DNS Routing – How Does It Differ from BGP Routing?
An important challenge in deploying a cybersecurity defense solution is ensuring that it is actually present. If an attacker can easily bypass your defenses, they’re worse than useless. Users apply BGP and DNS routing to protect themselves online.
This is especially true for DDoS mitigation services. The point of these services is to stand between your systems and all of the traffic. They filter out anything part of a Denial of Service (DoS) attack. Since the main threat of a DoS attack is the volume of traffic coming at your systems, any traffic that slips past the defenses may render them useless. The simplest method to ensure that all traffic passes through your cybersecurity defenses is by placing them physically between your network and the Internet. However, the increased availability of cloud-based solutions makes this approach ineffective.
The architecture of the Internet and the protocols that it uses provides a couple of other options. Both BGP and DNS routing can be used to direct Internet traffic along the paths that you prefer. However, they both work in different ways and have their own strengths and weaknesses.
What is BGP Routing?
The Border Gateway Protocol (BGP) is to help computers find routes for their traffic across the Internet. The size and complexity of the Internet make it difficult or impossible for every computer to know a route to every other computer.
Instead, the Internet is broken into sections maintained by Autonomous Systems (ASes). Each AS is responsible for knowing how to route traffic to computers within its system (which isn’t hard since many ASes are ISPs). ASes send their routing information to other ASes. So a computer can easily send out a query to find out the best route on the Internet.
One of the biggest pros and cons of BGP is that computers don’t actually verify the routes provided to them. In fact, if an AS is with a better route than its official one, it’s likely to replace its current route with the alternative one. This opens up the protocol to attack, by someone advertising fake, short routes to control how traffic flows. However, it can also be used to enable BGP Routing.
By advertising fake routes to their own systems, website owners can control the paths traffic uses to reach their site. This can be a valuable asset. Since it allows the traffic to route through a third-party firewall provider or other external defensive solutions without significant modifications to the underlying hardware or software.
What is DNS Routing?
The Domain Name System (DNS) is a protocol used by the Internet to direct traffic to its intended destination. The purpose of the DNS network is to make using the Internet easier. It achieves this aim by making the address of a website easier to remember.
One can identify a given computer using an IP address. Most people currently use IPv4. So an IP address looks like a series of four numbers separated by periods, like 188.8.131.52. While easy for computers to remember, this doesn’t make it easy for the human user to associate an address with a specific website. Instead, we remember and use domain names for addressing, like google.com. Easy for users to remember and much easier for marketers trying to advertise their product.
The Domain Name System is what performs the translation between the domain name and IP address. Servers around the Internet keep lookup tables of records matching websites domain names to IP addresses.
While this is to point users directly to their intended website, it can also be used as a routing solution. For example, the website has a third-party firewall provider. Then they can modify their DNS records to point to the firewall instead. After scanning the incoming traffic, the firewall provider can then securely forward it to its intended destination. It ensures that the user visits the site that they wanted, while the website benefits from the firewall’s protection.
DNS vs. BGP Routing
Both BGP and DNS routing allow an organization to manage the paths that traffic travels to reach their systems. This can be extremely useful when using a third-party cybersecurity service provider since traffic can be routed through their systems before reaching its destination.
However, when using routing for this purpose, it’s important to know the differences between their capabilities and tailor your choice to the expected attack vector. The main limitation of DNS routing is that it only impacts users who take advantage of DNS’s domain to IP translation services. If an attacker knows your IP address, they don’t need the DNS system and will route their traffic directly to your machines. Despite this, DNS routing is a good choice for protecting against application-level attacks.
BGP routing works best at the network layer, protecting against attacks directed at your particular IP address. If you can update the ASes’ routing tables to include an alternative route through your cybersecurity defenses.
This approach may be more complicated than DNS routing, so it’s best when your organization expects attacks that bypass the DNS system.
Routing for Defense
Both BGP and DNS routing allow an organization to control how traffic reaches its systems, routing it through any number of third-party defenses before reaching its destination. This is especially important for DDoS protection since any route that bypasses the DDoS scrubbers is usable for launching the attack. When selecting a DDoS protection provider, ensure that they offer both DNS and BGP routing solutions to protect against all attack vectors.