
Have You Monitored Your DNS Performance Lately?

Domain Name System (DNS) surveys such as that recently conducted by Men & Mice continually demonstrate that the DNS is riddled with errors. Since the DNS continues to work, this raises three questions:

1. Does it matter that the DNS is riddled with errors?
2. Why is it riddled with errors?
3. How can it be fixed?

1. Does it matter that the DNS is riddled with errors?

Since the DNS is usually configured as a redundant system with 13 root servers, and most registrars ask for two DNS servers, some problems such as lame servers don't immediately disrupt the operation of email and websites.

But unless these problems are identified and fixed, they will eventually result in unnecessary downtime. I have seen several RAID arrays with two broken disks, a result of failing to monitor the array and replace the first broken disk in a timely fashion. The DNS is no different. Other problems, such as the use of DNS software with known security holes, may allow people to steal a website's traffic or misdirect it using a particular recursive DNS server.

So the question "does it matter?" can be answered only by answering these key questions:

a) How important is it for your DNS to work correctly?
b) How long can your company risk not receiving emails or traffic to the site?
c) How important is it that your email not be intercepted?

Some problems with DNS configuration, such as insufficient redundancy in server locations, are minor problems for small companies. If their ISPs or Internet connections are having trouble, dealing with a broken DNS at the same time is a minor irritation. Standards-conforming mail transport agents will queue email until the problem is fixed.

Eighth Layer, my own IT company, takes this view: The 'eighth-layer.com' domain does not have the redundancy I would like, but it is sufficient for the usage obtained. The money and effort put into its maintenance are minimal.

But as soon as companies have multiple sites connected to the Internet, or start engaging in ecommerce, security and availability of the DNS become much more vital.

2. Why is it riddled with errors?

There are, I suspect, two main reasons why the DNS has so many errors. The first problem is know-how. The DNS is a relatively simple system clouded by obscure terminology (as always in IT), but many in-house IT staff have little regular exposure to it. They make changes maybe once a year or when something goes wrong, and in between forget all they had figured out to make it work in the first place. They often haven't read the RFCs (Requests For Comments) detailing common errors, and don't have the knowledge to determine whether what they have done is correct. So if it seems to be working they leave it, and if it doesn't they fiddle with it till it does.

The second problem is simply lack of maintenance, in particular a failure to monitor changes to the DNS, whether your own or the parent domain's (usually zones like ".com" and ".co.uk"). Let's look at two zones I monitor on a weekly basis — "eighth-layer.com" and "dclug.org.uk", the Devon and Cornwall Linux User Group (D&C LUG).

The first hasn't had any changes requested by us in two years, yet my monitoring shows that the company maintaining it makes a change about once every three months. Most changes aren't important, but on one occasion they dropped the entire zone.

The Linux user group domain has been far more active, maintained by another member of the D&C LUG. It has had its name servers changed several times, and I've picked up the odd minor inconsistency in these changes. Here, though, we also picked up a couple of incorrect changes to the "org.uk" domain, and were able to notify the administrators (who presumably don't monitor their DNS servers as closely as we do), and thus help preserve the redundancy and performance of the "org.uk" domain as well as our own.

The failures of parent domains, particularly to maintain secure and available DNS services, have not been a huge problem with the DNS. I believe this is largely because those with malicious intent have preferred other means of attack. Because large numbers of people are affected by outages of these domains, when a failure occurs it is usually picked up quickly. But helping to avoid outages in the first place, given that it is a necessary part of one's own monitoring, must be better for all concerned.

3. How can it be fixed?

The most important step you can take is to monitor the DNS for problems on a routine basis. If you run DNS servers yourself, routine maintenance of a server, including reading, understanding and fixing errors in the logs, is vital. Regardless of who looks after your DNS domains, you should ensure that the consistency of the information is checked routinely. Whether you use relatively simple, free tools such as "doc" by Brad Knowles, or a sophisticated tool such as DNS Expert from Men & Mice, routine monitoring is key in ensuring the DNS remains properly configured.
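As an added example (not code from the post, nor from "doc" or DNS Expert), here is the kind of consistency check that the routine monitoring above and the weekly zone watch in section 2 call for, run offline over a constructed snapshot; all host names, serials and the snapshot layout are assumptions.

```python
"""Delegation-consistency check over a polled snapshot (constructed data, not real).
A poller such as dig would fill in: the NS set the parent zone delegates to, and
for each delegated host its own NS answer and SOA serial, or None if it did not
answer authoritatively for the zone (a lame server)."""

from typing import Dict, List, Optional, Set

Answer = Optional[Dict[str, object]]

def check_delegation(parent_ns: List[str], answers: Dict[str, Answer]) -> List[str]:
    """Return human-readable problems; an empty list means the zone is consistent."""
    problems: List[str] = []
    parent: Set[str] = set(parent_ns)
    if len(parent) < 2:
        problems.append("fewer than two delegated name servers")
    serials: Dict[str, int] = {}
    for host in sorted(parent):
        ans = answers.get(host)
        if ans is None:  # delegated by the parent but not authoritative: lame
            problems.append(f"lame server: {host} is delegated but not authoritative")
            continue
        child = set(ans["ns"])  # the NS set the server itself publishes
        if child != parent:
            problems.append(f"NS mismatch at {host}: parent={sorted(parent)} child={sorted(child)}")
        serials[host] = int(ans["serial"])
    if len(set(serials.values())) > 1:  # secondaries out of step with the master
        problems.append(f"SOA serial mismatch: {serials}")
    return problems

def diff_ns_sets(previous: List[str], current: List[str]) -> List[str]:
    """Report changes between two weekly snapshots of the delegation, including
    the 'zone dropped' case where the current delegation is empty."""
    prev, cur = set(previous), set(current)
    if prev and not cur:
        return ["zone dropped: no delegation found"]
    return [f"added {h}" for h in sorted(cur - prev)] + [f"removed {h}" for h in sorted(prev - cur)]

# Constructed snapshot: three delegated servers; ns3 is lame, ns2 lags one serial
# and publishes a shorter NS set than the parent delegates.
PARENT_NS = ["ns1.example.net", "ns2.example.net", "ns3.example.net"]
ANSWERS: Dict[str, Answer] = {
    "ns1.example.net": {"ns": PARENT_NS, "serial": 2024010102},
    "ns2.example.net": {"ns": ["ns1.example.net", "ns2.example.net"], "serial": 2024010101},
    "ns3.example.net": None,
}
LAST_WEEK_NS = ["ns1.example.net", "ns2.example.net"]  # previous week's delegation

if __name__ == "__main__":
    for line in check_delegation(PARENT_NS, ANSWERS) + diff_ns_sets(LAST_WEEK_NS, PARENT_NS):
        print(line)
```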

You may also choose to have your entire DNS outsourced to an infrastructure solution provider such as UltraDNS. In my experience, many organizations who run their DNS servers themselves would be better advised not to. In a private survey of large private companies local to the Eighth Layer office, all those who managed their DNS themselves had an error of some type. One company allowed its ISP to manage all but one domain (the MX record for each domain, where email is delivered to a privately managed domain), and every domain but that one was properly redundant and well configured.

It is also important to ensure that appropriate upgrades are made to the DNS software to address security concerns. The Internet Software Consortium, which is responsible for the most widely used DNS software, releases all its security announcements through CERT, so the staff responsible for monitoring the DNS should make sure they are on CERT's advisory mailing list. Other vendors of DNS software have their own channels for distributing such information.

By Simon Waters, Consultant.
