Commentary: Digging into the DNS foundation

The domain name system (DNS) is the 411 of the Internet, translating domain names into network addresses that computers understand.

By John Pescatore, Gartner Analyst

The domain name system (DNS) is the 411 of the Internet. It translates domain names into network addresses that computers understand. Although the DNS architecture works amazingly well, it is much like a dandelion--elegant and fragile but with deep roots that make it very hard to kill.

Most DNS servers run software known as BIND (Berkeley Internet Name Domain), which has been around since the early days of the noncommercial Internet. As with most software from that era, programmers found security vulnerabilities in BIND and subsequently issued patches for them. Many newly patched versions of BIND introduced new problems of their own, so DNS administrators were often reluctant to upgrade quickly--and many never did.

DNS is a hierarchical system.
At the top level of the system--which is maintained primarily by Network Solutions (now owned by VeriSign)--the level of protection from Internet-based attacks is strong because those servers receive constant hands-on attention.

However, many lower-level DNS servers are running vulnerable versions of BIND and have numerous other security vulnerabilities, both technical and procedural. At this lower level, at least one-third of the DNS system is vulnerable to attack, although the impact is much more limited.

The DNS infrastructure will continue to be vulnerable to denial-of-service and other attacks until a more secure underpinning is in place. Internet RFC 2535 lays out security extensions to DNS mechanisms that will provide the increased level of security needed to make the Internet business-strength.

Until this transition is made, businesses should plan for periodic Internet outages and disruptions.

In Gartner's opinion, a good information resource on how to run a DNS server securely can be found at http://www.dns.net/dnsrd/docs/.

(For related commentary on how to protect yourself and your company from potential legal exposures stemming from a DDoS attack, see TechRepublic.com--free registration required.)

Entire contents, Copyright © 2000 Gartner Group, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.