The Akamai Blog

A Rich Policy Language for the DNS

For many years ISPs in certain parts of the world have been required by their regulators/governments to redirect certain websites that were deemed malicious or suspicious. DNS offered a straightforward way to do this, and Nominum, a DNS company that is now part of Akamai, developed an early mechanism using a DNS zone file that made it simple for ISPs to comply. The technology was originally named "Malicious Domain Redirection" (MDR), and it basically allowed DNS server operators to perform a single action for a given domain name. Actions could be categorized so that each action or redirection did not have to be repeated.

Governments continue to pursue initiatives to impede access to the internet in various ways, but it's also become clear that internet users themselves are interested in managing their internet access. For instance, families want to enable filters in their homes so children can take advantage of everything that's great about the internet, but in an age-appropriate way. Network-based solutions that don't require lots of administrative overhead are especially appealing to this audience.

In considering the requirements for more personalized DNS-based services, Nominum quickly discovered that expressing policies in DNS zone files had limitations. Advanced use cases like personalized parental controls for home internet (where each family can choose what kinds of content are permitted in their home, and who gets to see what¹) could not be implemented, and even protecting DNS servers themselves became more challenging as attacks got more sophisticated.

As a result, Nominum developed a far more versatile DNS policy engine called "Lightweight View Policies" (LVP), which ultimately became the foundation for an entire suite of applications. LVP allows for a degree of personalization and targeting of malicious DNS traffic that simply isn't possible with one-dimensional policies.

To give a sense of its considerable power and flexibility, one set of domain-based policies can be applied to one subscriber/IP, and a completely different set of domain-based policies can be applied to another subscriber/IP - every IP can have a unique view of the internet. Any aspect of the DNS packet (domain, query type, result code, size, etc.) can be used as a trigger and policy triggers can be time-based (no social media for teens during study time and dinner!). Policies can be applied at any time in the query process (pre-query, post-query or pre-send) and rate limiters can be applied at any stage of policy evaluation. They can also be connected with logical operators (AND, OR, NOT), and ordered, nested, and evaluated with priorities. Subsequent enhancements even allow policies to be applied to individual devices and users behind a residential gateway or NAT. There are many more features to enable fine-grained management of DNS query traffic.
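The model described above (per-client views, domain and time triggers, logical operators, priorities) can be sketched as a small evaluator. This is an added illustration, not Nominum's LVP syntax or implementation; every name, address, domain and action string in it is a constructed assumption.

```python
# Added illustration only: a toy per-client policy evaluator, not LVP syntax or code.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Query:
    client: str   # source IP of the DNS query
    qname: str    # queried domain name
    qtype: str    # record type, e.g. "A"
    at: time      # local time the query arrived

# Triggers: each builds a predicate over one aspect of the query.
def client_in(cidr):
    net = ip_network(cidr)
    return lambda q: ip_address(q.client) in net

def domain_in(names):
    def match(q):  # matches the name itself or any parent domain in the set
        labels = q.qname.rstrip(".").lower().split(".")
        return any(".".join(labels[i:]) in names for i in range(len(labels)))
    return match

def between(start, end):
    return lambda q: start <= q.at < end

# Logical operators for combining and nesting triggers.
def AND(*ps): return lambda q: all(p(q) for p in ps)
def OR(*ps): return lambda q: any(p(q) for p in ps)
def NOT(p): return lambda q: not p(q)

# Constructed sample data: documentation-range IPs and example domains.
MALWARE, SOCIAL = {"bad.example"}, {"social.example"}
HOME_A, HOME_B = client_in("192.0.2.10/32"), client_in("198.51.100.7/32")
STUDY_OR_DINNER = OR(between(time(16), time(18)), between(time(19), time(20)))

# (priority, trigger, action): lowest priority number is evaluated first.
POLICIES = [
    (20, AND(HOME_A, domain_in(SOCIAL), STUDY_OR_DINNER), "block"),
    (10, domain_in(MALWARE), "redirect"),              # applies to every client
    (30, AND(HOME_B, domain_in(SOCIAL), NOT(between(time(7), time(21)))), "block"),
]

def evaluate(q, policies=POLICIES):
    """Return the action of the first matching policy, or "resolve" if none match."""
    for _, trigger, action in sorted(policies, key=lambda p: p[0]):
        if trigger(q):
            return action
    return "resolve"
```

The same query name yields different answers depending on which client asks and when, while the malicious-domain rule still applies to everyone first.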

These rich policy capabilities enable highly personalized services, which will be explored in a future blog post. Together with dynamic feeds that track unwanted or malicious web resources, it's possible to offer services that are updated continuously and automatically as target domains and IPs change, and as individual families change their preferences (as children get older and gain access to more of the internet, for instance). Network operators don't have to intervene as things change; everything is tracked and managed by the platform.

Policy has been part of every other networking element forever, and there's industry consensus about its use in the DNS. Paul Vixie presented "Response Policy Zones (RPZ) for DNS Redirection" at BlackHat a few years ago, and it was implemented in ISC BIND. Other DNS resolver implementations followed with varying degrees of capability. RPZ is conceptually similar to Nominum's early MDR implementation, but with a different syntax. Recent changes extend RPZ with multiple zone files, but there's no way to match on a client IP and then have successive domain-based policies, which limits the ability to support personalization of services. There's also no way to configure time-based policies.

There's strong alignment of interests between families looking to personalize their internet access, and ISPs looking to cement the subscriber bond with smart and sticky services. DNS-based solutions with rich policy enable a foundational layer of protection for subscribers that is lightweight and effective. When deployed with a platform that automates the distribution of dynamic domain feeds, policies and data to drive the system, it can be simple and seamless for both subscribers and providers.

¹ Personalized services also require a configuration portal that makes it easy for families to set filters and manage their devices. This will be discussed in a separate blog post.