The Domain Name System was originally used as the Internet’s naming service; that much isn’t contentious. Over the years, though, clever people have found all sorts of new applications for DNS. DNS’s ubiquity, distributed management and (relatively) easy extensibility made it an obvious target for new uses, including blacklists of various types, storage of email authentication and authorization data, and more. Much more.
One of these novel applications of DNS is its use to enhance client security. David Ulevitch and his gang at OpenDNS are pioneers in this area: Their service can restrict access to content by domain name, so that if one of your employees or students tries to visit http://www.hotmamas.com/, they’re directed to a page that says, in effect, “tsk, tsk, no you don’t.” (Note to Infoblox IT: I loaded that URL solely to make sure I wasn’t leading users somewhere unsavory; please don’t have me fired.) Or if malware on your computer tries to surreptitiously resolve the domain name of its command-and-control channel to an IP address to ask SMERSH headquarters for orders, OpenDNS can prevent it and alert you or the administrator of your network that your computer has been infected. Very handy.
Some DNS purists, however, argue that this is a perversion of DNS’s mission. DNS, they argue, is a naming system, and the wrong place to implement policy. Leave it to firewalls and proxies and such to make those decisions. Besides, they’d say, using DNS to enforce security policies doesn’t provide the necessary granularity of control. You can only say yea or nay to an entire domain name, no matter how many web pages are offered by the server with that domain name.
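As an added illustration (not code from this post or from OpenDNS), here is a minimal resolver-side policy check of the kind described above: it blocks by domain name with suffix matching, sinkholes known command-and-control names and flags the querying client as possibly infected, and, as the purists point out, it sees only the domain name, never the URL path. The domain names and the sinkhole address are constructed placeholders.

```python
# Added example: a minimal DNS policy filter in the spirit of the OpenDNS
# service described above. Decisions are made on the queried name only;
# the resolver never sees a URL path, so it cannot allow one page and
# block another on the same host. All names below are constructed.
import logging
from dataclasses import dataclass
from typing import Optional, Set

SINKHOLE = "192.0.2.1"                    # RFC 5737 documentation address (placeholder)
BLOCK_CONTENT = {"example-adult.test"}    # category filtering (constructed)
BLOCK_MALWARE = {"c2.malware.test"}       # known command-and-control (constructed)

@dataclass
class Decision:
    allowed: bool
    answer: Optional[str]   # address to hand back, or None to resolve normally
    reason: str

def _matches(qname: str, blocklist: Set[str]) -> bool:
    """Label-wise suffix match: blocking example.test also blocks www.example.test,
    but not example.test.com (a substring match would wrongly catch that)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def policy(qname: str, client: str,
           log: logging.Logger = logging.getLogger("dnspolicy")) -> Decision:
    """Evaluate one query. A malware hit is also an alert: the querying
    client is the machine most likely to be infected."""
    if _matches(qname, BLOCK_MALWARE):
        log.warning("possible infection: %s queried %s", client, qname)
        return Decision(False, SINKHOLE, "malware")
    if _matches(qname, BLOCK_CONTENT):
        return Decision(False, SINKHOLE, "content")
    return Decision(True, None, "ok")

if __name__ == "__main__":
    for q in ("www.example-adult.test.", "beacon.c2.malware.test", "www.example.com"):
        print(q, policy(q, "10.0.0.7"))
```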
Honestly, I can see their point: In an ideal world, some piece of security infrastructure would be responsible for implementing security policy (duh) and the naming service would be left to return information without regard to policy. But the pragmatist in me knows how many organizations can’t afford that expensive security infrastructure and wouldn’t have the manpower or expertise to administer it even if they could. It’s no good to simply leave those folks to the wolves while those of us who work for organizations that can afford commercial security products sleep soundly inside our gated Internet subdivision. DNS, it turns out, can be a cheap, effective place to enforce security policy and, like it or not, folks are going to use it to do that.
I’m interested in hearing your opinion, too. Do you think we ought to leave DNS alone, or is it okay to adapt it to add capabilities that the founding fathers might never have envisioned?