March 23: On March 11, Apple's iTunes Store, App Store, and several other online services suffered a global outage that lasted an incredible 11 hours, which Apple said was caused by an internal DNS system error. The incident led to a sharp fall of 1.82% in Apple's share price and a drop of more than $13 billion in total market capitalisation.
The recent run of major Internet security incidents, both at home and abroad, seems to point to the same keyword: DNS. The field has attracted fresh attention and for a while became the hottest topic, with domestic industry experts unanimously declaring that building up the security of China's domain name system is urgent. Let's hear what Zhihijie, deputy director of the Internet Domain Name System Beijing Engineering Research Center (ZDNS) and deputy general manager of the network company, has to say.
Overall development and problems of the domain name system
Looking at the current state of China's domain name infrastructure, statistics show that as of last June there were 2.73 million domestic websites and a total of 19.15 million domain names. According to monitoring data from the Domain Name Engineering Center, China has 880,841 domain name servers in total, including 96,786 authoritative domain name servers and 784,055 recursive domain name servers.
Of these, domain names whose service security level is rated "safe" account for only one-fourth of the total, "hidden dangers" for about one-third, and "more dangerous" for up to 43%. The security of financial network infrastructure gives no grounds for optimism. The monitoring data point to the main causes: too few domain name server nodes, domain name settings that do not conform to technical standards, and so on; measures to prepare for the coming next-generation Internet are also lacking. Behind these figures lie a shortage of professional competence among domain name technicians, insufficient importance attached to domain name security, and weak security awareness. Zhihijie said that the common problems in this area fall into three categories:
1. Domain name service providers offer users free domain name services, but this kind of service comes with no guarantees: one server may host hundreds of thousands of domain names at the same time, and once one of them is attacked, all the others are affected.
2. Enterprises build their own DNS systems, which end up paralysed because they lack disaster-recovery measures or even because of data management and configuration errors.
3. Hosting with a professional domain name service company. This is already a major trend abroad; compared with building one's own system it offers higher security, and providers such as ZDNS have become the future direction of development.
Threats and risks to the domain name system
Zhihijie said the problem can be divided into three aspects: first, network attacks from hackers; second, the security and stability of an enterprise's internal DNS; third, internal management and use.
1) Domain name registration carries the risk of hijacking. Take the recent Google incident as an example: the nameservers of Google's domain (google.com.vn) were tampered with, so that subsequent DNS queries for the domain were maliciously redirected. Although Google's own domain name service is run very well, the domain was attacked at the registrar, which left the Google domain inaccessible.
2) The second level is failure of an enterprise's own DNS system, as in the recent Apple incident, in which online services such as the App Store, iTunes Store, Mac App Store and iBooks Store all went down. The interruption lasted an unthinkable 11 hours, and Apple said the cause was an internal DNS (Domain Name System) error. In addition, its iCloud Mail and iCloud Account & Sign In services were affected around 9 o'clock (21:00) US Eastern Time. According to the timeline provided on Apple's website, the other services went down at 5 o'clock (17:00) US Eastern Time.
This shows that, as DNS is the initial entry point for Internet applications, these applications will not be accessible if there is a problem with DNS.
3) Internal management and use, such as data configuration errors that leave data inconsistent. The biggest problem with domain name services is that, because DNS is a distributed system, a DNS problem has a very large impact. Because of the TTL (time to live) and the caches present at various levels in the various DNS systems, once a problem occurs in the DNS system it persists until the resource record's TTL has expired in every level of cache. That is why Apple's services took 11 hours to recover completely.
As the above shows, whether the cause is an external hacker attack or an internal problem, a DNS failure inevitably brings serious losses to the enterprise.
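The cache behaviour described above can be reproduced with a toy model. This is an added example, not part of the original article: the class names, the name `svc.example`, the timings and the `min_ttl` floor (an assumed local cache policy) are all constructed for illustration.

```python
# Added example: toy model of layered DNS caches (not a real resolver).
from dataclasses import dataclass, field

@dataclass
class Authoritative:
    ttl: int        # TTL published with the record, in seconds
    fixed_at: int   # time at which the operator corrects the bad record
    def resolve(self, name, now):
        value = "BAD" if now < self.fixed_at else "GOOD"
        return value, self.ttl

@dataclass
class Cache:
    upstream: object
    min_ttl: int = 0   # assumed local policy: floor applied to received TTLs
    store: dict = field(default_factory=dict)
    def resolve(self, name, now):
        hit = self.store.get(name)
        if hit and hit[1] > now:          # entry still fresh: serve from cache
            return hit[0], hit[1] - now   # hand down only the remaining TTL
        value, ttl = self.upstream.resolve(name, now)
        ttl = max(ttl, self.min_ttl)
        self.store[name] = (value, now + ttl)
        return value, ttl

def last_bad_answer(resolver, name, query_times):
    """Last query time at which the resolver still answered with bad data."""
    last = None
    for t in query_times:
        if resolver.resolve(name, t)[0] == "BAD":
            last = t
    return last

def simulate(forwarder_min_ttl):
    # Constructed scenario: bad record published at t=0, corrected at t=600.
    auth = Authoritative(ttl=3600, fixed_at=600)
    recursive = Cache(upstream=auth)
    forwarder = Cache(upstream=recursive, min_ttl=forwarder_min_ttl)
    recursive.resolve("svc.example", 0)   # recursive layer caches BAD at t=0
    # Clients behind the forwarder query every 100 s starting at t=500.
    return last_bad_answer(forwarder, "svc.example", range(500, 12000, 100))

if __name__ == "__main__":
    print("TTL honoured end to end:", simulate(0))      # bad until t=3500
    print("forwarder floors TTL   :", simulate(7200))   # bad until t=7600
```

Although the record is corrected at t=600, clients keep receiving the bad answer for the rest of the cached TTL, and a single layer that extends TTLs prolongs the outage for everyone behind it.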
Security of data
To keep the domain name system running normally, users generally work with several server operators at the same time, and big data is now applied in many fields. On information security in this area, he said that DNS front-end data is information meant for users to query; it is the user's access portal. This does not in itself involve disclosure of information, but because DNS can see the access patterns of users in different regions, enterprises need to strengthen their awareness of protection: do not hand data to a third party casually, but have it hosted by a professional domain name service provider.
Are domain names still important in the mobile Internet age?
On this point Zhihijie emphasised a few concepts. The first is the question of whether domain names still have value in the mobile Internet age, when everyone uses a mobile phone. Many people consider this and conclude that domain names seem to have no value and are no longer needed. That is a misunderstanding. The domain name service has two aspects. Even if users see no domain name behind an app and feel that the app has replaced the domain name service, the domain name service is in fact the service that resolves a domain name into an IP address. Take the Apple incident as an example: the impact was not only that Apple's official website could not be opened, but that its entire set of mobile services could not be used. The domain name is a basic service of the Internet, and its role as the portal is the same on the mobile Internet as on the traditional Internet. When we use an app we are still accessing the relevant domain names; they are simply not entered by hand but handled by the system in the background. The domain name service's role as the portal, as a basic service and as the central nervous system of the Internet will not change because of the mobile Internet. He hopes everyone understands this; the idea that the domain name service is unimportant is wrong.
Second, a domain name has another attribute, its brand attribute. Recent events that have drawn attention include many enterprises buying domain names: 360 spent almost 100 million yuan to buy 360.com, Xiaomi spent more than 20 million on the xiaomi.com and mi.com domain names, and some time ago Google paid more than 25 million dollars for the top-level domain .app. These big Internet companies pay special attention to domain names because they value the importance of the domain name to the brand.
The Internet is now seeing a new change: alongside traditional domain names such as .com, .cn and .net, new generic top-level domains have appeared, and enterprises can apply for their own top-level domain; for example, CITIC applied for .citic. Such a new top-level domain offers higher security and a more obvious brand attribute: the enterprise controls it itself, the risk of the domain being hijacked is smaller, and the brand is more meaningful to the enterprise. This is something enterprises need to consider and should pay attention to.