Frequently Asked Questions
Are you serious about a secure and resilient DNS? We take DNS resilience very seriously and have designed our DNS server platforms and network for maximum resilience. The following provides information on frequently asked questions of CommunityDNS as well as information we feel is important. So if you are serious about a secure and resilient DNS please contact us. We look forward to hearing from you!
- What is DNS?
DNS (Domain Name System) is commonly referred to as the "address book of the Internet". Through DNS lookups, or queries, a human-readable name, such as a website name, is translated to the IP address of the destination the user wishes to reach.
- Why is the CommunityDNS platform proprietary and not based on either BIND or NSD?
When first looking to provide DNS services we looked at BIND. In our minds, while BIND was the most used DNS server platform, it did not meet our criteria for security and capacity. Without those you don’t have the resilience necessary to support the demands people, businesses, countries and online economies place on the Internet. Because of the deficiencies associated with BIND we knew that if we were going to build a truly resilient DNS platform we had to develop the platform ourselves. When NSD came out we felt it, like BIND, did not meet the requirements we had in providing for a resilient DNS.
Learn more: CommunityDNS' dedication towards security
- What does CommunityDNS have against Open Source?
Because of the deficiencies associated with BIND and NSD some people feel CommunityDNS has something against Open Source projects. CommunityDNS "does not" have any issue with open source development. Many great things have developed because of the "group-think" associated with Open Source. Both the BIND and NSD platforms are a result of the collective open source community. Because of that it is easy to see why BIND and NSD are the most widely used of the platforms. For CommunityDNS we set the bar high with regard to ensuring a resilient DNS. As mentioned before, because of the deficiencies associated with BIND and NSD, we felt they did not have the speed, efficiency or security necessary to provide for a truly resilient DNS.
CommunityDNS strongly believes that in order to have true resilience, platform diversity is necessary in every organisation's DNS environment. Therefore CommunityDNS believes organisations use CommunityDNS as a supplement to their existing DNS infrastructure; an existing infrastructure that can use either BIND or NSD. When embracing the concept of platform diversity by using both BIND and NSD, the downfall is that both platforms are based on open source coding. By mixing open source with proprietary you are bringing the best of both worlds into your DNS infrastructure as you are not only utilizing two different platforms, you are utilizing a proprietary platform that is not open to the same security risks as found in an open source-developed platform. The Internet is relied upon heavily by individuals, businesses, countries and online economies. Having a resilient DNS platform that incorporates strong levels of security and capacity into its design is the best way to provide a resilient DNS.
- CommunityDNS is only a DNS network for ccTLDs and TLDs?
The short answer is "No". While CommunityDNS first grew serving customers from the ccTLD and TLD community, CommunityDNS also provides secure DNS services for the resilient-minded registrars, ISPs, hosting providers and enterprises.
- Why does CommunityDNS go to such lengths to provide for speed and security?
What is DNS? The Domain Name System, or "the DNS", is at the heart of the Internet. The DNS is what translates human-readable Internet addresses into the IP (Internet Protocol) address numbers computers understand. Maintaining a resilient Internet is important.
Whenever an individual Internet user, a business, a country or an online e-commerce operation relies on the Internet, it relies on the DNS. The malicious community has shown its willingness to disrupt DNS for financial gain. Such attempts are well documented. The malicious, or hacker, community has become more organised and is well funded. To help fuel their need for money they trick users into reaching their sites, whether for selling bogus products for a profit or obtaining sensitive, personally identifiable information. This has always been a serious matter. Studies have shown that because of such actions by the malicious community there is a percentage of the Internet user base that is reluctant to purchase items through the Internet, thus limiting the potential for a country's or region's online economy. The other reason is that organisations post their respective zone data through DNS. It is imperative that such data remain secure and tamper-proof. So yes, security is VERY important to us.
The reason CommunityDNS applies so much effort towards speed with each of its DNS servers, aside from it being good practice to develop efficient code, is that "speed" is the unspoken element in a resilient DNS. If the malicious community can send data faster than a DNS platform can handle, legitimate queries are kept from being answered, and thus an outage occurs. If a DNS platform has the speed to handle high volumes of traffic, legitimate queries can still be handled without the platform appearing to "fall over". There have been well documented instances where DNS platforms fail at traffic levels far lower than what CommunityDNS handles on an average, non-busy day. With that said, speed is the unspoken dimension of DNS as it relates to resilience. The greater the speed, the greater the capacity a network has for ensuring resilience. So yes, speed is VERY important to us.
Here is a good video describing what CommunityDNS does and why we go to such lengths and why our secure DNS platform provides for maximum resilience of the DNS.
Learn more: CommunityDNS believes capacity is a necessity
- What are CommunityDNS' plans for DNSSEC?
Because of the malicious community's work in cache poisoning, the development and rollout of DNSSEC (DNS SECurity) is necessary. While there is still much to be done in DNSSEC's development it is still a good step forward. Recognizing this need, CommunityDNS was an early adopter of DNSSEC and supports all three flavors of DNSSEC (NSEC, NSEC3 and NSEC3 with OptOut). CommunityDNS has always supported NSEC, as the platform was developed to incorporate NSEC. When NSEC3 was ratified in March 2008 CommunityDNS was NSEC3 compliant shortly thereafter. In mid 2009 CommunityDNS became fully compliant with NSEC3 with OptOut.
While some DNS providers have added support for DNSSEC in 2010 and others are still planning, CommunityDNS was at the front of the movement with its support of the eventual rollout.
Learn more: CommunityDNS' dedication towards DNSSEC
- What are CommunityDNS' plans for IPv6?
Understanding how the Internet has grown beyond what people had originally imagined, and understanding the alarming importance of an ever decreasing number of available IPv4 addresses, CommunityDNS incorporated IPv6 (Internet Protocol version 6) into its initial dynamic DNS server platform design. Since CommunityDNS' platform was first released the network has been fully, or "native", IPv4 and IPv6 compliant.
- What are CommunityDNS' plans regarding IDNs?
IDNs (Internationalized Domain Names) are destined to create a fundamental shift in how the Internet is used. Since more people do not use the Internet than those who do, the introduction of IDNs will provide not only a regionally and culturally-based Internet experience, it will also allow those who are not using the Internet today to enjoy its benefits. CommunityDNS realized early on the importance of supporting IDNs. When the final method for handling IDNs was determined, CommunityDNS built full support for IDNs throughout its network. While IDNs at the TLD level are only now being rolled out, CommunityDNS has been supporting 2nd level names, or subdomains, that require IDN support for a while now.
- CommunityDNS “Fast Facts”
A good summary of CommunityDNS may be found by going to the CommunityDNS “Fast Facts” page.
- What is/will be the functionality of a “production” web management panel? Is it the same as the current one available after registration with Community DNS?
While the test bed offers limited functionality, the production server provides participating DNS Operators with a robust system in place. The participating DNS Operator instructs Community DNS to collect the zone data from a specific IP address of its master name server. Community DNS then hard codes that information in and locks it down. The DNS Operator can trigger an update by sending Community DNS a NOTIFY and the Community DNS platform will automatically update. The DNS Operator can also force an update check from the STATS pages.
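The update trigger described above, sketched from the secondary's side as an added example (not CommunityDNS code, which this page does not show): the NOTIFY is treated only as a hint, it is honoured only when it comes from the master address pinned for that zone, and a transfer is started only if the master's SOA serial is newer. The names `PINNED_MASTERS`, `parse_notify`, `serial_newer` and `handle_notify`, the zone, the addresses and the serials are all assumptions constructed for illustration.

```python
import ipaddress
import struct

OPCODE_NOTIFY, TYPE_SOA = 4, 6                   # RFC 1996 opcode, SOA qtype
PINNED_MASTERS = {"example.org.": "192.0.2.53"}  # constructed sample config
# Constructed NOTIFY for example.org: id 0x1234, opcode 4 + AA, one SOA/IN question.
SAMPLE_NOTIFY = (struct.pack("!6H", 0x1234, 0x2400, 1, 0, 0, 0)
                 + b"\x07example\x03org\x00" + struct.pack("!HH", TYPE_SOA, 1))

def parse_notify(msg: bytes):
    """Return the zone named in a NOTIFY request, or None if msg is not one."""
    if len(msg) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!3H", msg[:6])
    if (flags & 0x8000) or ((flags >> 11) & 0xF) != OPCODE_NOTIFY or qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):  # reject pointers/truncation
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg) or struct.unpack("!H", msg[pos:pos + 2])[0] != TYPE_SOA:
        return None
    return ".".join(labels) + "."

def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial comparison, so a wrap past 2**32 - 1 still counts as newer."""
    return candidate != current and ((candidate - current) & 0xFFFFFFFF) < 0x80000000

def handle_notify(msg, src_ip, local_serial, master_serial):
    """Decide what to do with a NOTIFY. master_serial stands for the SOA serial
    the secondary itself fetched from the pinned address, never from the sender."""
    zone = parse_notify(msg)
    if zone is None:
        return "ignore: not a NOTIFY"
    master = PINNED_MASTERS.get(zone)
    if master is None or ipaddress.ip_address(src_ip) != ipaddress.ip_address(master):
        return "ignore: sender is not the pinned master"
    return "transfer" if serial_newer(master_serial, local_serial) else "up to date"
```

Source-address pinning alone does not authenticate a UDP sender, which is why the serial is always read back from the pinned master before any transfer is started.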
- Will the web management panel provide some functionality to collect DNS statistics e.g. number of queries, ranking of networks generating most traffic, etc?
Yes, a participating DNS Operator will have access to data relating to activity in its own zone(s) from each name server location. CommunityDNS' global Anycast network map illustrates nodes positioned around the globe to ensure maximum resilience.
IN ALL CASES, monitoring tools are secure so that only the participating DNS Operator has access to data, monitoring, and other activities in its own zone(s).
In addition, a participating DNS Operator will also have access to lists of actual updates (add/modify/deletes) by time of day and maximum/minimum number of names that day as well as general graphs such as: Total query rate for the Anycast cloud, total queries to its IP Address and number of queries on each individual server location - giving the DNS Operator regional analysis, total number of names, and update levels.
- Will the Community DNS Shared Resolution System support DNSSEC?
The simple answer is 'yes'. The System has been designed to anticipate the introduction of DNSSEC once appropriate standards have been adopted, published and adequately tested for implementation.
- Will the Community DNS Shared Resolution System support IXFR, TSIG?
Community DNS currently supports RFC 2136 compliant Dynamic Updates, optionally signed with an RFC 2845 compliant TSIG. A DNS Operator can test it currently on the test bed platform by simply selecting Dynamic Updates and giving Community DNS the IP address of the Operator's server followed by "/" and your TSIG key. For example:
Updates using AXFR and IXFR are also supported. The server will automatically detect if the DNS Operator's master supports IXFR and request it if it is supported.
- Will the Community DNS Shared Resolution System use RNDC KEY to authorize dynamic updates?
Community DNS prefers to use TSIG to authorize Dynamic Updates. RNDC.KEY is better used for obtaining data from the remote server. TSIG is for signing packets, while RNDC (Remote NameD Control) is for remotely controlling a BIND server, but it can also be used to remotely ask for very limited stats information.
- How fast is the recovery time with the Community DNS Shared Resolution System?
It is absolutely vital for a DNS solution to have a fast recovery time for many reasons including disaster recovery. And the Community DNS Shared Resolution System has the fastest in the industry. Under current conditions, for a zone of 1 million names, its recovery time would take only 4 seconds! And improved performance can be expected in the future.
- Does the Community DNS Shared Resolution System come with an SLA?
The System offers and operates to a 99.999% SLA.
- Is the Community DNS Service intended to serve as a slave or a master?
Generally, the Community DNS anycast service is intended as an outsourced slave service designed to supplement the DNS Operator's existing resolution system. However, if desired by the DNS Operator, Community DNS can implement a full DNS system, including Master and Slaves which fully utilize the Community DNS resolution capabilities.
- How much does it cost?
The Community DNS Shared Resolution System is set up to have a flat monthly fee based on the volume of domain name registrations in a DNS Operator's zone(s). It is priced at a fraction of the cost of alternative DNS providers or even in-house development and deployment costs. Pricing information, and special programs for Operators in developing regions, are available through a Community DNS representative.
- How many names can the Community DNS Shared Resolution platform handle?
As of July 2007, the System has been tested to a capacity of 500 million names, answering in excess of 100,000 queries per second (6 million queries per minute, 8.6 billion queries per day) for each server in the Anycast constellation. This not only provides zones with fast and reliable service, but gives Community DNS ample capacity to thwart even the most sophisticated DDoS attacks of today. And additional performance enhancements are on the horizon.
- Can a participating DNS Operator manage its own zone and the data that is collected?
The Community DNS Shared Resolution platform gives a DNS Operator outsource advantages with maximum ability to control and manage its own zone(s) and data, with flexible service offerings.
CommunityDNS: Proven leader in DNS
It is with this level of leadership, and a thorough understanding of the importance of security, that CommunityDNS strives for excellence in DNS resilience. As leaders in security and capacity as well as the early adoption of IPv6, DNSSEC and IDNs, CommunityDNS’ dynamic DNS services remain fully capable of resolving ALL of the world’s queries using the network engineered for security, optimized for speed and designed for resilience.