Afilias Secures Millions of Domains from BIND 9 Flaw

(WEB HOST INDUSTRY REVIEW) — Posing a threat to domain name servers, a recently discovered BIND 9 fault has been addressed by Internet infrastructure services provider Afilias (www.afilias.info), whose DNS network, which supports approximately 10 percent of the Internet’s domain names, is secure from the denial of service attacks made possible by the vulnerability.

The Internet Systems Consortium’s (www.isc.org) Berkeley Internet Name Domain (or BIND) is a popular DNS implementation that includes support for dynamic DNS updates as specified. According to an ISC advisory issued Tuesday, BIND 9 can crash when processing a specially-crafted dynamic update packet. The organization also notes that it can affect all master servers for one or more zones, and may even affect servers not configured to allow dynamic updates.

Afilias’ network and customers are protected by its DNS diversity strategy, which avoids single points of failure like sole reliance on a single DNS resolution software such as BIND.

“Afilias has a fundamental security strategy in place across our DNS operations that integrates diversity at every layer of our infrastructure,” Afilias executive vice president and chief technology officer Ram Mohan said in a statement. “Most critical to this strategy is ensuring diversity in DNS software. An organization can build bigger hardware or expand its geographic footprint, but by running a single type of DNS software, whether open source or proprietary, they will always be completely vulnerable to zero day exploits like the one revealed this week with BIND.”

Afilias’ DNS network runs both BIND and NSD, two popular open-source DNS resolution software packages. Running both synchronously lets Afilias simply remove one from production while it is patched or upgraded, ensuring seamless DNS resolution without the loss of uptime. The same cannot be said of systems using a single flavor of software.

“Afilias supports large scale domains like .INFO and .ORG as well as our Managed DNS business, and serves billions of queries daily,” Mohan said. “Our DNS diversity strategy ensures that our network was never in jeopardy, and that the 15 million domain names we are responsible for were always accessible online.”

Being at the forefront of domain security has meant constant innovation and cooperation with governments and organizations. Last month, Afilias signed the .org zone with DNS extensions for the Public Interest Registry (www.pir.org), the company behind the .org top-level domain name, effectively making it the first open TLD to fight DNS hijacking using DNSSEC.

In late April, Brian Cute, vice president of Afilias’ discovery services division, was named to the National Telecommunications and Information Administration’s Online Safety and Technology Working Group, established by the US government’s “Protecting Children in the 21st Century Act,” in order to promote online safety through different educational efforts.

Afilias also joined the Messaging Anti-Abuse Working Group (www.maawg.org) as part of its ongoing domain name anti-abuse efforts, making it the first domain name registry operator to become a member organization.
