Although to be fair, the point still stands. DNS is inherently insecure, and anything you can do to improve it is worth doing. Just look at OpenDNS - an entire business based on (initially) a free DNS service.
How many people would pay for DNS? If you had asked this question during the late nineties, the answer would have been a very small number indeed. DNS is free; anyone can download a copy of BIND and set up a DNS server. Today, however, millions of companies pay good money for DNS hosting. When I spoke to Rodney Joffe at …
Some of the article made sense but the cloud FUD was laughable. All the article needed was a couple of "cybers" and a "think of the children" :-)
In the past, I have found companies usually only go for this sort of ad when they are desperate for new business. And being desperate usually implies some sort of problem...
There are good reasons why you should outsource DNS but very very good reasons why this has to be assessed and managed - and if as Mr Joffe suggests DNS is business critical then outsourcing for anyone capable of running their own secure systems could be one risk too far.
Regarding that Chinese routing cockup, can anyone justify why their BGP peers were just accepting any old path from the Chinese routers rather than applying an AS-path filter as should be done? This isn't a problem with the technology, it's a problem with the implementation.
Like that guy at LINX who advertised a DG via null0 and everyone just dumped their traffic into it because they hadn't applied filters. I can't believe it happened again!
Any competent CTO should be using VPNs, transport layer security, encryption, etc. to connect their sites and talk to customers. So they shouldn't be worried in the slightest if traffic they're sending over the Internet takes a detour via China. Or at least, they should be as equally worried as if it detours via the UK (hi Echelon!) or the USA (hi secret NSA wiretap orders!).
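The peer-side filtering the comment above says was missing, as an added Python example (not code from the thread or from any vendor): a route received from a peer is accepted only if its first AS is the peer we expect, its AS path is not implausibly long, and the origin AS is authorised for the prefix. All ASNs and prefixes are constructed sample values.

```python
import ipaddress

# Constructed policy, not real routing data: per peer, the ASN we expect as the
# first hop of the path, and per prefix, the origin ASNs authorised to announce
# it plus the longest more-specific we will accept (RPKI-style maxLength).
EXPECTED_FIRST_HOP = {"peer-a": {64501}, "peer-b": {64502}}
ALLOWED_ORIGINS = {
    ipaddress.ip_network("192.0.2.0/24"): ({64501}, 24),
    ipaddress.ip_network("198.51.100.0/22"): ({64502}, 24),
}
MAX_AS_PATH_LEN = 10


def evaluate_route(peer, prefix, as_path):
    """Return (accept, reason) for a prefix announcement received from peer.

    as_path is the AS_PATH as received: first element is the neighbour,
    last element is the origin AS.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if not as_path:
        return False, "empty AS path"
    if as_path[0] not in EXPECTED_FIRST_HOP.get(peer, set()):
        return False, "first hop AS%d unexpected for %s" % (as_path[0], peer)
    if len(as_path) > MAX_AS_PATH_LEN:
        return False, "AS path implausibly long"
    origin = as_path[-1]
    # Policy entries that cover the announced prefix (equal or less specific)
    covering = [k for k in ALLOWED_ORIGINS
                if net.version == k.version and net.subnet_of(k)]
    if not covering:
        # Unknown address space: this filter cannot judge it, let other policy decide
        return True, "no policy for prefix"
    policy = max(covering, key=lambda k: k.prefixlen)   # most specific entry wins
    origins, max_len = ALLOWED_ORIGINS[policy]
    if origin not in origins:
        return False, "origin AS%d not authorised for %s" % (origin, policy)
    if net.prefixlen > max_len:
        return False, "more-specific than permitted max length /%d" % max_len
    return True, "accepted"
```

A rejected route should also be logged with the peer and path, since a burst of rejections from one neighbour is the earliest signal that it is leaking or mis-originating prefixes.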
I'm sorry, but what does a dodgy Chinese ISP incorrectly announcing IP ranges have to do with DNS?
It's all fine and dandy if your DNS resolves correctly, but if someone else has announced that IP block and the routers between your users and your servers route the customer's traffic the wrong way based on that announcement, DNS isn't going to help you there, no matter how much you might be paying for "premium" DNS services.
While I understand that ideally we should specialize in one field and let others specialize in other fields, I have seen so many problems in outsourcing that I don't think it's always a good idea.
In an ideal world with tons of money and reliable outsourcing companies, with reliable, honest and competent employees, I should outsource every aspect of my IT structure to the best consultants (or contractors, or outsourcers) for that aspect. Firewall, DNS, backups, and so on.
Realistically, I don't have enough money to pay for the best, and outsourcing companies employ underpaid and incompetent people just to maximize profit. And screw the customer's needs.
A customer of mine (I am a freelance sysadmin) had outsourced the interconnection between its offices to the telecom company (they bought managed firewall, vpn, and inter-office routing, plus internet access, obviously) and it was a disaster. Ask for a change, file a request via fax, wait for 3 days, get the WRONG config, repeat, get the right config but they damaged something else in the process. Also, we didn't really know how secure the setup was.
After some years of moaning, I convinced them to do it internally. We now have a much faster network, easily and immediately deployable configuration changes, we know exactly how secure (or insecure) our setup is, and when we don't need changes, the cost is also lower (that is, near zero). Obviously when we need big changes they have to pay for my services, but I still think it will cost less than the previous setup. And it works properly, too.
The REAL problem is that the internet was never designed to let 'everyone' onto it.
It was never supposed to be open.
We need a complete redesign of EVERYTHING!
From how addresses are allocated, how traffic is routed and to naming technology and conventions.
Oh, and fix email at the same time...
I'm a little unsure why precisely signing up with this firm is any better than correctly configuring one's own damned DNS. Especially since I'm sure there's buried in the fine print of the contract that they are NOT liable for incidental or consequential damages of cache poisoning, which they can't stop from happening to at least small chunks of network at a time. Even if it were the case, the LAST THING that would be helpful would be to create a circumstance where there's a one-stop shop, centralized point of attack that DNS poisoners would maximally benefit from poisoning. That is, if they can poison the lookups fetching addresses of MegaloDNS servers, they can hang onto the ENTIRE representation of the internet instead of to specific domains, much longer, and with even LESS chance of users noticing. Centralizing the point of failure is seldom the right answer to these kinds of problems.
> I'm a little unsure why precisely signing up with this firm is any better than correctly configuring one's own damned DNS.
That probably means one shouldn't be in charge of a serious DNS server. Or DNS isn't important to one or one's company.
The platform UltraDNS offers is awesome. They have a global footprint of anycast name servers in co-lo facilities with lots of bandwidth, secure access, backup power supplies, round the clock monitoring, defense in depth from ddos attacks, etc. I doubt anyone apart from professional DNS hosting providers can come anywhere close to delivering that level of infrastructure. If one did do that by oneself, one would know about it.
Whether or not that sort of platform is the only way to have properly configured DNS is another debate. Now one might be able to correctly configure one's own damned DNS without that level of backup. Maybe that quality of service doesn't matter to one. Or one's DNS isn't that important. Either way, one should be fairly certain whether this level of DNS service is any better or not than doing it oneself. One shouldn't be in any doubt about this.
One has chosen the Paris icon because one understands she knows the value of spreading oneself all over the place. Even the servant's quarters and possibly the tradesman's entrance.
It's important to outsource DNS because it seems some sysadmins are not capable of understanding the difference between traffic routing a certain way because of BGP routing failures and traffic routing the right way by BGP but being told to go to the wrong IP address by DNS.
And as for some random DNS provider claiming it is fixing DNS's security problems by introducing its own systems to combat cache poisoning etc...
What ? Why ?
Joining in with DNSSEC would be a more sensible solution than trying to shore up the existing technology. OpenDNSSEC is an open source package, so anyone can join in.
Then you just need a decent network/security administrator to put a security wrap around your systems and most of your "security" problems are solved.
"This is why DNS isn't just another service that the IT department takes care of"
Oh yeah! I love this one... so, what does the IT department take care of?
Those services we haven't yet figured out an easy way to milk from those corporate idiots who think an IT admin should be like an electrical contractor?
That's the internet. Routing is not determinable.
If you want privacy and security, you go for private networks, not public ones. At the very least, you go for VPNs --- which might, of course, still get routed through China!
Sorry: wrong problem, wrong answer.
Rather than making things more complex, let's make them less complex.
Let's just reduce the dynamic aspect. Imagine how the postal service would fail if someone was rearranging the street signs every day? All we need is for people to start frowning on domains that hop all over the address space minute to minute. The more stuff jumps around the more chances there are for things to go wrong. If DNS expiration was measured in hours or days think how much less infrastructure would be needed, how much less traffic there would be and how much latency could be removed. Use the address you got yesterday. IFF that fails then query the DNS.
We've reached the point where the technology is demanding more technology only to support the technology. It's time to get back to basics. Yeah, I know, we need the IPv6 address space to make it work. Then people could actually keep the same address on a box for more than a few minutes.
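The "use the address you got yesterday, query DNS only if that fails" policy above, sketched as an added Python example that is not the commenter's code: the cache returns the last-known address as long as it still answers, and only falls back to a DNS query when it does not. The lookup and probe callables, host names and addresses are constructed stand-ins so the example runs offline.

```python
import time


class StaleFirstCache:
    """Address cache that prefers the last-known answer over a fresh DNS query."""

    def __init__(self, lookup, probe, clock=time.time):
        self.lookup = lookup        # name -> address: the actual DNS query
        self.probe = probe          # address -> bool: does the host still answer?
        self.clock = clock
        self.entries = {}           # name -> (address, fetched_at)
        self.queries = 0            # how many DNS queries we actually made

    def resolve(self, name):
        cached = self.entries.get(name)
        if cached is not None:
            address, _fetched_at = cached
            # Yesterday's address is used regardless of age as long as it works;
            # in practice the probe is the connection attempt itself.
            if self.probe(address):
                return address
        # No cached answer, or the cached host stopped answering: ask DNS now.
        self.queries += 1
        address = self.lookup(name)
        self.entries[name] = (address, self.clock())
        return address


def demo():
    """Constructed scenario: a service moves once; count the DNS queries made."""
    live = {"198.51.100.10"}                         # constructed address
    answers = {"www.example.test": "198.51.100.10"}  # constructed DNS data
    cache = StaleFirstCache(lambda n: answers[n], lambda a: a in live)
    first = cache.resolve("www.example.test")        # cold cache: one query
    for _ in range(100):
        cache.resolve("www.example.test")            # all served from cache
    # The service moves: the old address stops answering, DNS now says the new one
    live.discard("198.51.100.10")
    live.add("198.51.100.20")
    answers["www.example.test"] = "198.51.100.20"
    second = cache.resolve("www.example.test")       # probe fails: second query
    return first, second, cache.queries
```

A probe that merely answers is not proof the address still belongs to the intended service, so the probe should be the authenticated connection itself (for example a TLS handshake that validates the certificate) so that a stale address which has since been reassigned is rejected rather than trusted.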
Having worked on the outsourcing end for quite a while, (my team and I managed around 750k active IP addresses worldwide) I dare to say I know and understand a thing or two about DNS/DHCP (most of the times those two services go hand in hand).
The biggest problem that I found is the fact that the IT infrastructure of companies grows exponentially in comparison to the company itself.
This means that an admin, who initially is in charge of everything, very quickly loses the capability to continue to administer the infrastructure by himself. That does not necessarily mean that he lacks the skill, but just the physical resources.
When you then leave everything on default settings and just make the odd little change here and there, and not document the mods (after all I am on my own, and I just don't have the time!), then there is a massive problem when the company decides to make policy changes.
It is not unheard of that a DNS/DHCP migration takes 1-2 years, due to the complexity of existing systems, and lack of downtime windows.
I can only encourage all technical managers:
make sure that everything is documented properly!!! That is the MOST IMPORTANT RULE!!!
If you don't it is going to come back and haunt you.
If the documentation is poor or non-existent it is going to cost a multitude in the long run, rather than to employ a contractor to ensure this documentation is up to scratch!!!
I know what I am talking about!!!
And yes DNS is business critical!
Imagine all the web applications within the corporation not being able to function anymore, starting with salesforce.com, intranet, printing (unless printing by IP address).....
Oh and finally......
Windows DNS/DHCP may be nice and easy to set up, but in terms of scalability and maintenance (the term IPAM or IP Address Management springs to mind) a nightmare. And to migrate to something proper like QIP, Infoblox, OpenNetAdmin, or openIPAM, seems to have been made deliberately difficult, as data-sources are in various different formats and due to that, difficult to parse. (It's not impossible, but it certainly takes quite some experience.)
And for those who know it better: I am not talking of ten or twenty different networks within a tiny little organisation, but two or three thousand within a medium sized enterprise.
that some critical comments got through. Mine, that was posted before any of these, was rejected, even though it says nothing worse than many that got through. I wonder how many from other people were rejected as well.
I'm still wanting a reason added for comment rejection. I know that this is a moderated forum, but I was not abusive or insulting, the grammar and spelling was at least fair to good, and I was commenting on the technical accuracy of the article, although I did accuse the article of being a barely disguised advert. But so did the first comment that got through.
Could we at least know for sure that the comments are not moderated by the author of the article? That would at least give us confidence that critical comments have a fair chance to get through.
Peter, I suspected that my post would be rejected.
I have no problem with migrating public DNS onto a managed service but I have seen one outsourcer get a customer to migrate their *internal* DNS (windows network) to their managed service. To say it was a disaster (timeouts, network congestion, latency) is an understatement.
Moving to a managed service is a smart move *at the right time* but at the wrong time or outsourcing the wrong thing (or to the wrong people) can be a nightmare.
Personally I think anyone who writes a "content free" FUD article just damages his employer's reputation which is why I will not write for work - doing it "right" just takes too much time and effort :-)
Biting the hand that feeds IT © 1998–2019