Experts are asking whether it's time to shine a bright light on the "black art" of Domain Name System (DNS) management.
"DNS is one of those topic areas that I've always called a black art," said Robert Whiteley, senior analyst at Forrester Research. "It is very poorly understood, relative to how important it is."
DNS is essentially an immense, worldwide distributed database. DNS servers across the world help translate Internet domain names, which are comprehensible to humans, into the IP addresses that networks understand.
When a user goes into a Web browser and types a Web address such as SearchNetworking.com, the browser asks the operating system to translate the name into an IP address. The operating system first looks at the host file, then it looks at the local cache. If it finds nothing there, it goes to a local DNS server. If that server doesn't know, it moves on to local root servers and start of authority (SOA) servers.
"It becomes very complex very quickly," said Paul Parisi, CTO of DNSstuff.com, a provider of Web-based DNS management tools. "It's extremely large, so there are lots of points where people can make mistakes. Each one of these objects has a surface area for attack, and each one of these interfaces has a surface area of attack."
Enterprises usually maintain their own local DNS servers to connect their websites, email servers and other applications to the Internet. But these DNS servers have such a low profile in companies that DNS expertise becomes rare.
"Historically, DNS is one of those things that a lot of companies set up and then they kind of forget about it for a while," Whiteley said. "If you look at the vast majority of enterprise class DNS servers, they're these very old, aging bind environments running on Unix, Solaris or something like that. And people haven't touched their DNS infrastructure in quite some time. It's just worked."
However, new and popular networked technologies such as VoIP, Web services, SharePoint and Exchange use DNS, putting new stresses on those old DNS servers.
Then there's the possible use of DNS as a vector of attack by hackers. That possibility is becoming more and more of a reality. Late last month, a Turkish hacker group calling itself NetDevilz apparently hacked the DNS servers of the websites for IANA (Internet Assigned Numbers Authority) and ICANN (Internet Corporation for Assigned Names and Numbers), the international organizations that manage the DNS root zones and assign DNS roots. The same people had hacked the popular photo-sharing site Photobucket.com just a couple of weeks earlier.
"It certainly can be exploited," Whiteley said. "And a lot of companies don't recognize the exploits that they are susceptible to. Security IQ has kind of risen over the years, but this is a technology that has a history of being set-and-forget. A vast majority of companies do leave that open as a back door and don't even know it."
Whiteley said IP address management tools from companies like InfoBlox offer DNS management tools, but many companies aren't ready to invest in such products. "You're talking about an enterprise-class solution that isn't going to be right for everybody," he said.
Chris Harris, an email services expert, said he uses premium DNS management tools from DNSstuff.com to track the DNS information for his email servers. His company, Blackbaud, is a Charleston, N.C.-based provider of software and IT services for nonprofit organizations. Harris manages email servers for multiple nonprofits.
"If I'm having problems with a particular domain, I use their tools to figure out what's wrong, then work with our own folks or clients to resolve the issues," Harris said. "I don't have to worry about command line scripts and things like that to run certain tests. We had the ability to do some tests and check things on our own previously, but now when there is a problem, we can use the general DNSstuff toolset to diagnose problems at least twice as fast as we would on our own."
"There's not a lot of knowledge out in the market about [DNS]," said Rich Person, DNSstuff.com CEO. "It's in the heads of a couple of guys who live in command line. We're the third party that's able to take a general IT guy and show him how his customers are seeing his site."
Person claims that more than 1.2 million IT professionals visit DNSstuff.com every month to run tests on their DNS domains. Many of the website's tools are free, but a year ago the company started building premium tools in order to monetize its site. Last month, the company announced DNSalert 2.0, a tool that automatically runs up to 55 tests against a customer's domain and mail servers and then sends alerts to users if it detects a problem. A network pro who is responsible for his company's DNS can set the alerting tool so that it sends a message straight to his BlackBerry.
DNSstuff.com offers a good set of tools for companies that are trying to get some baseline information on DNS, Whiteley said. For network teams that are still trying to build a business case for IP address management technology, DNSstuff.com is a good interim step for troubleshooting DNS, he added.
"If you are a network administrator or engineer who's in charge of scaling your bind environment, before you go out and do that, you need a pretty good set of tools to baseline your environment," Whiteley said. "How secure is my DNS at the moment? How reliable is it? How is it configured?"
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor