sponsored

Security Insider Interview Series: Rodney Joffe, Senior Vice President, Senior Technologist, and Fellow at Neustar

In its current state, the Internet is not sustainable. It will require significant reengineering. Neustar’s Senior Vice President, Senior Technologist, and Fellow Rodney Joffe has some ideas about how to proceed.



What are some of the flaws in the current Internet architecture and how would you propose reengineering those?

The fundamental problem is we never designed an infrastructure that provides for end-to-end responsibility and authentication. [The Internet] was designed to be a self-regulating, autonomous, and to some extent anonymous infrastructure. That has led to abuse, and now it’s difficult to solve those problems. There’s no authority or authentication, so how do you build onto that? It’s like trying to change the tires on a bus doing 60 mph. So, we’re looking for ways to retrofit that capability.

How can something like DNS Shield help with these reengineering efforts?

DNS Shield solves the problem along a more traditional path. Instead of having DNS servers on the public Internet, we can now put them inside the network and have that end-to-end trust. That’s moving toward the model of end-to-end authentication. It’s also building that alternative Internet—changing the wheels on that bus going 60 mph. This is the beginning—creating a private interconnect between me and the company. It’s an initial run at being able to protect what we have.

What should organizations consider when they configure and operate their DNS?

Number one is you should not run a recursive server and authoritative server on the same machine. The recursive DNS needs to be inward facing. You don’t want people on the outside having access, so you want your recursive DNS behind a firewall. The authoritative server serves the public Internet, so that needs to be outside the firewall.

Number two is you should have some sort of rate limiting on recursive servers so if someone does use it for a DDoS attack, you can identify and stop it before it does too much damage. The philosophy behind DNS is really simple, but it’s actually a complicated protocol. And bad guys are using more modern tools to effectively identify and exploit vulnerabilities. You have to keep on top of that.
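The split described in the two points above, as an added example that is not part of the interview or any Neustar product: three BIND 9 named.conf fragments, each meant for its own server, with the weak single-server setup beside the corrected pair. The network ranges and the zone name are constructed placeholders.

```conf
# Added example (not from the interview or Neustar). Three separate
# named.conf files; addresses and "example.com" are placeholders.

# === File A. Weak: one server is both open resolver and authoritative ===
options {
    recursion yes;
    allow-query { any; };       # anyone on the Internet can recurse through us
};
zone "example.com" { type master; file "db.example.com"; };

# === File B. Corrected, server 1: inward-facing recursive resolver ===
# Runs behind the firewall; only internal clients may query or recurse.
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };
options {
    recursion yes;
    allow-query       { internal; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };
    recursive-clients 1000;     # bound concurrent recursion during a flood
    rate-limit {                # cap identical responses per client /24
        responses-per-second 10;
        window 5;
    };
};

# === File C. Corrected, server 2: public authoritative server ===
# Sits outside the firewall, answers only for its own zones, never recurses.
options {
    recursion no;
    allow-query    { any; };
    allow-transfer { none; };   # add explicit secondaries here, not "any"
    rate-limit {                # response rate limiting against reflection
        responses-per-second 10;
        window 5;
        slip 2;                 # every 2nd limited answer sent truncated (TC=1)
    };
};
zone "example.com" { type master; file "db.example.com"; };
```

After loading either corrected file, `named-checkconf` validates the syntax, and a query for an external name sent to server 2 should be refused rather than resolved.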

What are some best practices for deploying and configuring DNS Shield?

The best way is to have two or more DNS Shield nodes within your network. The reason for that is if the first DNS Shield node fails, you have a second. Chances are both aren’t going to go down together. So, we insist a company has two DNS Shield nodes.

And make sure only your DNS Shield node can reach your recursive servers, not your network users. Then if someone launches a DDoS attack, it would only affect public nodes, not the private nodes. From a philosophical point of view, when someone is trying to launch a DDoS attack, they attack the DNS infrastructure. When they continue to see target companies still able to operate, they start to realize this is not a winning tactic. If they’re not shutting it down, they tend to move on and look for another target, so it has strategic value as well.
