This story at eChannel Line reports on attitudes about domain name system (DNS) server security that were revealed in a study done by Mazerov Research and Consulting for Secure64 Software. The results raise a lot of interesting questions about how seriously executives and IT workers take protection of these servers, which translate between IP addresses and the domain names with which people are familiar.
The researchers queried 465 IT and business folks. Companies use three-and-a-half to four security measures to protect their DNS servers. On one level, that makes sense, since the loss of these servers would effectively cut the company off from the Internet. There is a downside, however: The writer points out that such a mix of security technologies adds complexity, especially considering that each approach must be periodically tested and upgraded.
The piece looks at the attitudes toward a 90-minute loss of Internet connectivity, a possible outcome of a serious DNS problem. Seventy-four percent of people said productivity would suffer, 54 percent said basic business functions would cease and 40 percent said revenue would be lost. Thirty-nine percent said their brand would be damaged and 12 percent said they would be extremely or somewhat likely to go out of business.
The researchers found that the closer employees got to actually overseeing the DNS servers, the less time they said would pass before losing connectivity became a crisis (126 minutes for high-level executives, 105 minutes for IT executives, and 72 minutes for those with hands-on responsibility for maintaining connectivity).
This is no academic exercise. This Computerworld story reports on a serious vulnerability in one of the key software elements of DNS, Berkeley Internet Name Domain 9 (BIND 9). If unpatched, the vulnerability can take ISP and enterprise users to phishing sites set up by criminals. A link to the patch is included in the story.
DNS security appears to be complex, and changes to it cumbersome. Luckily, however, there is a good deal of helpful information on the Internet. For instance, this technical posting at LinuxGuruz says there are several ways to increase DNS server security: restrict zone transfers; implement split DNS; use separate networks for different DNS servers; implement Transaction SIGnatures (TSIGs); and employ DNS Security Extensions (DNSSEC).
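Two of the measures in that list, restricted zone transfers and TSIG, can be checked on a BIND 9 server by reading each zone's `allow-transfer` setting. The following audit script is an added example, not code from the article or the postings it cites; the configuration text, zone names, key name and addresses are constructed, and the parser is a simplification that ignores comments and nested ACLs.

```python
import re

# Constructed named.conf fragment for illustration; zone names, key name and
# addresses are made up (example domains, RFC 5737 address space).
SAMPLE_CONF = '''
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER"; };
zone "open.example"    { type master; file "db.open";    allow-transfer { any; }; };
zone "default.example" { type master; file "db.default"; };
zone "iponly.example"  { type master; file "db.iponly";  allow-transfer { 192.0.2.53; }; };
zone "signed.example"  { type master; file "db.signed";  allow-transfer { key "xfer-key"; }; };
zone "closed.example"  { type master; file "db.closed";  allow-transfer { none; }; };
'''

def zone_blocks(conf):
    """Yield (name, body) per zone statement, matching nested braces.
    Simplification: comments and braces inside quoted strings are not handled."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def classify(body):
    """Label a zone's transfer policy from its allow-transfer list."""
    m = re.search(r'\ballow-transfer\s*\{([^}]*)\}', body)
    if m is None:
        return "inherited"      # no zone-level setting: check options{} / server default
    acl = [e.strip() for e in m.group(1).split(";") if e.strip()]
    if "any" in acl:
        return "open"           # any host may request the full zone
    if not acl or acl == ["none"]:
        return "none"           # transfers disabled for this zone
    if all(re.match(r'key\s', e) for e in acl):
        return "tsig"           # every entry requires a TSIG-signed request
    return "address"            # at least one entry trusts a source address alone

def audit(conf):
    """Map each zone name to its transfer-policy label."""
    return {name: classify(body) for name, body in zone_blocks(conf)}

if __name__ == "__main__":
    for zone, policy in audit(SAMPLE_CONF).items():
        flag = "REVIEW" if policy in ("open", "inherited", "address") else "ok"
        print(f"{zone:18} {policy:10} {flag}")
```

Zones reported as `open`, `inherited` or `address` are the ones to review against the zone-transfer and TSIG recommendations.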
More tutorials can be found at Microsoft Certified Professional magazine. This is the second part of a two-part feature on DNS security. The first part of the story focuses on split DNS designs and safe zone data transfers, the writer says. This installment discusses how to avoid DNS cache poisoning and related technical topics.
The bottom line is that few things are as important for an organization to guard as its DNS servers. The criminals seem to know this, and attack on a regular basis. Luckily, there seems to be no shortage of useful information available. It is up to IT staffs to use it.