DNS gaffe leaves spy agency totally under cover

The unavailability of the US National Security Agency website on Thursday has been linked to misconfigured DNS (Domain Name System) servers. Surfers were unable to reach NSA.gov from about 0700 on Thursday because systems used to translate web addresses humans understand to machine-readable IP addresses were playing up, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Gaffe gaffe.

    Not being a spelling nazi, and hoping the grammar gremlins don't (k?)nobble me, but is a gaffe in spelling gaffe recursive?

  2. Sarah Bee (Written by Reg staff)

    Re: Gaffe gaffe.

    I wouldn't usually let that sort of comment through but since it's Friday, I am feeling frisky, it is a lovely example of irony and it was not my gaffe, I gladly will.

    Haw!

  3. Sarah Bee (Written by Reg staff)

    Re: Gaffe gaffe.

    (I'm afraid I must fix the headline, though. Sorry.)

  4. Anonymous Coward
    Black Helicopters

    But it's *supposed* to be secret!

    Sorry but I don't see what the problem should be here. I mean, if anyone can find your website then it can't be very secure, can it?

    But the idea that the Agency responsible for teaching others how to protect their own systems (and supposedly responsible for the protection of the whole US of A) manages to fall foul of this particular gremlin does show that they are human, after all...

    Hey, is that the local news ship hovering outside my window? Nah, they've got a colorful Jetranger and not some funny shadowy thing with a man in sunglasses waving a little silver sti...

    What was I saying?

  5. John Bayly
    Flame

    Not being grumpy or anything, but ...

    "systems used to translate web addresses humans understand to machine-readable IP addresses were playing up"

    Surely you don't have to explain what DNS does to us whenever it's mentioned in an article.

    (Can we have a "The Friday Lunchtime Ale has made me want to vent my anger"?)

  6. Anonymous Coward
    Unhappy

    Don't mess with the NSA

    Mr John Leyden won't be writing any more articles once the NSA locate him... extraordinary rendition to a cell somewhere unpleasant. He can spend the rest of his days on an IT dictionary for dummies.

  7. Anonymous Coward
    Anonymous Coward

    Are you sure these are problematic?

    "For one thing, a web server was run on the same machine (or at least the same IP address) as one of the authoritative name servers for nsa.gov. Secondly, the primary and secondary authoritative name servers are both downstream from the same Qwest edge access router in Washington DC, instead of being properly separated."

    The first is fine - you can run an http server on a DNS machine if you like.

    And can you share an IP with another machine? I don't think so, not really: say the DNS is running behind a NAT; the external IP would be the same, but the actual final IP numbers would be different.

    The second, well you could argue redundancy to another continent, planet :) etc, but it is just the level of redundancy and it is not a requirement.

    I agree, the NSA should probably use extra precaution, but the above is just a matter of preference, and in some instances following that advice may introduce other vulnerabilities.

    And nsa.gov is just a PR area for the agency, they would be crazy to run day to day security services through that domain. This is newsworthy, in an ironic way, but I doubt much has been compromised.

  8. Paul
    Boffin

    DNS + IIS = not best practice

    "For one thing, a web server was run on the same machine (or at least the same IP address) as one of the authoritative name servers for nsa.gov. Secondly, the primary and secondary authoritative name servers are both downstream from the same Qwest edge access router in Washington DC, instead of being properly separated."

    To AC above me, best practice is to avoid running a web server (IIS I presume) and DNS on the same box as it can run into problems. Given their likely huge budget I'd be surprised if they can't afford a spare box for a web server.

    Different locations for redundancy, same as others have said, only minimises chances but again, surely they have the budget to keep to best practices and not have to cut corners.

  9. Anonymous Coward
    Coat

    honeypot ?

    not sure anyone - welcomes only new domain elective resolution for user listeners.

  10. Anonymous Coward
    Anonymous Coward

    Best practice?

    Best practice well that is debatable and that's my point.

    If the website host is down, then who cares if the DNS resolves?

    Sure it is something I suppose but in itself is not a security risk.

    If your website is insecure then you have more to worry about than your DNS. If you are using your DNS for other mission-critical services then sure, but if it is PR and just web, again, who cares; they are one and the same at that point.

    And if your secondary is on a network you have less control over, then perhaps that is not as secure.

    Compromise the second, DDOS the first and you have the domain. Whereas if you cannot compromise the first or second then DDOS just blocks the site, which is perhaps preferable.

    And moving the DNS to another network you have more control over may flag the fact that the NSA have control of that network.

    You have to rationalize and explain the term best practice, you cannot just pull it out the air. Their setup may very well have been best practice for them.

    And this human understandable to machine readable thing has crept in again - so just exactly how do virtual domains work with IP numbers when the server is listening on the same IP number then? And what is so incomprehensible to humans with the number 127.0.0.1 (it is quite memorable as well - perhaps more so than many domain names).

    The domain system is more than just providing human to 'machine' IP numbers, it's an addressing system that has relation to IP :)

  11. Big Al
    Black Helicopters

    Surfers?

    "Surfers were unable to reach NSA.gov..."

    Er, you mean it's the sort of site that you might sort of just casually come across while browsing for pr0n, sorry, serious news articles about current affairs?

    I can't help feeling that it's more the kind of site you were probably looking for. The question, of course, is why...

  12. Flocke Kroes Silver badge

    If DNS and http on same/different boxes

    If the DNS+http box breaks, people cannot read my web pages.

    If my http box breaks, but my separate DNS server is working, people cannot read my web pages.

    Where is the advantage to me of paying for a separate DNS box?

  13. Andy Livingstone

    Confidence and World Security.

    The sirens sound, world leaders open their black bags, take out the carefully coded and guarded papers, insert the keys, and press buttons to launch. Their screens read "Not ready reading Drive C: Abort/Retry/Ignore?"

    Fear not, Government agencies are run by the same people who make decisions about emptying dustbins fortnightly.

  14. Anonymous Coward
    Coat

    why DNS matters

    >>>> If the website host is down, then who cares if the DNS resolves?

    Anyone that looks up your domain. The Internet is about a lot more than web sites. Have you ever heard of email? Or VoIP? Or IM?

  15. Anonymous Coward
    Stop

    putting DNS and http on same/different boxes

    Flocke Kroes asks:

    If the DNS+http box breaks, people cannot read my web pages.

    Where is the advantage to me of paying for a separate DNS box?

    This is an obvious security fundamental: don't put all your eggs in one basket. Having separate boxes means if your DNS server is compromised, it doesn't compromise your web server, and so on. Just like you don't use the same password for every computer you use or the same key for every door you unlock. And since web sites are usually easier to penetrate than DNS servers, running these services on the same box is unwise. DNS is far more important than web. If your DNS breaks, everything breaks - email, web surfing, IM, BitTorrent, etc - not just your web site.

  16. Anonymous Coward
    Anonymous Coward

    @John Bayly

    I agree with John Bayly, this is supposed to be a tech website no?

    Maybe you should be submitting this type of article to the daily rags where they don't know better.

    (you need a total bollocks icon)

  17. Anonymous Coward
    Thumb Up

    Thanks

    Thanks for the item, that explains why, when I was trying to get a very interesting paper on securing ****** operating systems, it was not available.

    To their credit, the NSA do publish some good stuff on computer security.

  18. Rich

    Why do they need a website

    As a secret agency, why do they have a website? If they didn't have one, or outsourced it to a PR agency (and put it on nsainfo.gov or some such) then this sort of problem wouldn't happen.

  19. Craig Small
    Black Helicopters

    DNS and HTTP servers

    You try to run them on different machines so an attack on one doesn't impact the other.

    Imagine the webserver (because that is the most likely) has a problem and hackers get into the machine. With them both on the same machine you can now change the DNS records (and let's up the TTL while you're at it) to point www.nsa.gov to somewhere else; perhaps a website using a Christmas Island domain and pictures of goats, or.. whatever.

    Even when they do fix it, the large TTL would mean it would point to the wrong server for a long time.
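    The two risks raised in this thread, name servers that share a prefix with each other or an address with the web server (comments 7 and 8), and a compromised host rewriting records and inflating the TTL so the bad answer outlives the fix (comments 15 and 19), are both things a zone owner can check for against a known-good baseline. The script below is an added example, not code from the article or from any commenter; the zone name, host names and addresses are constructed placeholders (RFC 5737 documentation ranges, not real nsa.gov data), and the "same /24 prefix" test is a stand-in for the "same edge router" condition, which cannot be read from DNS alone.

```python
"""Compare a snapshot of a zone's records with a baseline and flag the
failure modes discussed in the thread. Constructed example; no network access."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, fully qualified
    rtype: str  # "A" or "NS"
    ttl: int    # seconds
    value: str  # address for A records, host name for NS records


# Constructed baseline for a hypothetical zone (example.gov is a placeholder,
# addresses are from the RFC 5737 documentation ranges).
BASELINE = [
    Record("example.gov.", "NS", 86400, "ns1.example.gov."),
    Record("example.gov.", "NS", 86400, "ns2.example.gov."),
    Record("ns1.example.gov.", "A", 86400, "192.0.2.10"),
    Record("ns2.example.gov.", "A", 86400, "192.0.2.20"),
    Record("www.example.gov.", "A", 3600, "192.0.2.10"),
]

# Constructed "after tampering" snapshot: www now points elsewhere and its TTL
# has been raised from one hour to one week.
TAMPERED = [
    Record("example.gov.", "NS", 86400, "ns1.example.gov."),
    Record("example.gov.", "NS", 86400, "ns2.example.gov."),
    Record("ns1.example.gov.", "A", 86400, "192.0.2.10"),
    Record("ns2.example.gov.", "A", 86400, "192.0.2.20"),
    Record("www.example.gov.", "A", 604800, "203.0.113.66"),
]


def _index(records):
    """Map (name, rtype) -> set of values and (name, rtype) -> largest TTL."""
    values, ttls = {}, {}
    for r in records:
        key = (r.name, r.rtype)
        values.setdefault(key, set()).add(r.value)
        ttls[key] = max(ttls.get(key, 0), r.ttl)
    return values, ttls


def check_zone(snapshot, baseline, apex, web_host, prefix_len=24):
    """Return a list of (severity, message) findings for the snapshot."""
    findings = []
    cur_vals, cur_ttls = _index(snapshot)
    base_vals, base_ttls = _index(baseline)

    for key, expected in base_vals.items():
        got = cur_vals.get(key, set())
        # 1. Drift: an rrset whose values no longer match the baseline.
        if got != expected:
            findings.append(("high", f"{key[0]} {key[1]} changed: "
                                     f"{sorted(expected)} -> {sorted(got)}"))
        # 2. TTL inflation: a longer TTL keeps whatever answer is served
        #    in resolver caches for longer, including a tampered one.
        if cur_ttls.get(key, 0) > base_ttls[key]:
            findings.append(("medium", f"{key[0]} {key[1]} TTL raised "
                                       f"{base_ttls[key]} -> {cur_ttls[key]}"))

    # 3. Separation: every authoritative server inside one prefix is a single
    #    point of failure (approximation of "behind the same router").
    ns_addrs = set()
    for ns in cur_vals.get((apex, "NS"), set()):
        ns_addrs |= cur_vals.get((ns, "A"), set())
    nets = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in ns_addrs}
    if ns_addrs and len(nets) == 1:
        findings.append(("medium", f"all name servers sit in {next(iter(nets))}"))

    # 4. Co-location: the web host answers on the same address as a name server.
    shared = cur_vals.get((web_host, "A"), set()) & ns_addrs
    if shared:
        findings.append(("low", f"{web_host} shares {sorted(shared)} with a name server"))
    return findings


def worst_case_staleness(snapshot, baseline):
    """Seconds a resolver may keep a tampered answer after the zone is repaired:
    the largest TTL among rrsets whose values differ from the baseline."""
    cur_vals, cur_ttls = _index(snapshot)
    base_vals, _ = _index(baseline)
    changed = [k for k, v in base_vals.items() if cur_vals.get(k, set()) != v]
    return max((cur_ttls[k] for k in changed), default=0)


if __name__ == "__main__":
    for sev, msg in check_zone(TAMPERED, BASELINE, "example.gov.", "www.example.gov."):
        print(sev, msg)
    print("worst-case staleness (s):", worst_case_staleness(TAMPERED, BASELINE))
```

    Run against the tampered snapshot it reports the changed www record, the raised TTL, and the name servers sharing one prefix; run against the baseline itself it still reports the shared prefix and the web/name-server co-location, which is the point the thread makes: those two are configuration choices that are visible before anything goes wrong. The staleness figure is the TTL of the changed record, so a week-long TTL means a week of wrong answers for resolvers that cached it just before the fix.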

  20. foo_bar_baz
    Happy

    HTTP + DNS revisited

    Let's see what NSA have to say about installing a web server on a machine with other services on it:

    "Install IIS 5.0 on a server that is not required to support any other service."

    (Page 7, Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0)

    There you have it, from the authoritative source. Fundamental, really.

  21. Simon Painter
    Thumb Up

    @foo_bar_baz

    NSA.gov is running IIS6

    http://toolbar.netcraft.com/site_report?url=http://www.nsa.gov

    Still shouldn't be on the same box as the DNS though but with NAT/PAT we are making a pretty big assumption that just because the public IP is the same that the actual tin is the same.

  22. Slaine
    Dead Vulture

    not being a technonazi myself...

    PERSONALLY - I really appreciate the odd "in depth explanation" that accompanies many of the unnecessarily non-descriptive TLAs like DNS. (TLA, BTW, is a Three Letter Abbreviation - we used to "play" at them in the 1980s to wind up TGM (the group manager), DBA (database administrator) and DAD (my father) when I was a COBOL programmer, so STFU (kindly refrain from voicing another reply)).
