DNS Diversity

Every DNS administrator knows that you need to configure at least two recursive or authoritative DNS servers so that you can still provide service in case one fails. Many administrators also know that these servers ideally should be located in different data centers and utilize different networks so that DNS service will not be interrupted in the event of a data center or network outage. These are examples of why diversity is so important to DNS service availability. By not putting all of your eggs in one basket (one server, one data center, one network), you increase your odds of surviving a failure without impacting users or customers.

But few people think about the DNS code base itself when it comes to diversity. The fact is that over 75% of the world’s DNS servers run BIND, the free, standard implementation of DNS for over 20 years. As a result, BIND has been tested and deployed by countless organizations, and scrutinized and hardened by hundreds of software engineers over its lifetime.

But no software, open-source or proprietary, is perfect. Like all software, BIND has software defects, and some of these defects are serious enough that they represent security risks. In fact, there were 13 security vulnerabilities reported by ISC in 2010 and 2011 and two more so far this year. In a less widely deployed product, these security vulnerabilities might not be a problem. But because BIND is so widely deployed, it makes an ideal target for a hacker looking to create maximum havoc on the Internet.

So let’s go back to our diversity discussion. If the whole point of having redundant servers, data centers and networks is to be resilient to the failure of a single component, why do we deploy a single version of DNS software everywhere? A major security vulnerability in this one piece of software, if exploited in a zero-day attack, could compromise not only an entire organization, but much of the Internet. We have all of our DNS eggs in a single basket.

The DNS experts who run the core Internet infrastructure realized some time ago that this was not a good situation. In fact, they made a conscious decision to run multiple, completely independent DNS implementations across the root servers, and many top-level domains have done the same thing. They know that a vulnerability in one DNS software implementation is unlikely to exist in a completely independent implementation, so DNS diversity provides resiliency against failures caused by vulnerability exploits.
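The "single basket" argument above can be turned into a routine check. The following is an added example, not code from the original post or from Secure64: it takes an inventory of a zone's authoritative name servers (constructed sample data; the host names, addresses, site labels and the /24 approximation of "one network" are assumptions) and, for each diversity dimension the article names (data center, network, code base), asks how many servers would survive if everything sharing one value failed at once, as happens when a single implementation is hit by a zero-day.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed inventory for one zone (assumption: example data only). Every server
# runs the same implementation, and two share a site and a network.
NAMESERVERS = [
    {"name": "ns1.example.net", "ip": "192.0.2.10",   "site": "dc-east", "impl": "bind"},
    {"name": "ns2.example.net", "ip": "192.0.2.20",   "site": "dc-east", "impl": "bind"},
    {"name": "ns3.example.net", "ip": "198.51.100.5", "site": "dc-west", "impl": "bind"},
]


def network_of(ip, prefixlen=24):
    """Collapse an address to its /24; assumed here to approximate 'one network'."""
    return str(ip_network(f"{ip}/{prefixlen}", strict=False))


def diversity_report(servers, min_survivors=2):
    """Group servers by site, network and implementation. For each dimension,
    assume the largest group fails together (one site dark, one network
    unreachable, one code base exploited) and count the servers left.
    Returns {dimension: (failed_value, survivors)} for every dimension whose
    worst case leaves fewer than min_survivors servers answering."""
    dimensions = {
        "site": lambda s: s["site"],
        "network": lambda s: network_of(s["ip"]),
        "impl": lambda s: s["impl"],
    }
    findings = {}
    for dim, key in dimensions.items():
        groups = defaultdict(int)
        for server in servers:
            groups[key(server)] += 1
        worst_value, worst_count = max(groups.items(), key=lambda kv: kv[1])
        survivors = len(servers) - worst_count
        if survivors < min_survivors:
            findings[dim] = (worst_value, survivors)
    return findings


if __name__ == "__main__":
    for dim, (value, left) in diversity_report(NAMESERVERS).items():
        print(f"{dim}: losing '{value}' leaves {left} server(s) answering")
```

Run against the sample inventory it reports all three dimensions, with the implementation dimension leaving zero servers; a set that mixes independent implementations across sites and networks returns an empty report.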

So the next time you have to interrupt your schedule to deploy another emergency security patch to your DNS, think about the value that DNS diversity would have for your organization. After all, diversity is crucial in nature.

Secure64 offers a solution for supporting DNS and DNS diversity.