Airport DNS Infrastructure


Triple-Redundant DNS for Critical Aviation Systems

When a website goes down, it's usually because something broke. But what if the problem is bigger? What if an entire part of the country loses power or internet? For a busy airport, being offline could affect thousands of travelers checking flight times, booking parking, or getting directions.

I built a DNS system that can handle these worst-case scenarios. DNS is like the phone book of the internet. When you type "bishopairport.org" into your browser, DNS tells your computer where to find that website. If DNS stops working, no one can reach the site.

The Problem

The airport's previous setup was a basic cPanel configuration running on a single server. Even with careful planning and long TTL settings (which tell computers how long to remember DNS answers), this setup sometimes caused problems. When that one server had issues, visitors couldn't reach the website at all.

Most websites use DNS servers in just one or two places. If those places have problems, the website becomes unreachable. For an airport that serves as a regional hub, this kind of downtime is not acceptable.

The Solution: Three Servers Across Three Regions

I set up three DNS servers using Technitium, an open-source DNS server. Each server runs on its own VPS (Virtual Private Server) in a different part of the United States:

But geographic separation wasn't enough. We also made sure each VPS provider used a different network backbone. Network backbones are the major internet highways that connect different parts of the country. If two servers share the same backbone, a backbone outage could take both offline at once.

By choosing providers on separate backbones, we created true independence between the servers. A problem with one provider's network won't affect the others. This design means that even if a major disaster knocked out one entire region, two other servers would still be running. Users would barely notice any problem.

Adding DNSSEC for Security

DNSSEC is a security layer that proves DNS answers are real and haven't been tampered with. Think of it like a wax seal on a letter. It shows the message is genuine and hasn't been changed.

Without DNSSEC, attackers could redirect airport visitors to fake websites. Even worse, they could trick certificate authorities into giving them real security certificates for domains they don't own. Certificate authorities check if you control a domain before issuing certificates. If an attacker can hijack DNS, they can pass that check and get a valid certificate for a fake site.

With DNSSEC enabled, we completely closed this attack surface. No one can pretend to be the airport online. Browsers verify they're getting the real website address, and imposters can't obtain legitimate certificates for the domain.

We also added SSHFP records to the DNS. These records contain fingerprints of our server keys. When an administrator connects to a server, their computer can check DNS to confirm it's really our server and not an imposter. This adds another layer of identity verification.
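The SSHFP check described above, as an added example that is not part of the airport's actual tooling: it derives the SHA-256 SSHFP record for an OpenSSH public key and accepts a host key only when a matching record came from a DNSSEC-validated answer. The function names, the `dnssec_validated` flag (standing in for the resolver's validation result) and the key bytes are all constructed for illustration.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers by SSH key type (RFC 4255, 6594, 7479).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SHA256_FP_TYPE = 2  # fingerprint type 2 = SHA-256; SHA-1 (type 1) records never match


def sshfp_from_pubkey(pubkey_line):
    """Return (algorithm, fp_type, hex_digest) for an OpenSSH public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with a length-prefixed copy of the key type; it must agree.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    return SSHFP_ALGORITHMS[key_type], SHA256_FP_TYPE, hashlib.sha256(blob).hexdigest()


def parse_sshfp_rdata(rdata):
    """Parse the presentation form 'ALG TYPE HEX'; HEX may be split by spaces."""
    alg, fp_type, *hex_parts = rdata.split()
    return int(alg), int(fp_type), "".join(hex_parts).lower()


def host_key_matches(pubkey_line, sshfp_rdatas, dnssec_validated):
    """True only for a DNSSEC-validated answer containing a matching SHA-256 record."""
    if not dnssec_validated:  # unsigned SSHFP data proves nothing about the host
        return False
    expected = sshfp_from_pubkey(pubkey_line)
    return any(parse_sshfp_rdata(r) == expected for r in sshfp_rdatas)


def make_ed25519_line(raw_key):
    """Build a constructed ssh-ed25519 public key line from 32 raw key bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    server = make_ed25519_line(bytes(range(32)))  # constructed sample host key
    imposter = make_ed25519_line(bytes(32))       # constructed key of a different host
    record = "%d %d %s" % sshfp_from_pubkey(server)
    print("SSHFP", record)
    print(host_key_matches(server, [record], True))    # key matches the signed record
    print(host_key_matches(imposter, [record], True))  # different key is rejected
    print(host_key_matches(server, [record], False))   # unvalidated answer is rejected
```

OpenSSH performs this lookup itself when `VerifyHostKeyDNS` is enabled in the client configuration, and `ssh-keygen -r` prints the SSHFP records for a host's keys.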

For email security, we configured SPF, DKIM, and DMARC records. These work together to prevent email spoofing:

Because all these records are protected by DNSSEC, attackers can't tamper with them. The airport's emails are delivered securely, and no one can send fake emails pretending to be from the airport.

How It Works Together

When someone types the airport's web address:

  1. Their computer asks DNS for the website's location
  2. The request goes to whichever of the three servers is closest
  3. That server responds with the correct address
  4. DNSSEC proves the answer is authentic
  5. The browser connects to the real airport website

If one server goes down, the other two take over automatically. Users don't need to do anything different.

Results

The system achieved an A+ rating for DNS resilience. This means:

The strategic choice to use different providers on separate backbones has proven its value. When major cloud providers have experienced outages that took down thousands of websites, the airport's DNS stayed online. These big outages make headlines and affect companies worldwide, but our setup remained completely unaffected every time.

Tech Stack

This project shows how smart planning and the right tools can make critical systems much more reliable. The same approach works for any organization where being offline is not an option.

The best measure of success? Nobody thinks about DNS anymore. The system just works.

Visit the airport's website at: Flint Bishop International Airport
