The number of ‘things’ connected to the internet is already surpassing the number of people on the planet. This Internet of ‘things’ is changing the way we live and work: from the way food is grown and produced on farms through automated temperature and feeding controls, to the way we check prices and buy through connected terminals, to the vehicles we drive, the security cameras at work, and automated gates at the entrance. Connected ‘things’ are everywhere. All these ‘things’ are helping us to be more productive and efficient while also offering more and more convenience.
Ten years ago everyone evaluating DNS solutions was always concerned about performance. Broadband networks were getting faster, providers were serving more users, and web pages and applications increasingly stressed the DNS. Viruses were a factor too as they could rapidly become the straw that broke the camel’s back of a large ISP’s DNS servers. The last thing a provider needed was a bottleneck, so DNS resolution speed became more and more visible, and performance was everything.
The transition to IPv6 is top of mind for most service providers. Even in places where there are still IPv4 addresses to be had, surveys we’ve run suggest v6 is solidly on the priority list. That’s not to say everyone has the same strategy. Depending on where you are in the world, transition options are different – in places such as APAC, where exhaustion is at hand, one of the many NAT alternatives will likely be deployed, since getting a significant allocation of addresses is not going to happen and other alternatives for obtaining addresses will prove expensive. Ditto the European region, which is next on the list to find the IPv4 shelves bare.
With IPv6 World Launch coming up it’s worth pausing to consider the collective efforts of the Internet industry in enabling and deploying an essential evolutionary technology at what will become truly massive scale. It’s easy to be a detractor and believe there has been little progress – but the Internet hasn’t melted down and there is no evidence it is about to. Perhaps the issue is that progress occurred in a different way than was predicted or preferred by the experts. The reality is providers everywhere have developed coping mechanisms for IPv4 exhaustion. Innovation, operational sweat, and perhaps some tough negotiating make it happen. But isn’t that the essence of the Internet?
The situation surrounding DNS Changer highlights some interesting issues. Unless end users remove DNS Changer malware from their machines, those machines will always try to connect to the DNS server addresses encoded in the malware. Today they’ll connect to “clean” DNS servers that replaced the hackers’ DNS servers as a result of a court order. But those servers are unlikely to remain in place. This means at some point infected machines will lose their Internet connectivity.
Like any critical part of network infrastructure, securing recursive DNS requires a layered approach. All the points of entry into the system – the console(s), network, etc. – need to be protected. Before we look at the types of protection, we need to consider the various types of attacks against recursive DNS server infrastructure. They can be broadly categorized based on the attack target:
There was an intriguingly named vulnerability revealed this week: Ghost Domains. A paper describing it can be found here. A team of researchers in China discovered a way to allow a domain to remain reachable in the DNS even after it has been revoked from a TLD. It looks like they expended a lot of energy testing their new idea and discovered there are several caching DNS software releases that are vulnerable.
Your new DNS infrastructure is up and running! Here’s what to watch for, how to monitor, and tips for patches and upgrades.