Home page logo

nanog logo nanog mailing list archives

DNS Server domains was Re: GoDaddy.com shuts down entire data center?
From: Simon Waters <simonw () zynet net>
Date: Tue, 17 Jan 2006 09:13:46 +0000

On Tuesday 17 Jan 2006 01:04, you wrote:

Not having all your DNS servers in the same domain, or registered through
the same registrar, isn't a "best practice" that has previously occurred
to me, but it makes a lot of sense now that I think about it.

I think the general consensus in the DNS field is that for security reasons it 
is preferable to have as small a set of DNS servers (or perhaps as small as 
set of differently configured servers! Hmm physical security....) in the 
hierarchy above you as possible, since compromise of any of these could 
affect the results obtained for your domain.

See also DJBs "Trusted Servers" note.

Here there is a clear conflict between security through redundancy against 
accident, and resistant to compromise. Although it can be mitigated by 
choosing well managed parents zones.

Incidently we have DNS servers in two domains, but that is historical, and 
both top level domains are managed by Verisign, and delivered via the same 
set of servers. Thus we are dependent on "root-servers.net", 
"gltd-servers.net" and our own servers, only in the resolution of our own 
domain names (and customer domains, where those domains are in .com/.net). 

Of course arguably the effective working of some services (email?) are now 
also dependent on reverse DNS working well, and the delegation of that is 
different again.

That said I think the idea is sound against some issues (at which point one 
should probably also use different providers for the DNS registration 
services, since if their procedures are flawed....). However it does increase 
the risk of certain types of malicious activity, as in general it is 
sufficent to compromise one DNS server involved in serving a name to 
compromise the majority of the traffic (at least in theory, I haven't had a 
chance to prove this in anger yet).

Since we are moving a couple of our nameservers from their current domain, I 
think I'll look at putting them under co.uk, as the UK seems to have tidied 
up its DNS management quite nicely in recent years.

Also during recent event it has struck me that the hierarchy of servers 
involved in providing DNS services is quite small, and has quite different 
characteristics to the other records in the DNS. I'm beginning to wonder if 
having the scaffolding in the protocol itself is the right way, but that is a 
debate that has raged before, and is off topic here.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]