Dyn, BIND and DNS Strategy

On October 21, 2016, leading websites including Twitter, Netflix and Spotify were severely interrupted by an attack on DNS hosting provider Dyn. Many service providers experienced degradation in their DNS services because attempts to access popular websites resulted in a SERVFAIL response. So is it time to review your DNS strategy?

 


Here are the reasons to do so:

#1.

DNS is the telephone directory of the internet. If DNS performance is degraded, then IP-based services degrade. The Dyn attack clearly shows that firewalls and cloud defenses alone don’t provide enough protection for DNS. The DNS platform itself needs to be robust and self-protecting.

#2.

On November 1st, a critical vulnerability, CVE-2016-8864, was announced that affects BIND-based DNS systems. This bug allows a remote DDoS attack. This is the 7th such BIND vulnerability this year, and the 25th critical BIND vulnerability in the last 4 years, each of which creates the need to drop everything and patch. Most DNS is based on ISC BIND or commercial varieties of BIND (e.g. Infoblox, F5, Cisco, Huawei, ZTE, Nokia, Ericsson). BIND is basically free open-source software and you get what you paid for.

#3.

All software has bugs and vulnerabilities, but some software is better than other software. At the very least, a diversified DNS technology strategy gives you an insurance policy, because cyber attacks tend to affect different DNS software in different ways. Keep in mind that ISC BIND and Infoblox do not create a diversified DNS technology strategy: they are both BIND.

Secure64® DNS Authority

#4.

If you are scoping out a DNS review, then don’t forget to consider the operating system. We know the internet is being attacked by IoT devices (cameras, routers and even toasters!), and this is all because the OS and passwords are neglected. Unlike other technologies in the network, the DNS OS can be deployed in a hardened form or a genuinely secure form to resist rootkits and malware.

#5.

Secure64 offers self-protecting authority and caching servers that are built on a proprietary and highly secure micro OS, or with a secure Linux kernel – no BIND, no security devices needed.

Secure64® DNS Cache

Isn’t it time to diversify your DNS?

Theresa DeGroote
