DNS Turns 20 Years Old

Some thoughts on DNS reliability and security

The Domain Name System (DNS) turned 20 years old yesterday, the 22nd of June 2003. Like the Internet's version of the white pages, DNS translates host names (www.jasonc.com) into corresponding numerical addresses (64.81.242.139). Because data packets on the Internet are routed only by numerical addresses, working, reliable DNS service is very important. Indeed, loss of DNS service, whether due to a configuration error or a network problem, is effectively the same as loss of Internet service for many. Likewise, an attacker gaining control of local DNS service usually corresponds to his/her gaining control over nearly all data flows on the affected network.

It's crucial for enterprises and individuals to have reliable and secure DNS service. Unfortunately, DNS is often difficult to install and maintain, unreliable, and insecure. Some surveys estimate that 30% of "network failures" are actually due to misconfigurations or failures of DNS. To make matters worse, a number of serious security holes have been discovered in the most common software used to implement DNS, the Berkeley Internet Name Daemon, aka BIND. Some estimates suggest the majority of DNS servers on the Internet are vulnerable to one or more of these holes. And while exploitation of these vulnerabilities was initially rare, in recent years DNS attacks have become a staple of network intruders. One vulnerability, known as "cache poisoning", is particularly serious because it has been difficult to entirely prevent given the current DNS protocol. Even up-to-date installations of BIND can fall victim to it.

Security experts refer to a "window of vulnerability" between the time a new security hole is discovered and the time an appropriate patch is installed. In practice, the window "opens" and "closes" gradually because information about new vulnerabilities takes time to disseminate and patches take time to distribute and install on what may be hundreds of thousands of affected servers. The window of vulnerability for DNS systems tends to be lengthened because BIND and DNS are very complex and can be difficult to upgrade. Given the justified caution system administrators feel about making any change to their complicated and mission-critical DNS systems, this window can stretch to months or even years.

All this suggests that an alternative to BIND would be a healthy and welcome development. Such an alternative should be easy to install and maintain, highly reliable, and offer multiple layers of security. There are in fact quite a few free DNS server projects. Many are incomplete or have been abandoned, and others have fallen victim to DNS-political issues and personality conflicts. There are also several commercial DNS server products, each with different feature sets and intended customers. Nothing has achieved widespread use so far.

to be continued...

Some free DNS server projects:
NSD
djbdns / Oak
Posadis
MaraDNS
MyDNS
ldapdns
PliantDNS
Eddie's Enhanced DNS
pdnsd (caching only)
pdnsd (unmaintained)
Yaku-NS (abandoned)
Dents (abandoned)
CustomDNS (abandoned)

Some commercial DNS server products:
Incognito Name Commander (software)
UltraDNS Managed DNS Service (ASP)
PowerDNS Software
Microsoft DNS Server (software)
Cisco Network Registrar (software)
Lucent VitalQIP (software)
Simple DNS Plus (software, Windows-only)
QuickDNS

Notes:
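The essay describes DNS as a name-to-address lookup and singles out cache poisoning as hard to prevent with the current protocol. The following example, added here and not part of the essay or of any project it lists, makes that concrete at the wire level: it builds a DNS query and a constructed answer in the RFC 1035 message format, parses the answer back into a name and an IPv4 address, and applies the checks a resolver performs before accepting a reply (QR bit set, transaction ID equal, question section echoed). It goes beyond the essay's one-sentence description by showing that, absent DNSSEC, those checks are all the protocol offers for binding an answer to the question that was asked. The name www.jasonc.com and address 64.81.242.139 come from the essay; the transaction IDs, TTL and the second address 192.0.2.1 are constructed sample values.

```python
import struct

# Record type and class constants used below (RFC 1035)
TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted host name as DNS labels: length byte, label bytes, terminating 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset off, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared at off)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid, name, qtype=TYPE_A):
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, address, ttl=300):
    """Constructed sample answer: echo the query's ID and question, add one A record.
    0xC00C is a compression pointer to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = struct.pack("!H", 0xC00C)
    rr += struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    rr += bytes(int(octet) for octet in address.split("."))
    return header + query[12:] + rr


def parse_message(msg):
    """Parse header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # render IPv4 address
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def validate_response(query, response):
    """The resolver-side acceptance checks: a reply (QR bit) whose transaction ID
    and question section both match the outstanding query. Returns (ok, reason)."""
    q, r = parse_message(query), parse_message(response)
    if not r["flags"] & 0x8000:
        return False, "not a response"
    if r["id"] != q["id"]:
        return False, "transaction id mismatch"
    if r["questions"] != q["questions"]:
        return False, "question mismatch"
    return True, "ok"


if __name__ == "__main__":
    q = build_query(0x1234, "www.jasonc.com")
    r = build_response(q, "64.81.242.139")
    print(validate_response(q, r), parse_message(r)["answers"])
```

The transaction ID is a 16-bit field and the question section is public information, so these checks reject only replies that do not match an outstanding query; they cannot distinguish a genuine reply from one that happens to carry the right ID, which is why the essay can say the protocol alone does not close the hole.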
copyright © 2003 Jason D. Campbell,
All Rights Reserved.
File /docs/essays/dns-20.mason, updated 23 June 2003