CloudfloorDNS Blog

08-06-2015 – Don’t get yourself in a BIND with your DNS

By: Eric McIntyre, Sr. Director of DNS Business Development at CloudfloorDNS

BIND is the world’s most popular DNS server – serving a large portion of the Internet due to its open source model and free distribution. This DNS software is a wonderful benefit for the Internet community, but also something that requires care and affection.

Just last week, a major flaw (CVE-2015-5477) was discovered in BIND DNS Version 9.X that could allow a single lone wolf attacker (an Internet “bad guy”) to take down a large number of domain entities across the Internet with an easy-to-execute malformed query. All it takes is a push of the button and your domain and all of your online resources could become virtually crippled.

Fortunately, CloudfloorDNS uses a proprietary DNS system that is not vulnerable to these BIND attacks/exploits.

This story isn’t about BIND per se – it’s about using DNS smarter so that you don’t place your organization at risk. How so? It’s simple. There are two options. One, use an Authoritative DNS Provider that isn’t susceptible to the same risks that some open source software can present. Two, add a non-open-source Authoritative DNS Provider to your delegation alongside your existing provider, which may use open source Name Server software. Having dual Authoritative DNS providers will mitigate risk by not allowing your Internet presence to be threatened by open source vulnerabilities, and it also offers additional geographic redundancy. This may sound over the top, but if your business relies on a single organization that uses open source software only, and they get hit with a vulnerability attack as described above, your company and your online business simply go offline. Not only your website, but your entire online entity will go down in flames. It’s just as bad as allowing your domain name to expire.
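A quick way to see whether a delegation depends on a single provider, as an added example (not CloudfloorDNS code): it parses constructed `dig +noall +answer NS` output and groups the name servers by operator. The zone names, the provider names and the last-two-labels grouping heuristic are assumptions.

```python
# Added example: audit an NS delegation for single-provider dependence.
# Input is constructed `dig +noall +answer NS <zone>` text; no network access needed.
from collections import defaultdict

# Constructed sample answers (zones and name server hosts are placeholders).
SINGLE = """\
example.com.  3600 IN NS ns1.provider-a.example.
example.com.  3600 IN NS ns2.provider-a.example.
"""
DUAL = """\
example.net.  3600 IN NS ns1.provider-a.example.
example.net.  3600 IN NS ns2.provider-a.example.
example.net.  3600 IN NS dns1.provider-b.example.
example.net.  3600 IN NS dns2.provider-b.example.
"""

def parse_ns(dig_output):
    """Return the NS target hostnames from dig answer-section text."""
    hosts = []
    for line in dig_output.splitlines():
        fields = line.split()
        # Expected layout: owner TTL class type rdata; skip comments and other types.
        if len(fields) == 5 and not line.startswith(";") and fields[3].upper() == "NS":
            hosts.append(fields[4].rstrip(".").lower())
    return hosts

def group_by_provider(hosts, labels=2):
    """Group name servers by their last `labels` labels.

    Assumption: that suffix identifies the operator. It is a heuristic; use
    labels=3 for suffixes such as co.uk, and note vanity NS names hide the operator.
    """
    groups = defaultdict(list)
    for host in hosts:
        groups[".".join(host.split(".")[-labels:])].append(host)
    return dict(groups)

def audit(dig_output, labels=2):
    """Report the distinct operators and whether the zone relies on fewer than two."""
    groups = group_by_provider(parse_ns(dig_output), labels)
    return {"providers": sorted(groups), "single_provider": len(groups) < 2}

if __name__ == "__main__":
    for name, sample in (("SINGLE", SINGLE), ("DUAL", DUAL)):
        print(name, audit(sample))
```

Two operators in the NS set do not by themselves show that they run different name server software; that still has to be confirmed with each provider.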

When it comes to DNS, thinking smarter and not waiting until a failure or attack to make those critical infrastructure decisions can save you in the long run.