Cricket on DNS
The latest on DNS Security, DNSSEC, IP Address Management... and more
It's an unfortunate fact of life that name servers are exploited by malware. Malware queries name servers to map the domain names that identify their command and control channel to IP addresses. Malware uses DNS as a channel over which to transmit new code. And some malware targets name servers with distributed denial of service attacks.
The latest versions of BIND, however, enable DNS administrators to turn the tables on malware.
I remember years ago, Infoblox hired our first real IT guy (my friend Nate Campi). Not long afterward, Nate tightened up our firewall rules, and voilà, I could no longer query name servers on the Internet directly. I bristled at this, and asked Nate his rationale for cutting off our access. We couldn't run dig and nslookup from our clients anymore!
Back in October 2010, I posted Whither DNSSEC? which speculated on DNSSEC's second act. If the Internet had a fully DNSSEC-secured namespace, we could add email authorization data and SSH fingerprints to DNS. Two commenters, Chris Angelico and John Speno, suggested storing web site certificates and certs for signing applets in DNS, too.
