
NIPC urges more attention to domain servers


By Jaikumar Vijayan

(IDG) -- Corporations need to ensure that their domain name servers are fully redundant and geographically dispersed to avoid risking prolonged loss of connectivity to services such as Web browsing, remote log-in and e-mail, the National Infrastructure Protection Center (NIPC) has cautioned.

In its monthly publication, "Highlights," posted on its Web site Friday, the Washington-based NIPC said the Domain Name System (DNS) can be an often overlooked single point of failure, "presenting a risk of total loss of electronic connectivity" for many companies.

A DNS is used to locate and translate domain names from plain text into a machine-friendly, numeric Internet Protocol (IP) address. The conversion from domain names to IP addresses is done by domain name servers. Every domain has at least one domain name server handling such requests. While many companies pay their Internet service provider or hosting company to handle the name server function, many large corporations prefer to create and administer their own domain name servers.

The major risk factors associated with DNS failure are a lack of redundancy, misconfigurations and architectural flaws in the way such servers are set up, the NIPC said.

Many organizations, for instance, depend on just one name server to handle all requests. If that server were to go down, access to all Web services would be taken down with it.

Sometimes, even companies that have multiple domain name servers make the mistake of putting them all on the same network segment, making them simultaneously unavailable should something happen to the network segment, the NIPC said.

That's what happened to Microsoft Corp. in January when a misconfigured router cut off access to a part of the network that housed all of Microsoft's domain name servers (see "Microsoft Web sites hit by denial-of-service attack," link below). Many crucial Microsoft Web services became unavailable, some for as long as 24 hours.

A surprisingly large number of U.S. corporations make such mistakes, the NIPC said, citing figures from Men & Mice, a Reykjavik, Iceland-based research and consulting firm specializing in DNS.

In a survey conducted September 28, Men & Mice discovered that as many as 250 of the Fortune 1,000 companies had all of their domain name servers on the same subnet, said Jon Adalsteinsson, the firm's chairman. That number represented a slight increase from the 246 recorded in January. The same survey conducted on a random sample of 5,000 dot-com domains showed 35 percent making the same mistake.

Government domains didn't fare much better. In a November 8 survey of more than 1,000 government domains, 23 percent had all their domain name servers on the same network segment, Adalsteinsson said.

Among other problems discovered during the survey were misconfigured domain servers and those running old DNS software, both of which could compromise security, he said.

"The funny thing is companies have redundant Web servers and [around-the-clock] monitoring and on-call service but forget about the DNS servers that control access to all of this," Adalsteinsson said. "If the DNS goes down, all of the other redundancy doesn't even come into play."

To address this issue, companies can disperse "name servers across geographic locations, arrange for mutual backup DNS service with another company or contract with a third party to provide additional name servers," the NIPC said.
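As an added illustration (not part of the NIPC publication or the Men & Mice survey), the two conditions described above, a single name server and all name servers on one subnet, can be checked from a zone's name server addresses. The zone names, the addresses and the /24 and /48 subnet boundaries are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample data: name server -> addresses, as an operator would
# collect from NS and A/AAAA lookups. Names and addresses are illustrative
# (reserved documentation ranges), not taken from the article.
SAMPLE_ZONES = {
    "single.example": {"ns1.single.example": ["192.0.2.10"]},
    "samesubnet.example": {
        "ns1.samesubnet.example": ["198.51.100.5"],
        "ns2.samesubnet.example": ["198.51.100.77"],
    },
    "dispersed.example": {
        "ns1.dispersed.example": ["192.0.2.53"],
        "ns2.provider.example": ["203.0.113.53"],
    },
}


def networks(addresses, v4_prefix=24, v6_prefix=48):
    """Collapse addresses to enclosing networks (prefix lengths are assumptions)."""
    nets = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return nets


def audit_zone(nameservers, v4_prefix=24):
    """Return redundancy findings for one zone's name server set."""
    # A listed server with no address cannot answer queries, so it adds no redundancy.
    findings = [f"{ns}: no address" for ns, addrs in nameservers.items() if not addrs]
    usable = {ns: addrs for ns, addrs in nameservers.items() if addrs}
    if len(usable) < 2:
        findings.append(f"only {len(usable)} usable name server(s)")
        return findings
    nets = networks((a for addrs in usable.values() for a in addrs), v4_prefix)
    if len(nets) == 1:
        # Every server shares one network segment: one outage removes them all.
        findings.append(f"all name servers in {next(iter(nets))}")
    return findings


if __name__ == "__main__":
    for zone, servers in SAMPLE_ZONES.items():
        print(zone, audit_zone(servers) or ["ok"])
```

Sharing a subnet is only a proxy for sharing a failure domain: servers in different subnets can still sit behind the same router or in the same building, so a clean result here does not establish the geographic dispersal the NIPC recommends.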

