CTIT University of Twente

DNS Anycast Security

Project Number: 628.005.014

Project Manager: Prof. dr. ir. Aiko Pras

Project website:


The Domain Name System (DNS) is one of the most essential services for the operation of the Internet. If the DNS fails, communication over the Internet becomes impossible.

A key problem for the stability of the DNS is DDoS attacks. The severity of such attacks is quickly becoming a huge problem; according to recent studies, we witness a yearly growth of between 50% and 100% [1]. Not only do attackers (mis)use the DNS for large-scale distributed reflection and amplification attacks, but DNS servers themselves are increasingly becoming the target of DDoS attacks. Such attacks can be initiated by script kiddies (using "DDoS as a Service" websites), organized crime, terrorists and even nation states. Next to DDoS attacks, the load on DNS servers also increases quickly due to the Internet of Things (IoT), where billions of sensors and embedded devices are connected to the Internet. Finally, the concentration of Internet data and services within Content Delivery Networks (CDNs) and cloud services (Google, Facebook, ...) changes the pattern of DNS requests and the load on DNS servers.

An interesting approach to increase the stability of the DNS is to use anycast for DNS servers. In such an approach, multiple distributed DNS servers share the same IP address (as opposed to assigning a unique IP address to each server). Such replication not only increases the resilience against DDoS attacks, but also allows virtualization and distribution of DNS servers, as well as deploying and removing DNS servers at specific locations on demand to deal with transient query peaks. A challenge, however, is to solve the (self-)management problems associated with DNS anycast. Where to locate the anycast servers? How to route the traffic? How to add and remove virtual anycast servers without disrupting DNS operation? How to secure this new infrastructure?
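To make the anycast idea concrete, the following toy model is an added example (it is not code from the project or its partners). It assumes a constructed network topology in which several DNS sites announce the same address, routes every client network to the topologically nearest site (shortest hop count, a simplification of BGP path selection), and shows how withdrawing one site moves its clients to the next-nearest site without changing the address they query.

```python
"""Toy model of DNS anycast catchments (added example, constructed topology).

Several DNS sites announce the same IP address; each client network is routed
to the site with the shortest path.  Withdrawing a site (because it is
overwhelmed, or for on-demand removal) shifts its catchment to the remaining
sites while clients keep querying the same address.
"""
from collections import deque

# Constructed network: nodes are networks/ASes, edges are peering links.
# Names are hypothetical and chosen only for illustration.
TOPOLOGY = {
    "as1": ["as2", "as3"],
    "as2": ["as1", "as4"],
    "as3": ["as1", "as5"],
    "as4": ["as2", "as6"],
    "as5": ["as3", "as6"],
    "as6": ["as4", "as5"],
}

# The single address announced from every site (documentation prefix).
ANYCAST_ADDRESS = "192.0.2.53"


def hop_distances(topology, origin):
    """Breadth-first search: hop count from `origin` to every reachable node."""
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for neigh in topology[node]:
            if neigh not in dist:
                dist[neigh] = dist[node] + 1
                queue.append(neigh)
    return dist


def catchments(topology, sites):
    """Map each node to the anycast site it reaches over the shortest path.

    Ties go to the alphabetically first site: like BGP, the tie-break is
    deterministic but has nothing to do with distance.  Nodes that cannot
    reach any site map to None.
    """
    per_site = {site: hop_distances(topology, site) for site in sorted(sites)}
    result = {}
    for node in topology:
        best = None
        for site, dist in per_site.items():
            if node in dist and (best is None or dist[node] < per_site[best][node]):
                best = site
        result[node] = best
    return result


def site_load(catchment):
    """Count how many client networks each site serves."""
    load = {}
    for site in catchment.values():
        load[site] = load.get(site, 0) + 1
    return load


def withdraw(sites, site):
    """Stop announcing the anycast prefix from `site`."""
    return [s for s in sites if s != site]


if __name__ == "__main__":
    sites = ["as1", "as6"]
    before = catchments(TOPOLOGY, sites)
    print("catchments:", before, "load:", site_load(before))
    after = catchments(TOPOLOGY, withdraw(sites, "as1"))
    print("after withdrawing as1:", after, "load:", site_load(after))
```

With both sites announced, the six networks split evenly between as1 and as6; after as1 is withdrawn, all six are served by as6. The model shows why placement matters: the remaining sites must be able to absorb the shifted load, which is exactly the capacity and placement question the project raises.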

The goal of this project is to investigate the large-scale development and deployment of DNS anycast services, in particular the virtualisation, security and (self-)management of such services. Our approach is to collect unique measurement data from the large-scale DNS infrastructures operated by our industrial partners and analyse this data to validate our scientific results. To the best of our knowledge, we will be the first to perform such world-wide DNS anycast measurements and validation. Our contribution is to propose novel approaches to virtualise, secure and manage large-scale DNS anycast services.

Project duration: 1 January 2016 - 1 January 2017

Project budget: 150 k-€ / 75 k-€ funding

Number of fte's: 1 fte

Participants: UT, NL-Net, SIDN, SURFnet