Friday, July 09, 2010

DNS Root Servers should be dispersed geographically!

Physical location of Domain Naming Services (DNS) root servers within the continental United State.

I believe the DNS root servers should be physically located in each of the four (4) times zones within the continental United States - Pacific Time Zone, Mountain Time Zone, Central Time Zone, and Eastern Time Zone.

Obviously these DNS root servers are the ones controlled by the United States. If you look at a map of the DNS root servers in the US now, they are grouped on the East and West coasts with few in the middle of the country.

There are four (4) DNS root servers located in Los Angeles and 12 DNS root servers located in Silicon Valley. That means if an earthquake hits the state of California (when would that ever happen?), we could potentially lose 16 DNS root servers in one stroke of bad luck. I see this as a problem that can easily be fixed by moving at least six (6) of the servers out of California. Alternative locations could include Oregon, Washington (besides the one that is already there), Phoenix (Arizona), Santa Fe (New Mexico), Salt Lake City (Utah), Denver (Colorado), Boise (Idaho), or Billings (Montana). There are no DNS root servers located in the Mountain Time Zone - that is ridiculous.

There are four (4) DNS root servers in Chicago, one in Dallas, and one in San Antonio. Move three (3) of the DNS root servers out of Chicago and one of the DNS root servers out of Texas into alternative locations such as Madison (Wisconsin), Minneapolis (Minnesota), Lincoln (Nebraska), Oklahoma City (Oklahoma), St. Louis (Missouri), or Little Rock (Arkansas).

In regards to the Eastern Time Zone, Atlanta having two (2) DNS root servers is OK, but Miami having four (4), hello hurricane! One DNS root server in Columbus, Ohio, is good but five (5) in the New York City metropolitan area is negligence - move those servers somewhere else.

Don't get me started on the nine (9) DNS root servers located in the greater Washington DC / Balitmore area. In my opinion, there should be no DNS root servers near Washington just like there should be no DNS root servers near New York City. Move those servers to places like Columbia (South Carolina), Asheville (North Carolina), Lexington (Kentucky), Indianapolis (Indiana), Detroit (Michigan), and Pittsburgh (Pennsylvania).

The goal of this is to geographically disperse America's DNS root servers so they aren't vulnerable to natural disasters (such as earthquakes in California or hurricanes in Miami) or physical attack (such as someone popping a nuke in the DC area). One of the original goals of the Internet (as a mode of communication) was its dispersed nature and ability to survive an attack. The DNS root servers are critical parts of the national infrastructure and must be protected. This is important stuff.

Rob Hiltbrand, MS, CISSP

No comments: