>>Hello, we are here On the Ground. This is theCUBE's On the Ground program at Centrify's headquarters. We go to Cricket Liu, chief DNS officer at Infoblox. Been with the company from the beginning. Great to see you again. Wrote the book on DNS. What year was that? That was between DNS, was like, when I was born.

>>Yeah, 1992. September 1992 was when it was published.

>>Great to see you. We've done some podcasts together over the years.

>>Yeah, good to see you too.

>>DNS, now obviously global, ICANN's now global, it's part of the U.N., all different governance bodies, but it's certainly still critical infrastructure.

>>Yeah, absolutely.

>>Critical infrastructure is now the big conversation as the security paradigm has moved from data center to the Cloud, there's no perimeter anymore.

>>Yeah.

>>How is that changing the DNS game?

>>Well, I think that folks are starting to realize how critical DNS is. In October of last year, we had that huge DDoS attack against Dyn, the big DNS hosting provider in New Hampshire, and I think that woke a lot of folks up. A lot of folks realized, holy cow, these guys are not too big to fail, as they say. Even though they have enormous infrastructure, widely distributed around the globe, they have such a concentration of power that a huge number of really, really popular web properties were inaccessible for quite some time, so I think that caused a lot of people to look at their own DNS infrastructure and to reevaluate it and say, well, maybe I need to do something.

>>Interesting about the stack wars that are going on, that attack, as we've lived through and you've been part of it as chief technical officer in many companies. DNS was always that part where it'd be secure, but now you have blockchain, you have new kinds of infrastructure with mobile computing now over 10 years post iPhone.

>>Yep, the critical moment.

>>How has infrastructure changed, beyond DNS, 'cause it still needs to work together?

>>Yeah, well, it's funny because we do have all of these new types of devices. We do have new technologies. But a lot of things have remained the same. DNS is still the same. The remarkable thing is that the latest version of my book is 10 years old, actually 11 years old now, so it's older than the iPhone and people still buy it because the underlying theory is still the same. It hasn't changed. It's a testament, really, to the quality of the original design of DNS that it still works for anything and that it's scaled to serve a network as diverse and as large as the internet is today.

>>What's your biggest observation, looking back over the past decade with DNS, about the emergence of virtual machines, now Cloud? Again, the game is still the same 'cause DNS is the plumbing and it provides a lot of the key critical infrastructure for the web and now mobile. What are the biggest observations that you've seen over the decade?

>>Well, I'd say one of the things that's happened over the last several years that's maybe the most important development in DNS is something that we call response policy zones. Up until now, DNS servers have just been sort of blithely complicit when it comes to, for example, malware. Malware wakes up on a device and it assumes that it has DNS available to it, and it uses DNS, for example, to find a command-and-control server, maybe a drop server to exfiltrate data to. And the DNS server, even though it's being asked to look up the address record for CommandAndControlServer.Malware.Org, just happily goes along with it. A few years ago, Paul Vixie, who I've known for a very long time, came up with this idea called response policy zones, which is basically to imbue our DNS servers with resolution policy so that you can tell them, hey, if you get a query for a domain name that we know is being used maliciously, don't answer it. Don't resolve it like you normally do. Instead, hand back a little white lie like "that doesn't exist," and moreover, log the fact that somebody looked it up, because it's a good indication that they're infected.

>>So bringing policy to DNS is really making it more intelligent.

>>Yeah, that's right.

>>And certainly as networks grow, I was just watching some of my friends setting up the wireless at Burning Man, and the whole new change of how Wi-Fi is being deployed and how networks are being constructed is really coming down to some of the basic principles of DNS to route more, be responsive, and this is kind of a new change.

>>Yeah, there's a lot going on in changes to the deployment of DNS. It used to be that most big companies ran all their own DNS infrastructure. At this point, I think most large companies don't bother running, for example, what we'd call their external authoritative DNS infrastructure. They give that to a big hosting provider to do, somebody like Dyn or Verisign or Neustar or somebody like that, so that's a big change.

>>Cricket, I want to ask you about the CyberConnect event going on in New York. Infoblox is involved. Security is paramount, so now an industry event. Centrify is the main sponsor. You guys are involved as a vendor, but it's not a vendor event, it's an industry event. It's a broad category. What are your thoughts on this kind of industry event? Usually in events it's been Black Hat or vendor events pushing their wares and selling their stuff, but now security is global. What's your take on this event?

>>Well, I'm hoping to be able to spend a little bit of time talking to folks who come to the event about DNS and how it can be used as a tool in their security tool chain. The folks who come to us at Infoblox, to our events, already know about DNS. They're already network administrators or they're responsible for DNS or something like that. My hope is that we can reach a broader audience through CyberConnect and actually talk to folks who maybe haven't considered DNS as a security tool, who maybe haven't thought about the necessity to bolster their DNS infrastructure.

>>One final question since we're on bonus material time. I've got to ask you about the global landscape. I mean, in my early days involved in DNS, when I came in, it was from the '98 to 2000 time frame. International domain names were Unicode. That's not ASCII. So that technically wasn't DNS, but still, they were keywords. They had this global landscape in, say, China, that actually wasn't DNS, so there's all these abstraction layers. Has anything actually evolved out of that trend of really bringing an abstraction layer on top of DNS, and certainly now with the nation-states, with security issues, China, Russia, et cetera? How does all that play out?

>>Well, international domain names have actually taken off in some areas. And basically it's as you say, you have the ability now to use Unicode labels in domain names in certain contexts. For example, if you're using your web browser you can type in a Unicode domain name, and then what the web browser does is it translates it into an equivalent ASCII representation and then resolves it using DNS, which is the traditional DNS that doesn't actually know about Unicode. There are actually some very interesting security implications to using Unicode. For example, people can register things that have Unicode, we would say, glyphs in them that look exactly like regular ASCII characters. For example, you could register paypal.com where the A's are actually lowercase A's in Cyrillic. It's not the same code point as an ASCII A. So it's visually.

>>Great for hackers.

>>Oh yeah. Visually indistinguishable from paypal.com in a lot of contexts, and people might click on it and go to a page that looks like PayPal's.

>>John: So it's a phishing dream.

>>Yeah, really dangerous potentially, and so we're working out some of the implications of that, trying to figure out, within, for example, web browsers, how do we protect the user from things like this?

>>And a lot of SSL out there, now you're seeing HTTPS everywhere. Is that now the norm?

>>Yeah, actually, within the Internet Engineering Task Force, the IETF, after it became obvious that state-sponsored–

>>John: Attacks.

>>Eavesdropping.

>>You were smiling.

>>Was kind of the norm.

>>Got to find the right word.

>>Yeah, the IETF embarked on an effort called DPRIVE, and DPRIVE is basically a bunch of individual tracks to encrypt basically every single part of the DNS channel, especially that between what we call a stub resolver and the recursive DNS server, so that if you're a customer here in the United States and a subscriber to an ISP like Comcast or whomever, you can make sure that that first hop between your computer and the ISP is secured.

>>We're getting down and dirty under the hood with Cricket Liu on DNS. I've got to ask kind of up-level to the consumer. One of the things that kind of pisses me off the most when I'm surfing the web is you see the browser doesn't resolve, or you go hit someone's website, oh yeah, something.io, these new domain names, top-level gTLDs are out there, .media, all these, and companies have firewalls or whatever their equipment is and it doesn't let it through. Because they're trying to protect the perimeter still, must be, I mean, what does that mean when companies aren't letting those URLs through? Is it a firewall issue, or is it more they're still perimeter-based, they're not resolving it, they're afraid of malware? Some things aren't resolving in? What does that mean?

>>Well, I think as often as not it's an operational problem. It could be just a misconfiguration on the part of the folks who are hosting the target website's DNS. It could be that. I don't know a lot of folks who–

>>So it's one of their policies or something, it's just kind of locking down.

>>Could be that too. Or it could be, for example, that they have a proxy server and they're trying to limit access to the internet by category. Maybe it does categorization and filtering by–

>>Can you work on that? Can you write some code for that? Well, thanks, great to see you, thanks for sharing this conversation here On The Ground at Centrify.

>>You're welcome.

>>And good luck with the CyberConnect Conference.

>>Yeah, nice to see you too.

>>Alright, I'm John Furrier with On The Ground here on theCUBE at Centrify's headquarters in Silicon Valley. Thanks for watching.
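As an added example (not from the interview, Infoblox or theCUBE), a Python sketch of the two sides of the IDN discussion above: the browser-side translation of a Unicode name into the ASCII form that plain DNS resolves, and a defender-side check that flags the Cyrillic-A lookalike. `to_ascii` mirrors the browser's Punycode step in simplified form (assumed: no full IDNA mapping or normalisation), and `homograph_report` relies on a small constructed confusables table, not the full Unicode confusables data.

```python
import unicodedata

# Constructed, illustrative subset of Cyrillic letters that render like Latin
# ones. Unicode's confusables.txt covers far more; this is enough for the demo.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}


def to_ascii(name: str) -> str:
    """What a browser does before resolving: each non-ASCII label is
    Punycode-encoded (RFC 3492) and prefixed with 'xn--', so the
    Unicode-unaware DNS only ever sees ASCII. Simplified: no IDNA mapping."""
    labels = []
    for label in name.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def letter_scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) of the letters
    in one label, e.g. {'LATIN', 'CYRILLIC'} for a mixed-script label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace known confusable glyphs with the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def homograph_report(name: str) -> dict:
    """Flag a label if it mixes scripts, or if it is non-ASCII but its
    skeleton is pure ASCII (it would look identical to an ASCII name).
    A genuinely non-Latin name such as a Cyrillic brand is left alone."""
    suspicious = []
    for label in name.lower().split("."):
        mixed = len(letter_scripts(label)) > 1
        looks_ascii = (not label.isascii()) and skeleton(label).isascii()
        if mixed or looks_ascii:
            suspicious.append(label)
    return {
        "wire_form": to_ascii(name),
        "suspicious_labels": suspicious,
        "lookalike_of": skeleton(name) if suspicious else None,
    }
```

For "p\u0430ypal.com" (Cyrillic small A in the second position) the wire form is xn--pypal-4ve.com and the label is flagged as a lookalike of paypal.com, while a single-script Cyrillic name is not flagged.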

Dennis Veasley
