Dyn, BIND and DNS Strategy


On October 21, 2016, leading websites including Twitter, Netflix and Spotify were severely interrupted by an attack on DNS hosting provider Dyn. Many service providers experienced degradation in their DNS services because attempts to access popular websites resulted in a SERVFAIL response. So is it time to review your DNS strategy?


Here are the reasons to do so:

#1.

DNS is the telephone directory of the internet. If DNS performance is degraded, then IP-based services degrade. The Dyn attack clearly shows that firewalls and cloud defenses alone don’t provide enough protection for DNS. The DNS platform itself needs to be robust and self-protecting.

#2.

On November 1st, a critical vulnerability, CVE-2016-8864, was issued that affects BIND-based DNS systems. This bug allows a remote DDoS attack. This is the 7th such BIND vulnerability this year, and the 25th critical BIND vulnerability in the last 4 years, each of which creates the need to drop everything and patch. Most DNS is based on ISC BIND or commercial varieties of BIND (e.g. Infoblox, F5, Cisco, Huawei, ZTE, Nokia, Ericsson). BIND is basically free open-source software and you get what you paid for.

#3.

All software has bugs and vulnerabilities, but some software is better than other software. Having a diversified DNS technology strategy at least gives you an insurance policy, because cyber attacks tend to affect different DNS implementations in different ways. Keep in mind that ISC BIND and Infoblox do not create a diversified DNS technology strategy – they are both BIND.


#4.

If you are scoping out a DNS review, then don’t forget to consider the operating system. We know the internet is being attacked by IoT devices (cameras, routers and even toasters!) and this is all because the OS and passwords are neglected. Unlike other technologies in the network, the DNS OS can be deployed in a hardened form or a genuinely secure form to resist rootkits and malware.

#5.

Secure64 offers self-protecting authority and caching servers that are built on a proprietary and highly secure micro OS, or with a secure Linux kernel – no BIND, no security devices needed.

Isn’t it time to diversify your DNS?
