Security

This article is more than 1 year old

CloudFlare launches nameserver DDoS shield

Hosed and hapless hosters to hide from hackers

Wed 11 Mar 2015 // 04:55 UTC

CloudFlare has launched a DNS proxy service it says will help organisations improve DNS resilience by pushing distributed denial of service attacks to the outer edge of its network.

The Virtual DNS service is billed as a means for DNS providers to mitigate a potential "massive single point of failure" in their nameservers caused by legacy IT infrastructure.

CloudFlare engineer Dani Grant says the service will act as a domain authority for nameservers.

"With Virtual DNS, DNS queries for the provider's records are responded to by the nearest CloudFlare edge location [and] if the proper DNS response is available in CloudFlare's cache, CloudFlare will return the response to the visitor, saving bandwidth at the origin nameserver," Grant says in a post.

"If the DNS response is not available in cache, CloudFlare will query one of the provider's nameservers in the background to fetch the DNS response and send it back to the visitor.

"To protect against attacks, malicious requests to the nameservers will be identified and blocked at CloudFlare’s edge before those requests ever make it to the provider's DNS infrastructure."

Grant says hosting providers often have stubborn legacy DNS infrastructure that lacks the security chops required for potentially thousands of clients that are provided nameservers.

The service will mask IP addresses of a provider's nameservers and continue to answer DNS requests from its cache in the event the servers are knocked offline.

She says the service has been tested over the last year and is being rolled out to enterprise customers.

New York-based virtual private server mob DigitalOcean signed on as an early customer in July and is now delivering 10,000 requests a second, according to Grant, without malicious traffic having hit its nameservers.

The project comes after the DDoS deflection platform in February deployed faster cipher suites to improve browsing on fondleslabs.

Late last year the company finished a two-year effort to switch on keyless SSL that let customers encrypt web traffic through its services without having to hand over private SSL keys. ®

Topics

Special Features

Vendor Voice

Resources

Security

CloudFlare launches nameserver DDoS shield

Hosed and hapless hosters to hide from hackers

More about

More about

Narrower topics

Broader topics

More about

More about

More about

Narrower topics

Broader topics

TIP US OFF

Other stories you might like

Sleuths who cracked Zodiac Killer's cipher thank the crowd

US government excoriates Microsoft for 'avoidable errors' but keeps paying for its products

Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online

Reducing the cloud security overhead

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Feds probe alleged classified US govt data theft and leak

Malicious xz backdoor reveals fragility of open source

OWASP server blunder exposes decade of resumes

H-1B visa fraud alive and well amid efforts to crack down on abuse

Feds finally decide to do something about years-old SS7 spy holes in phone networks

Rust developers at Google are twice as productive as C++ teams

Happy 20th birthday Gmail, you're mostly grown up – now fix the spam

About Us

Our Websites

Your Privacy