September 26, 2006

BIND Vulnerability Advisory (Sept 5 2006)

Filed under: Uncategorized — Juha @ 4:00 pm

Well, this really isn’t news for those of you who are active in checking out the latest vulnerability advisories. But for those of you who have been busy with other things, I thought it’d be a good idea to add the link to the latest advisory here.

On DNS Security

Filed under: Uncategorized — Juha @ 3:48 pm

When DNS was invented back in 1983, it must have been rather difficult to envision the world we have later found ourselves in. Denial of service attacks, DNS poisoning, and vulnerabilities in operating systems and commonly used DNS servers are regularly used to bring one of the most critical network services to a halt.

Traditionally, DNS servers have been rather open to attacks. They are all too often outdated machines in the back corner of the server room running old versions of various operating systems, as well as outdated and insecure versions of BIND. If anyone has come to view this as a problem, the solution has been simple – it is called resiliency and involves setting up yet another vulnerable DNS server in the network. The more of them you have, the less likely it becomes that all of them would break down or be attacked at once. Or so the theory goes.

For some reason, the networking community has not done much to address this problem. Sure, the IETF has come up with solutions such as DNSSEC, which has been the talk of the town since the late 90s. But bearing in mind the complexities associated with the standard, it is questionable whether most organizations running DNS servers will have the required know-how and resources in place to implement DNSSEC in the near future. After all, there are more than a million DNS servers out there, and it is not very likely that all the administrators involved in the global rollout would have the skills, resources or the dedication of your average IETF engineer.

In the real world, the most immediate problems associated with DNS security can be solved by rather simple measures: making sure that DNS servers run on hardened operating systems that are free of known vulnerabilities; that the BIND versions in those servers are up to date; that their firewalls are configured appropriately; and that the three earlier points are verified on a regular basis against advisories issued by organizations such as CERT. Additional measures such as an Intrusion Prevention System can be used to block out IP addresses that send an abnormally high number of queries to DNS servers, indicating a potential Denial-of-Service attack.
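The last measure, spotting source addresses that send an abnormally high number of queries, can be sketched as a sliding-window count over the server's query log. This is an added example, not code from this blog or from Nixu; the log lines are constructed in the style of BIND 9 query logging, and the regex, threshold and window size are assumptions to adapt to your own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on BIND 9 query logging with print-time on.
# The exact layout varies between BIND versions; the regex below is an assumption.
SAMPLE_LOG = "\n".join(
    [f"26-Sep-2006 15:48:{s:02d}.000 client 192.0.2.10#40000: query: example.com IN A +"
     for s in (1, 2, 3, 4, 5, 6)]
    + ["26-Sep-2006 15:48:03.500 client 198.51.100.7#5353: query: example.org IN MX +",
       "26-Sep-2006 15:49:30.000 client 198.51.100.7#5353: query: example.org IN A +",
       "this line is malformed and must be skipped"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: ")


def find_heavy_clients(log_text, max_queries=5, window_seconds=10):
    """Return {ip: peak_count} for clients exceeding max_queries in any window.

    Each client's lines are assumed to appear in chronological order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # not a query line; skip rather than crash
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) > max_queries:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, peak in find_heavy_clients(SAMPLE_LOG).items():
        print(f"{ip}: {peak} queries within 10 s, candidate for rate limiting")
```

Because DNS queries over UDP can carry spoofed source addresses, a flagged address is better treated as a candidate for rate limiting or review than as proof of who sent the traffic.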

We’ve developed the new Nixu SNS to automate these day-to-day routines. It’ll be interesting to see how it will be received after it’s made publicly available on October 16.

September 25, 2006

About

Filed under: Uncategorized — ville.kummu @ 10:57 am

This Web Journal is maintained by Nixu Software. As we have been discussing DNS and other networking issues with literally thousands of organizations during the last 10 years or so, we felt it would be a good idea to share our views and insights with the whole networking community.

While the focus of this blog will be on DNS, IP addressing and related security considerations, we may also make comments on other related topics from time to time.

The game is afoot, as Shakespeare would say. Stay tuned for more.

Your editor-at-large,
Juha Holkkola
