In this week’s issue of the Service Provider Newsletter, we continue our discussion with DNS expert Cricket Liu.
This month, Liu will release the latest version of his book entitled "DNS and Bind," one of the definitive textbooks about the Internet’s Domain Name System. Liu is vice president of architecture for InfoBlox, which sells network appliances that handle DNS and other related protocols.
I spoke recently with Liu about the status of DNS and the looming threats for corporate network managers. Last week, Liu talked about the challenges facing DNS because of a spate of new services being added to the protocol. This week, he talks about the most worrisome DNS threats. Here are excerpts from our conversation:
Q. What do you see as the top three threats to DNS?
A. First, there are a burgeoning number of attacks against DNS externally such as DNS amplification attacks. A DNS amplification attack is one in which a hacker who has control of a few hundred PCs has the PCs send out recursive queries to name servers that will take DNS queries from any old computer on the Internet. He’s looking up a specific set of resource records, and he is spoofing one of your IP addresses in the query. All of these name servers start sending responses back, and you get a very, very large magnification effect. You can flood the target name server with responses from other name servers. You can generate so much traffic - multiple gigabits per second of traffic - that you take the name server down as well as the link to the name server. There are also the classic cache poisoning attacks. These attacks are made possible because people have name servers out there that allow recursive queries from any old name server. The default configuration on BIND and Microsoft’s DNS server is to allow recursive queries from anybody. [Berkeley Internet Name Domain is open source DNS software.] Unless you've gone to the trouble of securing your name server, that's what it's going to do.
The second threat is architectural. People have not designed their DNS infrastructure; they've grown it over time. It's really brittle. There are single points of failure. The infrastructure is prone to spectacular failures when you make a small data entry error in zone data or a configuration file.
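The open-recursion setting Liu describes is a one-line fix in BIND. The following named.conf fragments are an added example, not from the article, from Infoblox or from ISC: the first shows a resolver that answers recursive queries from anyone, the second restricts recursion and cache access to the networks the server actually serves. They assume BIND 9 (the `rate-limit` block needs 9.9.4 or later), and the `192.0.2.0/24` range is a placeholder for your own client networks.

```conf
// --- Fragment 1: open resolver (the behaviour the interview warns about) ---
// Any host on the Internet can use this server to resolve names, so it can be
// turned into a reflector for amplification traffic and is exposed to cache
// poisoning attempts from arbitrary sources.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };     // open to the whole Internet
};

// --- Fragment 2: recursion limited to the networks you serve ---
// "trusted" is a placeholder ACL; replace 192.0.2.0/24 with your client ranges.
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };      // recursive lookups only for trusted clients
    allow-query-cache { trusted; };    // cached answers only to trusted clients
    allow-query { any; };              // zones this server is authoritative for stay public
    rate-limit {
        responses-per-second 10;       // response rate limiting blunts reflection abuse
        window 5;
    };
};

// A server that is only authoritative and has no clients behind it should not
// recurse at all:
// options { recursion no; };
```

Use one fragment or the other, not both, since a named.conf file takes a single `options` block. After changing the configuration, check it with `named-checkconf` and confirm from an address outside the trusted ranges that a recursive query for a name you are not authoritative for is refused.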