Gaffe gaffe.
Not being a spelling nazi, and hoping the grammar gremlins don't (k?)nobble me, but is a gaffe in spelling gaffe recursive?
The unavailability of the US National Security Agency website on Thursday has been linked to misconfigured DNS (Domain Name System) servers. Surfers were unable to reach NSA.gov from about 0700 on Thursday because systems used to translate web addresses humans understand to machine-readable IP addresses were playing up, …
Sorry but I don't see what the problem should be here. I mean, if anyone can find your website then it can't be very secure, can it?
But the idea that the Agency responsible for teaching others how to protect their own systems (and supposedly responsible for the protection of the whole US of A) manages to fall foul of this particular gremlin does show that they are human, after all...
Hey, is that the local news ship hovering outside my window? Nah, they've got a colorful Jetranger and not some funny shadowy thing with a man in sunglasses waving a little silver sti...
What was I saying?
"systems used to translate web addresses humans understand to machine-readable IP addresses were playing up"
Surely you don't have to explain what DNS does to us whenever it's mentioned in an article.
(Can we have a "The Friday Lunchtime Ale has made me want to vent my anger"?)
"For one thing, a web server was run on the same machine (or at least same IP address) as one of the authoritative name server for nsa.gov. Secondly the primary and secondary authoritative name servers are both downstream from the same Qwest edge access router in Washington DC, instead of being properly separated."
The first is fine - you can run an http server on a DNS machine if you like.
And can you share an IP with another machine? I don't think so, not really: say the DNS is running behind a NAT; the external IP would be the same, but the actual final IP numbers would be different.
The second, well you could argue redundancy to another continent, planet :) etc, but it is just the level of redundancy and it is not a requirement.
I agree, the NSA should probably use extra precaution, but the above is just a matter of preference, and in some instances following that advice may introduce other vulnerabilities.
And nsa.gov is just a PR area for the agency, they would be crazy to run day to day security services through that domain. This is newsworthy, in an ironic way, but I doubt much has been compromised.
"For one thing, a web server was run on the same machine (or at least same IP address) as one of the authoritative name server for nsa.gov. Secondly the primary and secondary authoritative name servers are both downstream from the same Qwest edge access router in Washington DC, instead of being properly separated."
To AC above me, best practice is to avoid running a web server (IIS I presume) and DNS on the same box as it can run into problems. Given their likely huge budget I'd be surprised if they can't afford a spare box for a web server.
Different locations for redundancy, same as others have said, only minimises chances but again, surely they have the budget to keep to best practices and not have to cut corners.
Best practice well that is debatable and that's my point.
If the website host is down, then who cares if the DNS resolves?
Sure it is something I suppose but in itself is not a security risk.
If your website is insecure then you have more to worry about than your DNS. If you are using your DNS for other mission-critical things then sure, but if it is PR and just web, again who cares; they are one and the same at that point.
And if your secondary is on a network you have less control over, then perhaps that is not as secure.
Compromise the second, DDOS the first and you have the domain. Whereas if you cannot compromise the first or second then DDOS just blocks the site, which is perhaps more preferable.
And moving the DNS to another network you have more control over, may flag the fact the NSA have control on that network.
You have to rationalize and explain the term best practice, you cannot just pull it out the air. Their setup may very well have been best practice for them.
And this human understandable to machine readable thing has crept in again - so just exactly how do virtual domains work with IP numbers when the server is listening on the same IP number then? And what is so incomprehensible to humans with the number 127.0.0.1 (it is quite memorable as well - perhaps more so than many domain names).
The domain system is more than just providing human to 'machine' IP numbers, it's an addressing system that has relation to IP :)
"Surfers were unable to reach NSA.gov..."
Er, you mean it's the sort of site that you might sort of just casually come across while browsing for pr0n, sorry, serious news articles about current affairs?
I can't help feeling that it's more the kind of site you were probably looking for. The question, of course, is why...
The sirens sound, world leaders open their black bags, take out the carefully coded and guarded papers, insert the keys, and press buttons to launch. Their screens read "Not ready reading Drive C: Abort/Retry/Ignore?"
Fear not, Government agencies are run by the same people who make decisions about emptying dustbins fortnightly.
Flocke Kroes asks:
If the DNS+http box breaks, people cannot read my web pages.
Where is the advantage to me of paying for a separate DNS box?
This is an obvious security fundamental: don't put all your eggs in one basket. Having separate boxes means if your DNS server is compromised, it doesn't compromise your web server and so on. Just like you don't use the same password for every computer you use or the same key for every door you unlock. And since web sites are usually easier to penetrate than DNS servers, running these services on the same box is unwise. DNS is far more important than web. If your DNS breaks, everything breaks - email, web surfing, IM, Bit Torrent, etc - not just your web site.
You try to run them on different machines so an attack on one doesn't impact the other.
Imagine the webserver (because that is the most likely) has a problem and hackers get into the machine. With them both on the same machine you can now change the DNS records (and let's up the TTL while you're at it) to point www.nsa.gov to somewhere else; perhaps a website using a Christmas Island domain and pictures of goats, or... whatever.
Even when they do fix it, the large TTL would mean it would point to the wrong server for a long time.
Let's see what NSA have to say about installing a web server on a machine with other services on it:
"Install IIS 5.0 on a server that is not required to support any other service."
(Page 7, Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0)
There you have it, from the authoritative source. Fundamental, really.
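A defender-side check for the weaknesses the replies above describe (a web host sharing a name server's IP, both name servers behind one network path, and an over-long TTL that would make a tampered record persist), written as an added example with constructed records; it is not code from this thread or from any real zone, and the zone name, the /24 prefix used as a proxy for "same upstream path", and the TTL ceiling are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample zone for a hypothetical domain (not any real zone's data).
# Each entry: (owner name, record type, TTL in seconds, value)
SAMPLE_ZONE = [
    ("agency.test.", "NS", 86400, "ns1.agency.test."),
    ("agency.test.", "NS", 86400, "ns2.agency.test."),
    ("ns1.agency.test.", "A", 3600, "192.0.2.10"),
    ("ns2.agency.test.", "A", 3600, "192.0.2.20"),      # same /24 as ns1
    ("www.agency.test.", "A", 604800, "192.0.2.10"),    # shares ns1's IP, 7-day TTL
]


def audit_zone(records, web_name, prefix_len=24, max_ttl=86400):
    """Return a list of finding strings; an empty list means no issue found.

    prefix_len: name servers inside one prefix of this length are treated as
                sharing a network path (assumption: a crude stand-in for
                "behind the same edge router").
    max_ttl:    A records above this TTL are flagged, since a tampered record
                with a long TTL stays cached long after the zone is repaired.
    """
    a_records = {}
    for name, rtype, ttl, value in records:
        if rtype == "A":
            a_records.setdefault(name, []).append((ttl, ip_address(value)))
    ns_names = [v for _, t, _, v in records if t == "NS"]
    ns_ips = {ip for n in ns_names for _, ip in a_records.get(n, [])}
    web_ips = {ip for _, ip in a_records.get(web_name, [])}

    findings = []
    shared = ns_ips & web_ips
    if shared:
        findings.append("web host shares an IP with a name server: "
                        + ", ".join(str(ip) for ip in sorted(shared)))
    nets = {ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ns_ips}
    if len(ns_ips) > 1 and len(nets) == 1:
        findings.append(f"all name servers sit in one /{prefix_len} "
                        f"({nets.pop()}); no network separation")
    for name, rrs in a_records.items():
        for ttl, _ in rrs:
            if ttl > max_ttl:
                findings.append(f"{name} A record TTL {ttl} exceeds max {max_ttl}")
    return findings
```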
PERSONALLY - I really appreciate the odd "in depth explanation" that accompanies many of the unnecessarily non-descriptive TLAs like DNS. (TLA BTW is a Three Letter Abbreviation - we used to "play" at them in the 1980s to wind up TGM (the group manager), DBA (database administrator) and DAD (my father) when I was a COBOL programmer, so STFU (kindly refrain from voicing another reply)).