June 7th, 2011
What’s wrong?
In May, just after the April 2011 Amazon Cloudpocalypse, Heroku experienced a DDoS attack on its service. In the aftermath, Heroku posted revised DNS guidelines, suggesting that root domains (example.com) not be used, in favor of subdomains (www.example.com).
Now this was pretty strange, since it ran counter to a trend that preferred root domains since they simplify URLs and branding. Most sites are configured so that example.com and www.example.com go to the same place, making the subdomain redundant. Given the choice, it is much more straightforward to just use the root.
In DNS, however, the two operate under very different rules. Subdomains are configured using a CNAME record, which can point to another domain (somewhere.com) or IP address (127.0.0.1, for example). But root domains have to use A records, which are only supposed to point to IP addresses, representing a particular physical computer server.
In cloud computing however, there is no concept of physical servers. Everything is virtual, which allows you to easily add, remove servers and other resources. Resources just appear, ready to be used.
What Heroku found was that during the attack, it needed to shift resources around to dodge the attacks. Because they’re on a cloud platform and they’re smart guys, they accomplished this feat easily. But many applications on their system weren’t able to mimic the dodge because they had their root domains chained to three immovable IP addresses.
If you tried to access your website at example.com, it wouldn’t respond, because your browser was trying to get info from one of the IP addresses, which were suffering the attack. However, if you tried www.example.com, you were talking to proxy.heroku.com (via CNAME record), which had already dodged the attack and was functioning normally.
I don’t pretend to understand the full implications of this, but it seems clear that ideas about how DNS should work aren’t relevant, or even compatible, with cloud computing. This, I imagine, gets some hardcore engineers pretty excited, since it means there is a growing need and opportunity to rewrite some of the rules about how the Internet works, and who wouldn’t want to be involved in that?
It makes me wonder about what other standard assumptions are also beginning to fray, and I find myself taking more time to consider well-established details, looking for loose threads to pull.