NIPC urges attention to domain name servers

Corporations should ensure their domain name servers are geographically dispersed to avoid risking prolonged loss of connectivity to services such as Web browsing, remote log-in and e-mail, the US National Infrastructure Protection Center (NIPC) has cautioned.

The NIPC said last week that the domain name system (DNS) could often be an overlooked single point of failure, "presenting a risk of total loss of electronic connectivity" for many companies.

A domain name system is used to locate and translate domain names from plain text into a machine-friendly, numeric Internet Protocol (IP) address. The conversion from domain names to IP addresses is done by domain name servers. Every domain has at least one domain name server handling such requests. While many companies pay their Internet service provider (ISP) or hosting company to handle the name server function, many large corporations prefer to create and administer their own domain name servers.

The major risk factors associated with DNS failure are a lack of redundancy, misconfigurations and architectural flaws in the way such servers are set up, the NIPC said.

Many organisations, for instance, depend on just one name server to handle all requests. But if that server goes down, access to all Web services goes down with it.

Sometimes, even companies with multiple name servers make the mistake of putting them all on the same network segment, making them simultaneously unavailable should something happen to the network segment, the NIPC said.

This happened to Microsoft in January, when a misconfigured router cut off access to a part of the network that housed all of the corporation's name servers. Many crucial Microsoft Web services became unavailable, some for as long as 24 hours.

Among other problems discovered during the survey were misconfigured domain servers and those running old DNS software, both of which could compromise security, said Jon Adalsteinsson, chairman of Men & Mice, an Iceland-based research and consulting firm specialising in DNS.

"The funny thing is, companies have redundant Web servers and [around-the-clock] monitoring and on-call service but forget about the DNS servers that control access to all of this," Adalsteinsson said. "If the DNS goes down, all of the other redundancy doesn't even come into play," he said.

To address this issue, companies could disperse "name servers across geographic locations, arrange for mutual backup DNS service with another company or contract with a third party to provide additional name servers," the NIPC said.
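The two failure modes described above, a single name server and several name servers sharing one network segment, can be checked from a domain's NS records. The following is an added example, not from the NIPC advisory or the article; it takes name-server hostnames and addresses as you would collect them with `dig NS` plus an A/AAAA lookup of each server, and uses constructed sample data in the RFC 5737 documentation range. Treating a shared /24 (or /48 for IPv6) as "same segment" is an assumption of the example.

```python
"""Flag DNS single points of failure: one name server, or servers on one prefix."""
import ipaddress
from collections import defaultdict

# Constructed sample (RFC 5737 addresses): ns1 and ns2 sit on the same /24.
SAMPLE_NS = [
    ("ns1.example.com", "192.0.2.10"),
    ("ns2.example.com", "192.0.2.11"),
    ("ns3.example.com", "198.51.100.5"),
]


def group_by_prefix(ns_records, v4_prefix=24, v6_prefix=48):
    """Group name servers by the network prefix their address falls in.

    A shared prefix is a cheap proxy for "same network segment"; the prefix
    lengths are assumptions chosen for illustration, not a standard.
    """
    groups = defaultdict(list)
    for host, ip in ns_records:
        addr = ipaddress.ip_address(ip)
        plen = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        groups[str(net)].append(host)
    return dict(groups)


def find_dns_spof(ns_records, v4_prefix=24, v6_prefix=48):
    """Return a list of findings; an empty list means the servers look dispersed."""
    findings = []
    if len(ns_records) < 2:
        findings.append("only one name server: total loss of connectivity if it fails")
        return findings
    groups = group_by_prefix(ns_records, v4_prefix, v6_prefix)
    if len(groups) == 1:
        net = next(iter(groups))
        findings.append(f"all {len(ns_records)} name servers share {net}")
        return findings
    # Partial overlap: still report each prefix that hosts more than one server.
    for net, hosts in groups.items():
        if len(hosts) > 1:
            findings.append(f"{', '.join(hosts)} share {net}")
    return findings


if __name__ == "__main__":
    for finding in find_dns_spof(SAMPLE_NS) or ["name servers appear dispersed"]:
        print(finding)
```

In practice the same check should also consider the upstream router or ISP path, which a prefix comparison cannot see; the Microsoft outage above was caused by a single router, not a shared subnet alone.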
