Experts argue over whether shallow DNS gene pool hurts web infrastructure

Similar code base puts kissing cousins in a BIND


Experts are split over whether a lack of 'genetic diversity' in the Domain Name System (DNS) infrastructure is leaving the internet at greater risk of attacks.

Four in five (80 per cent) of the world's internet-facing DNS servers are essentially genetically identical, according to Domain Name System vendor Secure64.

In the natural world, such a limited gene pool would leave a species vulnerable to a single disease, as most graphically illustrated by the potato blight that hit crops throughout Europe during the 1840s. Lack of diversity in DNS technology could be similarly bad news because a single successful attack could theoretically take down a massive portion of global DNS infrastructure.

Most of the world’s DNS servers rely on the same DNS code base (BIND, Berkeley Internet Name Domain), creating the potential for a global internet wobble in the event of a sophisticated attack or virus. And more than a dozen major vulnerabilities have been reported in BIND DNS software, which underpins much of the web's DNS tech from multiple vendors.

'You don't hear about them, but exploits do occur'

Secure64 was unable to cite a clear example of a critical security bug in BIND that might be an agent in the doomsday scenario it presents. The firm nonetheless maintains that the risk from a lack of diversity in DNS systems is all too real.

"Most exploits are never reported in the media for obvious reasons, but DNS experts know that these exploits do occur," Mark Beckett, VP of marketing at Secure64, explained. "This is why most operators of large DNS networks are very concerned about patching security vulnerabilities very quickly, as they don’t want to risk loss of service availability for their users or customers."

Beckett was able to cite a couple of examples of exploits, but whether these attacks are severe enough to be categorised as super-critical is debatable.

Greater diversity at the hardware, operating system and application layers would contribute greater resistance against DNS attacks or at least offer a fallback system when servers need to be patched, according to Secure64.

"Any software product can have vulnerabilities, but BIND is an especially attractive target because it is so widely deployed," argues Dr Bill Worley, CTO of Secure64 and a former chief scientist at HP. "When a company’s DNS infrastructure is entirely dependent on one technology, that’s an obvious risk. That is why genetic diversity is so important for DNS infrastructure."

"Organisations that exclusively use BIND-based commercial DNS products are forced to spend unplanned time upgrading software on their DNS infrastructure or risk exposing their DNS service to attack and disruption. This endless cycle of patching increases both risk and operational costs. Genetic diversity at the hardware, operating system and application layers protects customers against vulnerabilities that affect other DNS variants."

Overstating the risks to drum up biz? Who us?

However, other DNS experts, while agreeing that diversity was important on the wider scale, said that Secure64 was overstating the case for businesses to switch to a two-supplier approach while ignoring some of the practical problems involved in maintaining a relationship with two or more suppliers.

Cricket Liu, vice president of architecture at DNS appliance firm Infoblox, explained: "I tend to agree with the general premise that 'genetic diversity' is important. But the idea that over 80 per cent of the world's DNS servers are essentially genetically identical isn't accurate. The population of Microsoft DNS Servers is just enormous, though they tend to be used internally."

"The requirement for genetic diversity is a systemic requirement, not a requirement of any single organisation's DNS infrastructure. Yes, we want the root name servers to exhibit such diversity (and they do by running a mix of implementations), but there's a very high price to an organisation to running multiple code bases: the need for additional, specialised expertise; the danger that the overall quality of administration degrades; the need to manage multiple vendor relationships; the danger of interoperability issues and inconsistent feature support."

Secure64's Beckett conceded that Liu had raised a valid point. "It is harder to manage multiple software products than a single one, so most organisations don't do it," Beckett told El Reg. "But some larger organisations are starting to adopt a DNS diversity strategy, despite its extra overhead, in order to mitigate the risk of a software failure in a single component.

"We suggest that what is good for the internet (genetic diversity of DNS) can also be good for an individual organisation," he added.

Secure64 markets DNS servers based on NSD (Name Server Daemon) and not BIND. Beckett denied suggestions that its warning about genetic diversity was either a disguised sales pitch or an example of mud-slinging against BIND.

"This is not a commercial versus open source argument, nor is it a 'my product is better than yours' argument. It is simply a security best practice to bolster your resistance to potential failures in one piece of software by deploying at least one other completely different implementation in your network. So you could diversify your authoritative name servers by deploying both BIND and NSD, for example (in fact, this is exactly the strategy deployed by the root servers and many of the large top level domains) so that a bug in one implementation is unlikely to affect the other. Or you could deploy a commercial resolver like Secure64 DNS Cache with BIND or djbdns and you would bolster your resolving infrastructure in the same way.

"You just have to make sure that you deploy two 'genetically different' implementations. Deploying BIND with a commercial, BIND-based appliance does not provide you with the desired diversity, for example," Beckett concluded. ®
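Beckett's closing point, that two nameservers only count as diverse if they run genuinely different code, is something an operator can sanity-check rather than take on trust. The following is an added example, not code from Secure64, Infoblox or the article: it builds the CHAOS-class `version.bind` TXT query that most authoritative servers answer, parses the wire-format reply with the standard library only, maps the self-reported banner to an implementation family, and reports whether a zone's NS set shows at least two distinct families. The sample replies are constructed inline (nothing is sent on the wire), and the banner formats (BIND answering with a bare `9.x.y` version, NSD with `NSD 4.x`, Knot with `Knot DNS`, PowerDNS with `PowerDNS ...`, Unbound with `unbound ...`) are assumptions from the defaults of those projects; a rebranded appliance may change or hide its banner, which is exactly why a "unknown" answer is not counted as diversity.

```python
"""Added example: audit implementation diversity of a zone's nameservers
using the CHAOS-class version.bind query. Standard library only; runs offline
against constructed sample responses."""
import re
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, zero terminator."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_version_query(txid=0x1234, name="version.bind"):
    """Query packet: one question, TXT type, CHAOS class (the classic banner probe)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def build_version_response(txid, txt, rcode=0):
    """Constructed sample reply (not captured traffic): QR+AA set, one TXT answer
    whose owner name is a compression pointer to the question at offset 12.
    rcode=5 models a server configured to refuse version.bind."""
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 1 if rcode == 0 else 0, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    if rcode:
        return header + question
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def _skip_name(buf, off):
    """Offset just past a wire-format name, handling compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_txt_answers(resp):
    """Return the TXT strings in the answer section; [] on any non-zero RCODE
    (REFUSED is the usual answer from servers that hide their version)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F != 0:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # qtype + qclass
    strings = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):          # TXT rdata: sequence of <len><chars>
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
    return strings


# Assumed default banner shapes; verify against your own servers.
FAMILY_PATTERNS = [
    ("NSD", re.compile(r"^NSD\b", re.I)),
    ("Knot", re.compile(r"^Knot DNS\b", re.I)),
    ("PowerDNS", re.compile(r"^PowerDNS\b", re.I)),
    ("Unbound", re.compile(r"^unbound\b", re.I)),
    ("BIND", re.compile(r"^9\.\d+\.\d+")),   # BIND's default banner is a bare version
]


def classify(version_strings):
    for s in version_strings:
        for family, pat in FAMILY_PATTERNS:
            if pat.search(s):
                return family
    return "unknown"


def audit_diversity(responses):
    """responses: {nameserver: raw reply bytes}. Returns (family per NS,
    set of distinct *known* families, True if at least two known families).
    'unknown' never counts toward diversity: a hidden banner proves nothing."""
    per_ns = {ns: classify(parse_txt_answers(r)) for ns, r in responses.items()}
    known = {f for f in per_ns.values() if f != "unknown"}
    return per_ns, known, len(known) >= 2


def probe_live(ns_ip, timeout=2.0):
    """Optional: send the probe to a real server (not used by the offline run)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (ns_ip, 53))
        return s.recv(512)


# Constructed sample: two authoritative servers plus one that refuses the probe.
SAMPLE = {
    "ns1.example.net": build_version_response(0x1234, "9.16.27"),
    "ns2.example.net": build_version_response(0x1234, "NSD 4.3.9"),
    "ns3.example.net": build_version_response(0x1234, "", rcode=5),
}

if __name__ == "__main__":
    per_ns, families, diverse = audit_diversity(SAMPLE)
    for ns, fam in per_ns.items():
        print(f"{ns:20s} {fam}")
    print("known families:", sorted(families), "| diverse:", diverse)
```

The audit is a sanity check, not proof: `version.bind` is self-reported and many operators disable it or set a decoy string, so a mixed result still needs confirming against what was actually deployed. The useful failure mode it does catch is the one Beckett describes: two servers that both answer with a BIND-style banner, one of them an appliance, are reported as a single family and the verdict is not diverse.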
