How the heck has it been 40 years already? The ‘80s were just 20 years ago, right?
Why is it that the ‘80s always seem to be 20 years ago?
But it’s true. November marks the Domain Name System’s 40th birthday. It’s officially middle-aged. Middle-aged for a person, that is. It’s downright ancient for an Internet protocol.
Truthfully, I haven’t been involved in DNS since the very beginning. I fell into DNS in the late ‘80s—‘87 or ‘88, I think—after my carpool-mate John had a family emergency and couldn’t attend a class in San Francisco that turned out to be about DNS, and I went in his place. Paul Mockapetris, the inventor of DNS himself, taught that class. He was funny and engaging and I was hooked.
I’ve had the tremendous good fortune to work with many other shining stars of the DNS community over the course of my career (though it is, admittedly, a relatively small gang). And I’m happy to say that DNS folks tend to be a friendly, high-functioning—and of course intelligent—group. I feel proud to call many of them friends.
But enough of that. If you’ll forgive an old (or older?) man a little reminiscing, let’s look back on those 40 years of DNS’s history and think about its future.
DNS History at a Glance
|1983||DNS’s 40th birthday dates to the publication of Request for Comments (RFCs) 882 and 883. These RFCs, both published in November 1983, established the foundation of DNS.|
|1984||The BIND DNS server was also developed in the early 80s. BIND is a (maybe somewhat forced?) acronym for Berkeley Internet Name Domain, which first appeared in a published paper in 1984. As its name suggests, it was originally developed at UC Berkeley (Go Bears!) as a graduate student project. Over time, BIND’s development moved from Berkeley to Digital Equipment Corporation (DEC) to the newly formed Internet Software Consortium, now the Internet Systems Consortium. In the process, BIND became the most popular open source DNS server.1|
|1992||In September 1992, the first edition of “DNS and BIND” was released. There was much rejoicing!|
|1996||With the release of Windows NT 4.0, Microsoft introduced the Microsoft DNS Server.|
|1997||Eugene Kashpureff launched the first DNS cache poisoning attack against the InterNIC’s website.|
|1999||Infoblox was founded! We initially sold hardware appliances to support DNS and DHCP.|
|2000||With the release of Windows 2000 and Active Directory, Microsoft decided to use DNS as a location broker. AD clients locate Domain Controllers by sending DNS queries. Microsoft also incorporated setting up a Microsoft DNS Server part of the Active Directory setup wizard, leading to the (sometimes unwitting) configuration of many Microsoft DNS Servers.|
|2008||Dan Kaminsky discovered his eponymous cache poisoning attack.2 This was a systemic vulnerability in the design of DNS, not in any particular implementation, but fortunately Dan alerted the DNS community before the vulnerability became public and gave us time to address it.|
|2010||Paul Vixie and Vernon Schryver developed Response Policy Zones, (finally) giving DNS servers the ability to detect and deny queries for known malicious or suspicious domain names.|
|2015||Kubernetes was released. A container orchestration system spun out of Google, Kubernetes quickly became dominant, with support on all major public clouds.|
|2016||The Mirai botnet was used to launch a massive distributed denial of service attack against the authoritative DNS servers run by Dyn, a major DNS hosting company. The resulting hours-long outage highlighted the need for resiliency [not sure that’s the word I want] in authoritative DNS infrastructure.|
|2018||RFC 8484 was released, describing DNS over HTTPS, or “DoH” for short. Along with its sister protocol, DNS over TLS, or DoT, DoH addresses a long-standing vulnerability in DNS: its “last mile,” or communications between stub resolvers and recursive DNS servers. DoH was rapidly adopted by the Mozilla Foundation in Firefox and by Google in Chrome.|
What does the future hold for DNS? For example, every so often, I’m asked whether DNS could be replaced by another technology—a DNSv2, if you will. First, let me say that I honestly never expected DNS to be going strong 40 years later. But I think replacing DNS any time soon is unlikely: It’s now ubiquitous. There are literally millions of DNS servers on the Internet and many times that behind firewalls, on corporate networks. And there are billions of devices that “speak” DNS: They send DNS queries and interpret DNS responses. Replacing DNS would require moving a tremendous amount of earth, updating all these devices to speak a new protocol.
And I’m very excited about DNS’s prospects as a tool for good. It’s only relatively recently in DNS’s lifetime that Paul Vixie and Vernon Schryver came up with the idea of Response Policy Zones, which let us turn DNS servers into remarkably effective tools in combating threats including phishing, malware and more. Coupled with Passive DNS, developed by Florian Weimer as a method of distilling DNS telemetry so that it can be collected and analyzed, DNS can now provide unparalleled visibility into what’s happening on a network—on-premises or in the cloud—and near-universal protection from a wide range of threats.
So here’s to my dear, old friend DNS on its birthday! Thank you so much for all you’ve given me, and I wish you many happy returns!
- Please see https://www.isc.org/bindhistory/ for ISC’s history of BIND.
- What is it with cache poisoning attacks and people whose last names start with K? There’s even one more: Amit Klein, who discovered flaws in BIND’s randomization routines that made it susceptible to cache poisoning.