The sorry state of the domain name game

Jon Oltsik says the internal DNS system is busted and is surprised at how few people are taking notice.

The Domain Name System has certainly taken its share of lumps over the years. In January 2001, Microsoft's Web properties--which included CarPoint, Encarta, Expedia and MSN--were taken offline by a DNS configuration error. More recently, security researcher Dan Kaminsky reported that about 230,000 name servers, or roughly 10 percent of those scanned, were susceptible to DNS "cache poisoning."

These are attacks used by the bad guys to redirect users to bogus sites that pepper the unsuspecting with phishing attacks and spyware downloads.

Experts have been warning that DNS is the Achilles' heel of the Internet for years. Strangely, few of them are talking about the sorry state of internal DNS, which maps services like e-mail, IP telephony and applications to employees. An internal name server crash takes down the network--and every network service.

When this happens, help desk phones ring off the hook--unless they are IP phones, of course, which will be out of commission. At that point, you'll likely see the CEO running down the hall, looking to chew out the CIO or any other IT flunky within sight. If I were the chief information officer, I'd be hiding in a data center basement somewhere, waiting out the storm.

What's wrong with internal DNS? Plenty.

While companies invested millions in switches and routers over the past 10 years, they often run DNS with antiquated versions of the Berkeley Internet Name Domain, or BIND, server software on a Unix platform.

Management of these systems tends to sit in IT no-man's land, somewhere between the networking and Unix administration groups. With this organizational model, either too many or too few people touch the servers. Neither situation leads to good things.

In terms of IT operations, both BIND and Unix platforms have to be configured, patched and upgraded on a fairly frequent basis. If IT managers are diligent with these processes, they constantly take DNS servers offline. If these chores are ignored, the name servers are vulnerable to all kinds of nasty malware attacks. A lose-lose situation.

Even if the name servers themselves are well cared for, BIND can be an absolute bear to manage, as administration is based on cryptic text file manipulation; one little mistake can cascade through the entire network.
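One way to catch the "one little mistake" before it cascades is to lint a zone file for the classic hand-editing slips before the server loads it. This is an added example for this column, not code from the article or from BIND; the zone text and the `lint_zone` function are constructed for illustration, and the two checks it performs (a relative CNAME/NS/MX target missing its trailing dot, and an SOA serial that was not bumped) are the ones a practitioner would want to see flagged.

```python
import re

# Constructed sample zone: two hand-editing slips are planted, an NS and a
# CNAME target that each lack the trailing dot that marks a name as absolute.
CONSTRUCTED_ZONE = """\
$ORIGIN corp.example.
$TTL 3600
@     IN SOA ns1.corp.example. hostmaster.corp.example. (
          2004010100 ; serial
          7200 3600 1209600 3600 )
@     IN NS    ns1.corp.example
ns1   IN A     10.0.0.53
voip  IN CNAME pbx.corp.example
pbx   IN A     10.0.0.40
"""

TARGET_RE = re.compile(r"\bIN\s+(CNAME|NS|MX)\s+(?:\d+\s+)?(\S+)\s*$")
SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(\s*(\d+)")

def lint_zone(zone_text, previous_serial=None):
    """Return a list of findings (strings); an empty list means the zone looks sane."""
    findings = []
    origin = "<unknown>"
    stripped = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        stripped.append(line)
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        m = TARGET_RE.search(line)
        if m and not m.group(2).endswith("."):
            # A name without a trailing dot is relative: the server appends $ORIGIN,
            # so 'pbx.corp.example' silently becomes 'pbx.corp.example.corp.example.'
            findings.append(f"line {lineno}: {m.group(1)} target '{m.group(2)}' "
                            f"is relative and resolves to '{m.group(2)}.{origin}'")
    soa = SOA_RE.search("\n".join(stripped))
    if soa is None:
        findings.append("no parseable SOA record")
    elif previous_serial is not None and int(soa.group(1)) <= previous_serial:
        # Secondaries only transfer the zone when the serial grows, so a stale
        # serial means the edit never propagates to the other name servers.
        findings.append(f"SOA serial {soa.group(1)} not greater than "
                        f"previously published {previous_serial}")
    return findings

if __name__ == "__main__":
    for finding in lint_zone(CONSTRUCTED_ZONE, previous_serial=2004010100):
        print(finding)
```

Run against the constructed zone with the last published serial, the checker reports the two relative targets and the stale serial; once the dots are added and the serial bumped it reports nothing.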

Don't be lulled into thinking the problem is money. Even big shops with plenty of dough are often understaffed when it comes to DNS skills. This means that network availability depends upon the brains of a few bright techies instead of automated tools and repeatable processes. Yikes!

What are companies doing to overcome this visible weakness? Not much. Most will continue to let problems linger and experience hours of unplanned downtime each year.

Let me net out a plan here. It makes organizational sense to move DNS management to the networking group, in which people understand how the network functions and are tasked with overseeing it. Networking should own DNS and get paid to keep the network available--plain and simple.

Once this happens, organizations must invest in DNS training and process development so that they depend on documented procedures, not homegrown scripts and IT firefighting. This is consistent with how most IT activities are done.

Finally, CIOs must invest in new tools that greatly simplify DNS administration. Current network configurations are dynamic and will only get crazier as phones, mobile devices and all kinds of other widgets start speaking IP in the ensuing years. If BIND isn't the answer, companies need to replace it with a more modern DNS server solution that can meet business and IT requirements.

The bottom line is that we've been overlooking DNS for years and have been pretty much getting away with it. But that won't work as the world is connected by IP telephony and Web services over the public Internet.

It's like remodeling a house with a bad foundation. Address the foundation first, and you can focus on the problem at hand. Wait until after the remodeling is done, and you'll face a complex, expensive project or the prospect of the whole house crumbling before your eyes.