themselves, they are already in other locations, so no issue there.

Just an extra note. I am considering some DNS registration moves to 1&1; unlike several other registrars I saw today, they don’t have a “send your password to you” problem. Plus they have included private registration. Cool. My DNS hosting, that will go to Rackspace Cloud and/or Amazon Route53 I think.

 

UPDATE: 2012-09-11

So I just heard the GoDaddy outage was not from a DDOS as reported by, well, everyone yesterday.  GoDaddy has reported that it was not a hack, not a DDOS, but some sort of router corruption and network problems.  ???  What?   I guess it wasn’t a hack, so that’s good?  Oh well, they are up and running, and I am moving part of my client base to Namecheap. (not 1and1)  And as previously said, I am moving DNS hosting to Amazon and Rackspace.