Tag Archive for: DNS

Dyn, BIND and DNS Strategy

[vc_row][vc_column width=”2/3″][vc_column_text]

On October 21, 2016, leading websites including Twitter, Netflix and Spotify were severely interrupted by an attack on DNS hosting provider Dyn.  Many service providers experienced degradation in their DNS services because attempts to access popular web sites resulted in a SERVfail response. So is it time to review your DNS strategy?

[/vc_column_text][/vc_column][vc_column width=”1/3″][vc_single_image image=”3121″ img_size=”500×300″][/vc_column][/vc_row][vc_row][vc_column width=”2/3″][vc_column_text]

Here are the reasons to do so:

#1.

DNS is the telephone directory of the internet.  If DNS performance is degraded then IP-based services degrade.  The Dyn attack clearly shows that firewalls and cloud defenses alone don’t provide enough protection to DNS. The DNS platform itself needs to be robust and self-protecting.[/vc_column_text][/vc_column][vc_column width=”1/3″][vc_single_image image=”2544″ img_size=”” alignment=”center”][/vc_column][/vc_row][vc_row][vc_column width=”1/3″][vc_single_image image=”644″ img_size=”” alignment=”center”][/vc_column][vc_column width=”2/3″][vc_column_text css=”.vc_custom_1484340668603{margin-right: 10px !important;}”]

#2.

On November 1st  a critical vulnerability, CVE-2016-8864,  was issued that affects BIND-based DNS systems. This bug allows a remote DDoS attack.  This is the 7th such BIND  vulnerability this year, and the 25th critical BIND vulnerability in the last 4 years – which causes the need to drop everything and patch. Most DNS is based on ISC BIND or commercial varieties of BIND (eg Inblox, F5, Cisco, Huawai, ZTE, Nokia, Ericsson). BIND is basically free open-source software and you get what you paid for.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column width=”2/3″][vc_column_text]

#3.

All software has bugs and vulnerabilities, but some software is better than other software. At least having a diversified DNS technology strategy gives you an insurance policy. Cyber attacks tend to affect different DNS in different ways. Keep in mind that ISC BIND and Infoblox do not create a diversified DNS technology strategy – they are both BIND.

[/vc_column_text][/vc_column][vc_column width=”1/3″][vc_single_image image=”1040″ img_size=”” alignment=”center”][/vc_column][/vc_row][vc_row][vc_column width=”1/3″][vc_single_image image=”1656″ img_size=”” alignment=”center”][/vc_column][vc_column width=”2/3″][vc_column_text css=”.vc_custom_1484340658251{margin-right: 10px !important;}”]

#4.

If you are scoping out a DNS review then don’t forget to consider the Operating System.  We know the internet is being attacked by IoT devices (cameras, routers and even toasters!) and this is all because the OS and passwords are neglected.  Unlike other technologies in the network, the DNS OS can be deployed in a hardened form or a genuinely secure form to resist root kits and malware.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column width=”2/3″][vc_column_text]

#5.

Secure64 offers self-protecting authority and caching servers that are built on a proprietary and highly secure micro OS, or with a secure Linux kernel – no BIND, no security devices needed.
[/vc_column_text][/vc_column][vc_column width=”1/3″][vc_single_image image=”2131″ img_size=”” alignment=”center”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]

Isn’t it time to diversify your DNS?

[/vc_column_text][/vc_column][/vc_row]

Botnets, Route Hijacking, and Other Security Threats

Cyber crime has become big business. In the past, hackers tended to work alone or in small groups, and their impact was usually quite minimal. Sometimes it was done just for bragging rights rather than monetary gain, and often had no adverse affects on most of the general public. Read more

DNS over IPv6: Lessons from the field

We have learned some lessons in the field about DNS over IPv6.  The other day, one of our clients called us asking for help with their configurations. They were doing some lab testing while working on their annual upgrade of our software. To give you some background, our customers normally certify each upgrade they intend to use and they do extensive lab testing before they roll it out to their production DNS servers. Read more

Resistance is Futile

The need to move the Internet from IPv4 to IPv6 is inevitable. Almost all of the addresses allowed by the 32 bit based addressing scheme used in IPv4 have been assigned. The 128 bit addressing scheme within IPv6 solves that issue. While the number of available addresses is a significant driver in the need for IPv6, this isn’t the only benefit to be derived. Other benefits include added security, mobility extensions, communication and addressing to the end device, etc.

The North America IPv6 Summit, one of the premier IPv6 shows in the world, was held on April 9-11 in Denver, Colorado.  It focused on educating people on IPv6, providing insight on how to make the transition from IPv4, showed products and technology capable of supporting IPv6. The attendees ranged in background from people just learning about IPv6 to people who are intimately involved with implementing IPv6 with all levels of experience in between.

The event has grown every year and has added breadth of knowledge and increased participation. It is not unusual to meet people from the all over the U.S. along with people from other countries such as Brazil, France, etc…  even Texas;)

The list of sponsors included a wide range of savvy companies and organization that have the foresight see the need to continue to improve the Internet.

This event was organized by the Rocky Mountain IPv6 Task Force (rmv6tf).  My hat is off to the members of the rmv6tf. This is a group of volunteers who see the inevitable need for the Internet to move to IPv6.  The group was formed in 2007 by a handful of dedicated technologists. They have organized this event every year since 2008 with consistency and quality to create the summit.

This event is one that was worthwhile to attend if you have any interest in the future of the Internet. Here is the site for information from the event: http://www.rmv6tf.org/IPv6Summit.htm

Taming the Wild West of the Internet

The FCC, the CSRIC and the Major ISPs should be applauded for taking on three critical issues that greatly affect the trust and security of the Internet: botnet detection, implementation of DNSSEC, and hijacking of broadband routes.

Botnets (a collection of illegally controlled machines) are an invasion and theft of resources, not to mention the nefarious purposes for which compromised machines are then used such as DDoS attacks, Read more