Cisco Router as DNS Server Demonstrates Functional Aggregation

Did you know that a sufficiently new Cisco router can be a DNS server? Apparently this functionality is not that new (dating from 2005), but I did not hear of it until I saw the article Cisco Router: The Swiss Army Knife of Network Services. I think this is a good example of what I may start calling "functional aggregation," whereby features previously provided on separate servers are collapsed to one box. I know others call that "convergence," but that term applies to so many topics (voice + video + data, etc.) that I'll use FA here. It doesn't matter anyway, because some marketing drone will invent a catchy name that everyone will end up using at some point.

One interesting aspect of this story is that it points to a simple blog post called Use your Cisco router as a primary DNS server that shows how easy it is to configure this feature. That post is then followed by a new article called Protecting the primary DNS server on your router, which explains how a router as DNS server can be overwhelmed faster than a separate, robust server. The comments to the second post also provide a justification for DNS on router functionality, namely it saves the cost of a dedicated DNS box if your router is underutilized.

The danger not mentioned in those posts is that a DNS server is another potentially exploitable service. The greater the number of services exposed to the public on a system, the greater the likelihood for compromise. It's one of the reasons people have tried to run separate services on separate servers for years.

I think we'll see the following trends based on these sorts of developments.

  • The poorest businesses (in terms of budget, expertise, and time) will seek to not maintain any IT infrastructure at all, and will rely on outsourced services. FA means nothing to them because they don't maintain gear.

  • Moderately equipped businesses will adopt some FA solutions because they are "good enough" or "just good enough," given their constraints.

  • Well-equipped businesses whose staff can make the case for stand-alone functionality (i.e., separate DNS servers, etc.) will avoid FA solutions for critical infrastructure. Otherwise they will outsource or use FA to save money.


I think these arguments apply equally well to security services such as those found in so-called "unified" security appliances.

Comments

X-Istence said…
I have never been a big fan of running all services on one machine, where possible I run multiple servers with different services, or at least split all of them up by running one host machine with VMWare sitting on top of it.

I don't understand why companies like Cisco would include such functionality that can cause more harm than good. What if their implementation is flawed, and a bug is found, now an automatic virus uses it, and it shuts down your network, what are you as a network admin supposed to do. Packets are not flowing anymore, which is bad! If it is on a separate "image" (and with image, I mean a physical server, or a virtualised server), then it can be fixed while the rest of the world goes on, and you temporarily set everyone's DNS server to 4.2.2.2 (thanks level 3!)
Anonymous said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics