February 07, 2001, 4:57 PM — THE TROUBLES MICROSOFT experienced with its Web sites last week show that the DNS is a weak link in Internet infrastructure. Large corporations worry about distribution of Web site content, but forget about DNS, according to a specialized Icelandic company.
DNS software and consultancy firm Men & Mice over the weekend checked the Web site setup of 978 of the Fortune 1000 companies. "The results surprise us: Twenty-five percent have a bad setup," said Men & Mice CEO Petur Petursson.
A survey of 5,000 random sites in the dot-com domain -- sites with URLs ending with .com -- showed that about 38 percent had a shaky DNS configuration.
Software giant Microsoft last week paid the price for a poor DNS configuration when many of its online properties were inaccessible, first because a technician made a costly mistake configuring a router and then, a day later, because of a DoS (denial of service) attack, Microsoft said after the blackouts.
Microsoft made itself vulnerable to attacks and outages by setting up its four DNS servers in one subnet, said Petursson. "It is not wise to put all name servers in one subnet. It can go down for various reasons; a network cable could be cut, there could be an attack, or a human error -- like a misconfigured router -- can cause an outage."
A subnet, short for subnetwork, is a separate part of an organization's network. Typically, a subnet represents all systems connected in one location. Microsoft runs its four DNS servers in the same subnet, Men & Mice said.
Petursson explained, "If Microsoft had had a fifth DNS server outside its network and the four went out, traffic would automatically go to the fifth one. People would still be able to visit Microsoft's sites, with possibly some minor delays."
"All companies of that size [Fortune 1000] spend huge amounts of money to distribute load and content, but forget about DNS," Petursson said. "Sadly, DNS is not secure enough, it's a threat. We don't really have a good solution."
Petursson did note that a standardization process is under way for so-called Secure DNS. "But this will take at least one more year," he said.
DNS servers translate domain names, such as Microsoft.com, into IP addresses. The IP addresses are used to locate servers on a network. When the DNS goes down, locations on the network can no longer be found using the Web addresses.
"It's only a minor effort to distribute DNS servers. Most companies do it, everybody should do it. Internet service providers can take care of it for a small fee, as DNS does not require a lot of bandwidth," Petursson said.
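The single-subnet setup described above, and the effect of adding a fifth server outside the network, can be checked mechanically once a domain's name server addresses are known. The Python below is an added example, not code from Men & Mice or the original article; the /24 and /48 grouping, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the article gives no prefix length, so servers are grouped
# by /24 (IPv4) and /48 (IPv6) as a stand-in for "one subnet".
PREFIX = {4: 24, 6: 48}

def subnet_of(addr):
    """Return the enclosing network of addr at the assumed prefix length."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{ip}/{PREFIX[ip.version]}", strict=False)

def audit_nameservers(ns_addrs):
    """Group name servers by subnet, per address family.

    ns_addrs maps a name server hostname to its list of addresses.
    Returns {family: {"subnets": {network: [hosts]}, "single_subnet": bool}}.
    """
    families = defaultdict(lambda: defaultdict(set))
    for host, addrs in ns_addrs.items():
        for addr in addrs:
            net = subnet_of(addr)
            families[net.version][net].add(host)
    report = {}
    for version, nets in families.items():
        report[version] = {
            "subnets": {str(n): sorted(h) for n, h in nets.items()},
            # One subnet: a single cable cut or router error removes them all.
            "single_subnet": len(nets) == 1,
        }
    return report

# Constructed sample data (documentation address ranges, not real servers).
ALL_IN_ONE = {
    "ns1.example.com": ["192.0.2.10"],
    "ns2.example.com": ["192.0.2.11"],
    "ns3.example.com": ["192.0.2.12"],
    "ns4.example.com": ["192.0.2.13"],
}
# The same zone after adding a fifth server outside the network.
WITH_OFFSITE = dict(ALL_IN_ONE, **{"ns5.example.net": ["198.51.100.53"]})

if __name__ == "__main__":
    for label, zone in (("before", ALL_IN_ONE), ("after", WITH_OFFSITE)):
        for version, info in audit_nameservers(zone).items():
            status = "SINGLE SUBNET" if info["single_subnet"] else "distributed"
            print(f"{label} IPv{version}: {status} {info['subnets']}")
```

In practice the address lists would come from the zone's NS records and their A/AAAA lookups; a prefix-based grouping cannot see two subnets that share one physical site or upstream link, so it is a lower bound on the real exposure.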