Recent attacks on outsourced DNS have caused extended outages for major organizations, making them unreachable on the Internet and costing millions in lost revenue and customer goodwill.  All of these organizations, including such notable companies Amazon.com, have one thing in common: they outsource hosting of their external DNS.  Is this a good idea?

Disclosure: I work for Infoblox, a vendor who offers a DNS appliance.  Even worse, I’m in the marketing department.  Yet hear me out as I think I am asking a valid question of an industry poised to outsource more IT services to the cloud (ala cloud computing).

Perception versus Reality

While DNS outsourcing promises better security and lower costs, the reality is often the opposite:  usage-based DNS pricing can cause costs to spiral out of control; and attacks on a single service provider can impact DNS for thousands of companies.

Higher Costs with Less Control

Outsourced DNS can create an attractive point of attack that impacts hundreds or thousands of companies and yet over which your security team has no meaningful visibility or control..  This places your customers and partners’ access to your presence on the Internet at the mercy of a potentially vulnerable third party.  Why outsource a critical lifeline for a business?

As we talk about dynamic infrastructure and cloud computing, the concept of outsourcing no doubt enters the picture.  Is this recent outage (and other recent cloud outages) a harbinger of what can happen when critical IT infrastructure is centralized and a single provider becomes, in effect, a single point of attack?

Risk versus Reward Conundrums

While this DNS outage may be seen as part of a drumbeat of “acceptable outages” often incurred by external service providers, I think it begs a bigger question: how much of an ecommerce or supply chain lifeline should be outsourced and what would be the required “payoff” for the extra risk incurred? 

Are there broader economic risk implications that accrue when service providers are responsible for too much infrastructure?  We are suffering the throes of financial turmoil because individual incentives didn’t evenly align with an increasingly interconnected global financial system.  Risks were taken that rewarded individuals for exposing the whole system to potentially catastrophic stresses and strains and (credit) availability risks.

Some Fair Questions about Outsourced DNS

So I ask: should external DNS ever be outsourced for a major enterprise?

Clearly all of those impacted have deeper technology expertise than I do so I won’t try to argue the technical aspects.  The answer is of course different for every organization, the analysis for any organization needs to include the following:

-Is outsourcing more or less secure than hosting one’s own external DNS?  If a company is still using conventional servers for their external DNS, which may take days or weeks to patch in response to a new vulnerability like last summer’s Kaminsky exploit, then outsourcing may be better – although claims by certain outsourcers of “invulnerability” to attack must certainly now be called into question.  Alternatively, a company using hardened appliances for external DNS and using techniques like Anycast can make very secure, very robust infrastructures that are robust against attacks and can be patched in minutes.

-Is outsourcing external DNS more or less costly that hosting one’s own external DNS?  Again, the answer depends upon many factors, but perhaps mostly upon the view of DNS as an application or as infrastructure.  If DNS service is like an application, then the prospective benefits for outsourcing DNS are similar to those for using cloud computing, i.e. it can be more cost effective to purchase application capacity on demand than to build an application infrastructure that supplies peak capacity.  On the other hand, if DNS is viewed as infrastructure, then it generally is more cost effective to purchase and manage the needed capacity and avoid being concerned with overage charges for unanticipated peak loads.

I have a unique (and perhaps jaded) perspective as I work for Infoblox, a vendor who offers a DNS appliance.  Yet I think the question is worth asking to an IT community already exposed to outsourcing and being pulled into new models of IT service delivery.

You can follow my ramblings in real time at: www.twitter.com/archimedius or join the conversation at www.infra20.com.