John Pescatore

A member of the Gartner Blog Network

VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…
What I Want For Wednesday: Industrial Strength Domain Name Services

by John Pescatore  |  December 10, 2008  |  5 Comments

When you put a check in an envelope to pay your mortgage, and address that envelope to your mortgage company, imagine if the Postal Service looked at the address and sent the check to a criminal gang in Elbonia.

When you dial the airlines over the phone and give out your credit card number to buy airline tickets, imagine if the phone company really connected you to some teenagers at Hacker University.

Those two scenarios take a lot of imagination because postal services and telephone companies have industrial strength directory services that let you find the real address or phone number to use, and industrial strength delivery services that translate the address on the envelope or the number you dial into a connection to the actual party you are trying to reach. The Internet – not so much.

Most homes and many businesses are paying as much for Internet connectivity as they are for local phone service or stamps, yet there still aren’t industrial strength Domain Name Services, either within businesses or at Internet Service Providers. The recent DNS attacks developed by Dan Kaminsky reinforced how vulnerable most DNS services are – and how damaging attacks can be.

So, it was good to see OMB push the US Government to move the .gov domain towards DNSSEC, and it was good to see the DNSSEC Industry Coalition formed to facilitate adoption of DNSSEC in the .com and .edu domains. It is also good to see vendors like Bluecat, Infoblox and Nominum selling hardened DNS technology, which is also badly, badly needed – both in ISPs and in enterprises.

Of course, it would be even better to see actual adoption of hardened DNS and DNSSEC… The next time you are competing or renewing your ISP contract, put some questions in the RFP about security and reliability of DNS services. If the budget good fairy asks if you need anything next year or for end of year spending, make sure upgrading DNS services is on your wishlist.
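As an added illustration of what "security and reliability of DNS services" can mean in concrete, checkable terms (this is example code written for this page, not anything from the post or from the vendors it names): the script below parses DNS response headers and reports whether a resolver is returning DNSSEC-validated answers (the AD bit, RFC 4035) and whether its outbound queries use a fixed source port or sequential transaction IDs, the two predictable values that made the Kaminsky cache-poisoning technique practical and that hardened resolvers randomize. The packets and port/ID observations are constructed inline; in practice they would come from a packet capture on the resolver's uplink.

```python
"""
Offline resolver-hygiene check from captured DNS traffic.

Added example, not code from the Gartner post or from any DNS vendor.
Checks two things an RFP question on DNS security could ask for evidence of:
  1. DNSSEC validation: responses to clients carry the AD (Authenticated
     Data) flag, RFC 4035.
  2. Unpredictable outbound queries: no fixed source port and no sequential
     transaction IDs (the standard mitigation for Kaminsky-style poisoning).
All sample data below is constructed for the example.
"""
import struct

DNS_FLAG_QR = 0x8000  # message is a response
DNS_FLAG_RD = 0x0100  # recursion desired
DNS_FLAG_RA = 0x0080  # recursion available
DNS_FLAG_AD = 0x0020  # authenticated data (validated by a DNSSEC resolver)


def build_header(txid, flags, qdcount=1, ancount=1):
    """Build a 12-byte DNS header (RFC 1035 4.1.1); used to construct samples."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def parse_dns_header(packet):
    """Parse the fixed 12-byte DNS header into its fields and flag bits."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & DNS_FLAG_QR),
        "rd": bool(flags & DNS_FLAG_RD),
        "ra": bool(flags & DNS_FLAG_RA),
        "ad": bool(flags & DNS_FLAG_AD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def sequential(values):
    """True if every value is exactly one more than the previous one."""
    return len(values) >= 2 and all(b - a == 1 for a, b in zip(values, values[1:]))


def assess_resolver(responses, outbound_queries):
    """
    responses: raw DNS response packets the resolver sent to its clients.
    outbound_queries: (source_port, txid) pairs observed on the resolver's
        outbound side. Use hundreds of samples for a real assessment; three
        are used here only to keep the example short.
    Returns a dict of boolean checks plus human-readable findings.
    """
    headers = [parse_dns_header(p) for p in responses]
    # An empty capture proves nothing, so treat it as "not validating".
    validating = bool(headers) and all(h["qr"] and h["ad"] for h in headers)
    ports = [port for port, _ in outbound_queries]
    txids = [txid for _, txid in outbound_queries]
    fixed_port = len(set(ports)) == 1
    seq_ids = sequential(txids)

    findings = []
    if not validating:
        findings.append("no AD flag on responses: resolver is not DNSSEC-validating")
    if fixed_port:
        findings.append("fixed outbound source port: cache poisoning is far easier")
    if seq_ids:
        findings.append("sequential transaction IDs: next query ID is predictable")
    return {
        "dnssec_validating": validating,
        "fixed_source_port": fixed_port,
        "sequential_txids": seq_ids,
        "findings": findings,
    }


# Constructed samples: a weak resolver and a hardened one.
_PLAIN = DNS_FLAG_QR | DNS_FLAG_RD | DNS_FLAG_RA
WEAK_RESPONSES = [build_header(i, _PLAIN) for i in (0x1001, 0x1002, 0x1003)]
WEAK_QUERIES = [(53, 0x1001), (53, 0x1002), (53, 0x1003)]
GOOD_RESPONSES = [build_header(i, _PLAIN | DNS_FLAG_AD) for i in (0x9F3A, 0x2C81, 0xE47D)]
GOOD_QUERIES = [(50123, 0x9F3A), (61877, 0x2C81), (34409, 0xE47D)]

if __name__ == "__main__":
    for name, resp, queries in (("weak", WEAK_RESPONSES, WEAK_QUERIES),
                                ("hardened", GOOD_RESPONSES, GOOD_QUERIES)):
        result = assess_resolver(resp, queries)
        print(f"{name}: {result['findings'] or ['no findings']}")
```

The AD bit only tells a client that the resolver validated the answer; it says nothing about the path between client and resolver, so it is evidence for the resolver's configuration, not end-to-end assurance. A resolver that passes both checks is also not immune to poisoning, only much harder to poison; DNSSEC validation is what removes the guesswork entirely.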

The directory problem – where is the trusted source to find email addresses or web sites? – is a whole nuther thing. We all seem to accept, and some even prefer, that cell phones don’t have directory services – the Internet isn’t going to be any better any time soon.

5 responses so far

  • 1 Greg Ness   December 10, 2008 at 1:15 pm

    John:

    Great points. One has to wonder if all of the buzz about cloud computing and other initiatives has taken the challenges within DNS security into account. Cricket Liu has been talking about some of these issues at: http://tinyurl.com/6lf2o7

    One of the Cisco cloud experts similarly blogged about the challenges that cloud (and other system automation initiatives) introduce to network infrastructure: http://tinyurl.com/5byutb

    Sincerely,
    Greg Ness
    Infoblox

  • 2 Cricket Liu   December 11, 2008 at 3:19 am

    You’re absolutely right that adoption of DNSSEC is slow: The Measurement Factory’s latest survey of roughly one million com and net subzones showed 45 that were signed – one more than last year. Uptake outside of the predominantly U.S. com and net is higher, but we’ve got a long way to go.

    I believe that part of the reason adoption is low and slow is that DNSSEC is hard to roll out using most of the tools available today. It’s incumbent on vendors like my employer, Infoblox, to make the signing of zones and management of those signed zones as painless as possible.

  • 3 Gopala Tumuluri   December 11, 2008 at 6:02 pm

    John,

    Great post on a critically important topic. While DNSSEC is the perfect answer to secure DNS, waiting for its adoption is not a viable or prudent option for businesses and government organizations. Headlines regularly report attacks on DNS.

    The call to action should be to urgently take advantage of the best defenses available today while being ready for DNSSEC. Getting the best defenses available today can be as simple as downloading hardened DNS software on existing servers.

    Most major ISPs already seek out the most hardened DNS in the market because they recognize the serious risks to them and their customers. Enterprise organizations that outsource their DNS to these ISPs can rest easy. The rest, meanwhile, should take their exposure just as seriously and act.

    Thank you!

    Gopala
    Nominum, Inc.

  • 4 Lydia Leong   December 12, 2008 at 2:39 pm

    Thumbs up.

    About three and a half years ago, I wrote two research notes: “DNS Must Defend Against Network Threats” and “Many Businesses Build Highly Reliable Telecom Infrastructure, But Ignore DNS”.

    What I said then is as true now as it was. I still routinely have trouble really impressing into people’s heads that DNS infrastructure is the cornerstone of reliable Internet services and that they should act accordingly.

  • 5 Point-CounterPoint: Security Issues of Top Level Domain DNS Redirection   June 25, 2009 at 7:38 am

    [...] year I blogged about the real need for industrial strength domain name services. But at the end of that post I [...]
