
Expert identifies the latest DNS threats

Part 2 of a Q&A with DNS expert Cricket Liu

By Carolyn Duffy Marsan, Network World
May 10, 2006 12:01 PM ET

In this week’s issue of the Service Provider Newsletter, we continue our discussion with DNS expert Cricket Liu.

This month, Liu will release the latest version of his book entitled "DNS and Bind," one of the definitive textbooks about the Internet’s Domain Name System. Liu is vice president of architecture for InfoBlox, which sells network appliances that handle DNS and other related protocols.

I spoke recently with Liu about the status of DNS and the looming threats for corporate network managers. Last week, Liu talked about the challenges facing DNS because of a spate of new services being added to the protocol. This week, he talks about the most worrisome DNS threats. Here are excerpts from our conversation:

Q. What do you see as the top three threats to DNS?

A. First, there are a burgeoning number of attacks against DNS externally such as DNS amplification attacks. A DNS amplification attack is one in which a hacker who has control of a few hundred PCs has the PCs send out recursive queries to name servers that will take DNS queries from any old computer on the Internet. He’s looking up a specific set of resource records, and he is spoofing one of your IP addresses in the query. All of these name servers start sending responses back, and you get a very, very large magnification effect. You can flood the target name server with responses from other name servers. You can generate so much traffic - multiple gigabits per second of traffic - that you take the name server down as well as the link to the name server. There are also the classic cache poisoning attacks. These attacks are made possible because people have name servers out there that allow recursive queries from any old name server. The default configuration on BIND and Microsoft’s DNS server is to allow recursive queries from anybody. [Berkeley Internet Name Domain is open source DNS software.] Unless you've gone to the trouble of securing your name server, that's what it's going to do.

The second threat is architectural. People have not designed their DNS infrastructure; they've grown it over time. It's really brittle. There are single points of failure. The infrastructure is prone to spectacular failures when you make a small data entry error in zone data or a configuration file.

The third threat is that people don't understand DNS. It’s been this way for 20 years now. Nobody has ever understood DNS. Some of the largest companies we deal with have great, well-meaning people but they don’t understand the protocol. They don’t understand what they need to do to manage it correctly. If you don't understand the protocol, it's hard to use it for all of these advanced applications. And it's just going to get more difficult.
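The open-recursion condition Liu describes leaves a trace in the name server's own query log. The following is an added example, not part of the interview or of any InfoBlox or BIND code: it audits BIND 9 style query-log lines for recursive queries arriving from outside the allow-recursion ACL and for one source repeatedly asking for the same record set, the signature of a spoofed victim address. The log line format, the ACL prefixes and all sample lines are assumptions constructed for the example.

```python
# Added example: audit BIND 9 query-log lines for the open-recursion abuse
# Liu describes. Log format, ACL prefixes and sample lines are assumptions.
import ipaddress
import re
from collections import Counter

# Accepts "client 203.0.113.5#53210: query: example.com IN ANY + (192.0.2.1)"
# and the later "client @0x... 203.0.113.5#53210 (example.com): query: ..." form.
LOG_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[\d.]+)#\d+(?: \(\S+\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[-+]\S*)"
)

def parse_line(line):
    """Return (src, qname, qtype, recursion_desired), or None for non-query lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["qname"], m["qtype"], m["flags"].startswith("+")

def audit_queries(lines, allow_recursion, threshold=3):
    """Return (outside, repeat).
    outside: recursive queries ("+" flag) from addresses not in the
             allow-recursion ACL, i.e. the server is acting as an open resolver.
    repeat:  (src, qname, qtype) asked more than `threshold` times; in an
             amplification attack the repeated src is the spoofed victim.
    """
    nets = [ipaddress.ip_network(n) for n in allow_recursion]
    outside, seen = [], Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, qname, qtype, rd = parsed
        if rd and not any(ipaddress.ip_address(src) in n for n in nets):
            outside.append((src, qname, qtype))
        seen[(src, qname, qtype)] += 1
    return outside, {k: c for k, c in seen.items() if c > threshold}

# Constructed sample: one internal recursive query, one non-recursive external
# query (normal for an authoritative server), and five external ANY queries
# from the same address, which would be the spoofed victim in an attack.
SAMPLE_LOG = [
    "10-May-2006 12:01:00.001 client 10.1.2.3#40001: query: intranet.example.com IN A + (10.1.2.1)",
    "10-May-2006 12:01:00.002 client 203.0.113.7#40002: query: example.com IN A - (10.1.2.1)",
] + [
    "10-May-2006 12:01:00.%03d client 198.51.100.9#%d: query: big.example.com IN ANY + (10.1.2.1)"
    % (i, 50000 + i) for i in range(5)
]
```

Running `audit_queries(SAMPLE_LOG, ["10.0.0.0/8"])` reports the five external recursive queries and the repeated source; a non-empty `outside` list on an authoritative-only server is the misconfiguration to fix with an `allow-recursion` ACL.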

Q. What advice would you offer to an IT executive regarding DNS?

A. First, it's worth spending some money to get your people trained in DNS. Second, it's worth doing a complete top-to-bottom audit of your DNS infrastructure to try to determine whether it might need to be updated. You need to find out if there are bottlenecks that you need to remove or single points of failure. Based on the audit, you should figure out what you need to do. Maybe you have only one DNS forwarder, and you need to add another. Maybe you can make use of DNS appliances.
