IT managers cautioned over domain server setups

The U.S. government’s cybersecurity agency is urging IT managers to ensure that their domain name servers are fully redundant and dispersed at multiple locations in order to avoid potential disruptions to services such as Web browsing, remote access and e-mail.

In the December issue of a monthly publication called Highlights that’s posted on its Web site, the Washington, D.C.-based National Infrastructure Protection Center (NIPC) said the Domain Name System (DNS) is an often-overlooked single point of failure “presenting a risk of total loss of electronic connectivity” for users.

Domain name servers are used to translate Internet domain names from plain text into numeric IP addresses that can be read by computers. The major risk factors associated with failures of such machines are a lack of built-in redundancy, misconfigured servers and architectural flaws in the way the systems are set up on networks, according to the NIPC, which is affiliated with the FBI.

For example, the agency said many companies depend on just one domain name server to handle all Internet connectivity requests from end users.

In addition, companies that have multiple DNS servers sometimes put them all on the same network segment, the NIPC said. That could make the servers simultaneously unavailable if something happened to the network segment.

Microsoft Corp. learned that lesson in January when a faulty configuration change on a router and a series of denial-of-service attacks cut off access to its DNS servers, which were all housed on one section of the company’s network. Most Microsoft Web sites were unavailable for parts of several days.

A surprisingly large number of U.S. companies make such mistakes, the NIPC said, citing data from Men & Mice, a Reykjavik, Iceland-based research and consulting firm that specializes in DNS issues.

In a survey conducted in late September, Men & Mice discovered that as many as 250 of the Fortune 1,000 companies had all of their domain name servers on the same subnet, said Jon Adalsteinsson, the consulting firm’s chairman.

“Companies have redundant Web servers and (round-the-clock) monitoring and on-call service, but they forget about the DNS servers that control access to all of this,” he said. “If the DNS goes down, all of the other redundancy doesn’t even come into play.”
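A quick way to audit a zone for the two failure modes the NIPC describes (a single name server, or every name server on one network segment, approximated here as one IPv4 /24). This is an added example, not code from the article, the NIPC or Men & Mice; the zone names, host names and addresses are constructed, and an auditor would feed in the addresses obtained from the zone's NS records.

```python
"""Flag DNS single points of failure: one name server only, or all
name servers on the same network segment (here, the same IPv4 /24).
Added example; the sample zones below are constructed test data."""
import ipaddress
from typing import Dict, List


def segment_of(addr: str) -> str:
    """Return the /24 network containing addr, a stand-in for 'subnet'."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def assess_ns(name_servers: Dict[str, str]) -> Dict[str, object]:
    """name_servers maps NS hostname -> IPv4 address (as resolved by the auditor).
    Returns server count, the distinct /24 segments, and a list of findings."""
    segments = {host: segment_of(ip) for host, ip in name_servers.items()}
    distinct = sorted(set(segments.values()))
    findings: List[str] = []
    if len(name_servers) < 2:
        findings.append("single name server: no redundancy")
    elif len(distinct) == 1:
        findings.append(f"all {len(name_servers)} name servers share segment {distinct[0]}")
    return {"servers": len(name_servers), "segments": distinct, "findings": findings}


# Constructed sample zones; addresses are from documentation ranges, not real hosts.
SAMPLES = {
    "one-server.example": {"ns1.one-server.example": "192.0.2.10"},
    "same-subnet.example": {
        "ns1.same-subnet.example": "192.0.2.10",
        "ns2.same-subnet.example": "192.0.2.11",
        "ns3.same-subnet.example": "192.0.2.12",
    },
    "dispersed.example": {
        "ns1.dispersed.example": "192.0.2.10",
        "ns2.dispersed.example": "198.51.100.20",
    },
}


def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, Dict[str, object]]:
    """Run assess_ns over every zone and return the per-zone results."""
    return {zone: assess_ns(ns) for zone, ns in samples.items()}


if __name__ == "__main__":
    for zone, result in audit().items():
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"{zone}: {result['servers']} NS, segments={result['segments']} -> {status}")
```

Only the dispersed zone passes; the other two reproduce the single-server and same-subnet configurations the article says the survey found.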