by Mark Leon

Words of wisdom from the father of DNS

analysis
Jun 6, 2005

Paul Mockapetris talks about the state of DNS

When Paul Mockapetris invented DNS back in 1983, the Internet was the sleepy domain of university researchers and the military, hardly the sprawling engine of commerce and communication that it has become.

In those early days, says Mockapetris, security was a concern but not a pressing one. “DNS is kind of like a phone book for the Internet,” he explains. “Back in those days it was one small phone book. We wrote it in a totally different kind of environment. We did think about security, but it was something we thought we could always add later.”

Ten years ago the IETF finally came up with a comprehensive security standard, DNSSEC (DNS Security Extensions). But many operators feel that DNSSEC is too complex to be a practical solution. Meanwhile, DNS has grown from a small phone book to a massive directory spread across countless servers around the world.

And hackers have discovered it. “The most vulnerable DNS servers are the ones that straddle the boundary between intranet and Internet,” Mockapetris explains. “BIND servers are susceptible to eating the poison pill, accepting bad data.”

Pharming, Mockapetris says, has the potential to evolve into even more sinister forms. “Imagine a pharm scheme that manages to steal a few thousand accounts and passwords from a brokerage house. The hackers could take a large position in a security and then use the account numbers to move the stock just enough to make a substantial sum.”

Mockapetris is currently chief scientist and chairman of Nominum, a 7-year-old software company that develops DNS server software. “We baked security into our DNS servers from the start,” he says, describing Nominum DNS as “carrier-grade.” Indeed, Nominum boasts British Telecom, Telefonica, and Telekom Malaysia as customers.

But most administrators run BIND, what Mockapetris calls the “Swiss army knife” of DNS. “Too often DNS is seen as something that is just there, running on old equipment. Part of making it more secure is to realize it is a fundamental part of your network infrastructure.”

And what about the fate of the DNSSEC standard? Mockapetris acknowledges that DNSSEC’s complexity will prevent it from seeing widespread adoption anytime soon. But he adds this afterthought: “Maybe after we see our first billion-dollar Internet fraud people won’t think DNSSEC such a bad deal after all.”