The Domain Name System has certainly taken its share of lumps over the years.
In January 2001, Microsoft's Web properties--which included CarPoint, Encarta, Expedia and MSN--were taken offline by a DNS configuration error. More recently, security researcher Dan Kaminsky reported that about 230,000 name servers, or roughly 10 percent of those scanned, were susceptible to DNS "cache poisoning."
These are attacks used by the bad guys to redirect users to bogus sites that pepper the unsuspecting with phishing attacks and spyware downloads.
Experts have been warning that DNS is the Achilles' heel of the Internet for years. Strangely, few of them are talking about the sorry state of internal DNS, which maps services like e-mail, IP telephony and applications to employees. An internal name server crash takes down the network--and every network service.
When this happens, help desk phones ring off the hook--unless they are IP phones, of course, which will be out of commission. At that point, you'll likely see the CEO running down the hall, looking to chew out the CIO or any other IT flunky within sight. If I were the chief information officer, I'd be hiding in a data center basement somewhere, waiting out the storm.
What's wrong with internal DNS? Plenty.
While companies invested millions in switches and routers over the past 10 years, they often run DNS with antiquated versions of the Berkeley Internet Name Domain, or BIND, server software on a Unix platform.
Management of these systems tends to sit in IT no-man's land, somewhere between the networking and Unix administration groups. With this organizational model, either too many or too few people touch the servers. Neither situation leads to good things.
In terms of IT operations, both BIND and Unix platforms have to be configured, patched and upgraded on a fairly frequent basis. If IT managers are diligent with these processes, they constantly take DNS servers offline. If these chores are ignored, the name servers are vulnerable to all kinds of nasty malware attacks. A lose-lose situation.
Even if the name servers themselves are well cared for, BIND can be an absolute bear to manage, as administration is based on cryptic text file manipulation; one little mistake can cascade through the entire network.
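A pre-reload check for exactly this class of mistake, as an added example that is not from the column or from BIND itself. It assumes a simple master-file layout (one record per logical line, parenthesised continuation allowed, TTLs as plain integers) and runs over a constructed sample zone; it flags a serial that was not bumped (secondaries would never transfer the change) and a right-hand name that lacks its trailing dot (BIND appends the origin, so `mail.example.com` silently becomes `mail.example.com.example.com.`):

```python
# Added example: sanity checks to run on a BIND zone file before "rndc reload".
# Not part of BIND; assumes the simple master-file layout described in the lead-in.

HOST_RTYPES = {"NS", "CNAME", "MX", "PTR"}  # rdata ends in a domain name, not an IP


def logical_lines(zone_text):
    """Strip ';' comments and join '( ... )' continuation lines into one record."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_records(zone_text):
    """Return (owner, rtype, rdata_tokens) per record; owner is None when inherited."""
    records = []
    for line in logical_lines(zone_text):
        if line.startswith("$"):          # $TTL / $ORIGIN directives
            continue
        tokens = line.split()
        if not tokens:
            continue
        owner = None if line[0].isspace() else tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                  # optional TTL and class fields
        if not tokens:
            continue
        records.append((owner, tokens.pop(0).upper(), tokens))
    return records


def soa_serial(records):
    for _, rtype, rdata in records:
        if rtype == "SOA":                 # mname rname serial refresh retry expire minimum
            return int(rdata[2])
    raise ValueError("zone has no SOA record")


def lint_zone(zone_text, previous_serial):
    """Return a list of problems; an empty list means the zone is safe to load."""
    problems = []
    records = parse_records(zone_text)
    serial = soa_serial(records)
    if serial <= previous_serial:
        problems.append(f"SOA serial {serial} not greater than deployed serial {previous_serial}")
    for owner, rtype, rdata in records:
        target = rdata[-1]
        if rtype in HOST_RTYPES and "." in target and not target.endswith("."):
            problems.append(f"{rtype} target {target!r} looks fully qualified but lacks a trailing dot")
    return problems


# Constructed sample zone: one deliberately missing trailing dot on the MX target.
SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN example.com.
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2024010101 ; serial (constructed)
         3600 900 604800 86400 )
     IN NS  ns1.example.com.
     IN MX  10 mail.example.com   ; mistake: no trailing dot
ns1  IN A   192.0.2.1
mail IN A   192.0.2.20
ftp  IN CNAME www
"""

if __name__ == "__main__":
    for problem in lint_zone(SAMPLE_ZONE, previous_serial=2024010101):
        print("REJECT:", problem)
```

This complements BIND's own named-checkzone and named-checkconf, which validate syntax but do not know what serial is currently deployed.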
Don't be lulled into thinking the problem is money. Even big shops with plenty of dough are often understaffed when it comes to DNS skills. This means that network availability depends upon the brains of a few bright techies instead of automated tools and repeatable processes. Yikes!
What are companies doing to overcome this visible weakness? Not much. Most will continue to let problems linger and experience hours of unplanned downtime each year.
Let me net out a plan here. It makes organizational sense to move DNS management to the networking group, in which people understand how the network functions and are tasked with overseeing it. Networking should own DNS and get paid to keep the network available--plain and simple.
Once this happens, organizations must invest in DNS training and process development so that they depend on documented procedures, not homegrown scripts and IT firefighting. This is consistent with how most IT activities are done.
Finally, CIOs must invest in new tools that greatly simplify DNS administration. Current network configurations are dynamic and will only get crazier as phones, mobile devices and all kinds of other widgets start speaking IP in the ensuing years. If BIND isn't the answer, companies need to replace it with a more modern DNS server solution that can meet business and IT requirements.
The bottom line is that we've been overlooking DNS for years and have been pretty much getting away with it. But that won't work as the world is connected by IP telephony and Web services over the public Internet.
It's like remodeling a house with a bad foundation. Address the foundation first, and you can focus on the problem at hand. Wait until after the remodeling is done, and you'll face a complex, expensive project or the prospect of the whole house crumbling before your eyes.
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.
Hire UNIX people who have experience, MCSE will not do
"...BIND can be an absolute bear to manage as administration is based on cryptic text file manipulation where one little mistake can cascade through the entire network." ALL UNIX applications rely on cryptic text files and are prone to errors. All you really need is someone who knows his job and can manage/update UNIX applications. Do not hire Microsoft "specialists" to work on a "real" system. I have seen it happening too many times.
Let me first point out that almost every argument in your article is actually a non-argument.
It is indeed a misfortune that DNS is vulnerable to all sorts of attacks. It is also a misfortune that operating systems are. That web servers are. That browsers and mail clients and messaging applications are. All computer programs are vulnerable to attacks.
BIND has cryptic configuration files? It's human readable! Which also means something really bad for business. It's open. Anyone can use text processing on it. Would you expect 011100110110111011 to be more readable? Oh, I forgot. I need to "invest in tools" that read and process such uncryptic representations.
One has to invest in DNS training? Well, this is purely evil, since it can mean that one should not invest in anything having to do with human expertise in a certain domain. We do have tools that automate such tasks, like DNS management, right? Of course, these tools themselves are vulnerable to attacks. These tools must be managed. Let's just invest in "some-specific-tool training", not DNS training.
Depending on brains of techies instead of automated tools and repeatable processes? Any good techie will make automated tools which conduct repeatable processes to ease his job. Well, I'm wrong. This assumes that the tools use open formats and one is not dependent on the tool-maker to extend the DNS server. Which does mean less money to the bear. "Yikes!"
And the list can continue. I'm sorry, but we haven't arrived at the level where people aren't needed anymore to make the computer world a nice experience ... for whom? For other people. Like you, I hope that in the future we'll have a nice machine which CEOs can talk to and say "I need a perfect DNS for my organization" and the machine will autoconfigure itself by reading the CEO's mind.
"they often run DNS with antiquated versions of the Berkeley Internet Name Domain, or BIND, server software on a Unix platform."
In other words, they do not upgrade to modern BIND software. So if a company is still running 95, does that mean 'Windows' is antiquated? No, it means that version is.
"In terms of IT operations, both BIND and Unix platforms have to be configured, patched and upgraded on a fairly frequent basis."
Unlike Windows, which never needs to be patched, upgraded, or configured? All systems need to be patched, upgraded, or configured; anyone who tells you otherwise probably also has a bridge to sell you.
"If IT managers are diligent with these processes, they constantly take DNS servers offline. "
Unless *gasp* they run more than one DNS server, like everyone should. BIND is so lightweight you don't need a devoted server for all but the most large-scale applications. Anyone who would set up a mission-critical server and not have failover is nuts. I suppose if you only have one domain controller in an AD and you shut it down, the fact that you lose your FSMO roles is a weakness in Windows, not an indication of bad architecture.
"Even if the name servers themselves are well cared for, BIND can be an absolute bear to manage, as administration is based on cryptic text file manipulation"
If you can't use vi, just use webmin.