Companies are putting their IT at risk by treating a crucial element of almost all network services - DNS - as just another part of the plumbing, claims Richard Kirk, vice president of Nominum EMEA.
"The fast-growing usage of the Internet is putting a strain on the underlying networks, and the software to worry about is DNS," he says. Almost every network application relies upon it in one way or another, and it's not just Unix-based software - even Microsoft's Active Directory uses DNS to do naming and to register clients at startup.
"Also, the management of IP devices is becoming more important, for example to do audit trails," he adds.
Yet Kirk says that many of the DNS implementations he sees have grown pretty much organically, with no overall planning. There are compatibility problems too - he encounters organisations that are running two separate DNS systems, one based on the open source Bind software for their Unix systems and another for Active Directory.
"Older Bind software doesn't support the secure updates that Active Directory needs," he says. "So you can end up with two systems to manage and two namespaces."
The big problem is not the capability of the software though, but its management and support. Kirk argues that if organisations do not allocate resources specifically to DNS maintenance, they can end up with an overloaded and fragile system at the core of their network.
"As people add applications that use DNS, they can have problems," he says. "DNS denial of service attacks are becoming more common too - a virus can do it by accident.
"A fragile DNS is OK for a Web browser that retries, but for voice over IP, it might mean no dial-tone or a connection delay - and users won't accept VoIP if it means a backwards step on availability and reliability.
"The DNS could be fragile because it's old software with unpatched vulnerabilities, because of a lack of management - a lack of spending here is worrying when you consider that nothing can work without DNS. The problem is that if it is perceived to be free, then it's seen as low value."
Kirk points out that, although Nominum engineers helped write Bind and the company still supports the application, it is different from many other open source projects in that it does not have a commercial organisation backing it up, trying to make it enterprise-standard, and guaranteeing support.
"Bind was originally a reference implementation of the standard, but people started using it as-is," he says. "Bind was designed six years ago for a different Internet."
Of course, he has a commercial axe to grind: his company now sells alternatives to Bind, in the shape of its own name servers. It also carries out DNS healthchecks for organisations, advising them on how to rebuild their DNS, or how to move from static to dynamic addressing with minimum pain.
The point is an important one though - DNS is crucial, yet too easy to ignore or get wrong. As an example, Kirk cites Microsoft going offline in 2001 thanks to DNS misconfiguration.
"In another case, replicated DNS servers were on the same network segment, so when that segment was lost to a configuration error DNS was lost too," he says. "It all comes back to DNS not being managed as intensively as the rest of the network."
He adds that DNS replication causes problems of its own. Many implementations simply use two physically separated Bind servers, but the servers cannot share the same IP address range so each needs its own self-sufficient allocation of IP addresses. That means the organisation is holding twice as many addresses as it needs.
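The single-segment failure mode Kirk describes is easy to check for as part of a DNS health check. The following is an added example, not code from the article or from Nominum; the zone name, server names and addresses are constructed sample values, and the segment sizes (/24 for IPv4, /48 for IPv6) are assumptions a real audit would tune.

```python
"""Flag authoritative name servers that share one network segment, so that
losing that segment (as in the configuration error described above) takes
the whole zone offline. Sample data is constructed so this runs offline."""
import ipaddress
from collections import defaultdict

# Constructed example: NS hostnames and their addresses (hypothetical values).
# Both servers sit in 192.0.2.0/24, i.e. the same segment.
ZONE_NS = {
    "ns1.example.test": ["192.0.2.10"],
    "ns2.example.test": ["192.0.2.11"],
}


def segment_diversity(ns_addrs, v4_prefixlen=24, v6_prefixlen=48):
    """Group name-server addresses by network segment.

    Returns (segments, findings): segments maps each segment (as a string)
    to the sorted list of server names in it; findings is a list of
    human-readable problems, empty when the zone has at least two servers
    spread over at least two segments.
    """
    segments = defaultdict(set)
    for name, addrs in ns_addrs.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            plen = v4_prefixlen if ip.version == 4 else v6_prefixlen
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            segments[str(net)].add(name)

    findings = []
    if len(ns_addrs) < 2:
        findings.append("fewer than two name servers: single point of failure")
    if ns_addrs and len(segments) < 2:
        only = next(iter(segments))
        findings.append(f"all name servers share one segment: {only}")
    return {k: sorted(v) for k, v in segments.items()}, findings


if __name__ == "__main__":
    segs, problems = segment_diversity(ZONE_NS)
    for seg, names in segs.items():
        print(f"{seg}: {', '.join(names)}")
    for p in problems:
        print("FINDING:", p)
```

Feeding the function the addresses of a zone's NS records, rather than the constructed table, turns it into a reusable check; a replica on a different segment clears the finding, a replica on the same segment does not.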
"IP addresses are now in short supply - again it's people seeing something as free when it's really not," he says.
"The question for the manager is 'Does DNS appear as a line item on your budget, and if not, why not?' People often don't see the cost of DNS, and they don't have an idea at budget level of what their people do with their time."