Self-developed Software System Featuring High-performance
CNNIC has developed independently a series of safe resolution software including Zlope, a recursive server software, and Zebra, an authoritative server software.
Zlope is recursive resolution server software customized for SDNS service in line with the requirements of recursion service. It is an embodiment of security, high-efficiency and convenience. It has taken into account DNS security in every detail and can effectively protect DNS from being attacked. It supports DNSSEC lookup and keeps cache under complete control.
Zebra, as essential authoritative software of national domain service platform boasting of high-performance and high availability, supports the record of high-volume information and is compatible to DNSSEC deployment. It provides secure, stable, fast and authoritative resolution service for users.
Reliable Wide Area Service Cluster
Advantages of Service Architecture
Reliable wide area service cluster has been built up in the three major operators (China Telecom, China Unicom and China Mobile) and CERNET in light of the distribution features of public recursion service areas and the intercommunication among different domestic operators unique to China. IP Anycast+BGP technology is adopted and deployed in a trans-area and trans-operator format so as to enable users from different areas to access the nearest service and enhance the resolution speed.
The service capacity of SDNS service cluster is substantially extendable and can extend quickly depending on users’ visit capacity, which ensures reliable, stable and incessant service.
Technological Advantages of Anycast
Different clients will access different destination hosts and this process is open to clients, which results in load balancing of destination hosts.
When a destination host is unreachable due to a failure in the accessing network of the destination host, the client’ request will be automatically routed to the closest reachable destination host without human intervention, which provides redundancy for the destination host to some degree.
When the destination host is unreachable because of a Dos attack, the client’ request will be routed to other destination hosts as a result of unreachable network. The load balancing effect of Anycast protects a single destination host from bearing all attack in the event of a DDos attack, thus enhancing the security of destination hosts to a certain degree.
As Anycast can measure the closest destination host by routing, the response speed of the client is greatly increased.
Professional Operation Monitoring Platform
Full Monitoring by CNNIC National Domain Security Monitoring Platform
CNNIC National Domain Monitoring Platform has deployed 10 data monitoring sites all around the country so as to realize continuous monitoring for 7*24 hours of the domain name service system. SDNS is inspected in a comprehensive manner in terms of five dimensions including failure, configuration, traffic, performance and security. By initiative monitoring of service nodes, the operating state of SDNS is examined in advance so as to predict potential risk before the breakdown of service.
Self-developed Attack-resistant Equipment
DNS attack-resistant equipment developed independently by CNNIC can protect recursive/authoritative server from DoS/DDoS attack and SYN Flood attack. It also has such security functions as traffic monitoring and control, traffic counting, and statistics of network environment characteristic states.
Independent Traffic Analysis System
DNS traffic analysis monitoring system conducts real time monitoring of SDNS traffic by means of switch traffic mirroring. It analyzes thoroughly DNS request and response data packet, associates DNS request source addresses, and monitors and identifies abnormity of DNS traffic. By analyzing history statistics of SDNS, it furnishes basis for decision-making on product management and system maintenance in later stage.
