Hello, we are here on the ground. This is theCUBE's On the Ground program at Centrify's headquarters. We have Cricket Liu, chief DNS officer at Infoblox, been with the company from the beginning. Great to see you again. Wrote the book on DNS. What year was that? I mean, DNS was like, when it was born. Yeah, 1992, September 1992 was when it was published. Great to see you. We've done some podcasts together over the years. Yeah, good to see you too. DNS now obviously global, ICANN is now global. It's part of the UN, all different governance bodies, but it's certainly still critical infrastructure. Yeah, absolutely. Critical infrastructure is now a big conversation as the security paradigm has moved from data center to the cloud. There's no perimeter anymore. Yeah, yeah. How is that changing the DNS game? Well, I think that folks are starting to realize how critical DNS is. In October of last year, we had that huge DDoS attack against Dyn, the big DNS hosting provider in New Hampshire. And I think that woke a lot of folks up. A lot of folks realized, holy cow, these guys are not too big to fail, as they say. Even though they have enormous infrastructure, widely distributed around the globe, they have such a concentration of power that a huge number of really, really popular web properties were inaccessible for quite some time. So I think that caused a lot of people to look at their own DNS infrastructure and to reevaluate it and say, wow, maybe I need to do something. Interesting about the stack wars that are going on in the tech industry. We've lived through them. You've been part of it. It's the chief technical office or any companies. DNS was always that part where we had to be secure. Now you have blockchain, you have new kinds of infrastructure with mobile computing. Now we're 10 years post-iPhone, the critical moment. How has infrastructure changed beyond DNS, because it still needs to work together?
Yeah, it's funny because we do have all of these new types of devices. We do have new technologies, but a lot of things have remained the same. DNS is still the same. The remarkable thing is that the latest version of my book is 10 years old, actually 11 years old now. So it's older than the iPhone and people still buy it because the underlying theory is still the same. It hasn't changed. It's a testament really to the quality of the original design of DNS that it still works for anything and that it's scaled to serve a network as diverse and as large as the internet is today. What's your biggest observation looking back over the past decade with DNS? Wow, the emergence of virtual machines, now cloud. Again, the game is still the same, as DNS is the plumbing and provides a lot of the key critical infrastructure for the web and now mobile. What's the biggest observation that you've seen over the decade? Well, I'd say one of the things that's happened over the last several years that's maybe the most important development in DNS is something that we call response policy zones. Up until now, DNS servers have just been sort of blithely complicit when it comes to, for example, malware. Malware wakes up on a device and it assumes that it has DNS available to it and it uses DNS, for example, to find a command and control server, maybe a drop server to exfiltrate data to. And the DNS server, even though it's being asked to look up the address record for commandandcontrolserver.malware.org, it just happily goes along with it. A few years ago, Paul Vixie, who I've known for a very long time, came up with this idea called response policy zones, which is basically to imbue our DNS servers with resolution policy, so that you can tell them, hey, if you get a query for a domain name that we know is being used maliciously, don't answer it. Don't resolve it like you normally do.
Instead, hand back a little white lie like "that doesn't exist," and moreover, log the fact that somebody looked it up, because it's a good indication that they're infected. So bringing policy to DNS is really making it more intelligent. Yeah, that's right. And certainly as networks grow, I was just watching some of my friends setting up the wireless at Burning Man, and the whole new change of how the Wi-Fi is being deployed and how networks are being constructed is really coming down to some of the basic principles of DNS, to route more, be responsive, and this is kind of a new change. Yeah, there's a lot going on in sort of changes to the deployment of DNS. It used to be that most big companies ran all their own DNS infrastructure. At this point, I think most large companies don't bother running, for example, their external, what we'd call their external authoritative DNS infrastructure. They give that to a big hosting provider to do. Somebody like Dyn or Verisign or Neustar, somebody like that. So that's a big change. Quick, I want to ask you about the CyberConnect event going on in New York. Infoblox was involved. Security is paramount. Now, an industry event: Centrify is the main sponsor, you guys were involved as a vendor, but it's not a vendor event, it's an industry event. It's a broad category. What's your thoughts on having this kind of industry event? Usually, events have been like Black Hat or vendor events pushing their wares and selling their stuff, but now security's global. What's your take on this event? Well, I'm hoping to be able to spend a little bit of time talking to folks who come to the event about DNS and how it can be used as a tool in their sort of security tool chain. The folks who come to us at Infoblox, to our events, already know about DNS. They're already network administrators or they're responsible for DNS or something like that.
My hope is that we can reach a broader audience through CyberConnect and actually talk to folks who maybe haven't considered DNS as a security tool, who maybe haven't thought about the necessity to bolster their DNS infrastructure. One final question, since we're on bonus material time, I got to ask you about the global landscape. I mean, in my early days involved in the DNS when I came, I was formed in 98 through the 2000 timeframe. International domain names were Unicode. That's not ASCII, so that technically wasn't DNS, but still they were keywords. They had this global landscape in, say, China that actually wasn't DNS, so there's all these abstraction layers. Has anything actually evolved out of that trend of really kind of bringing an abstraction layer on top of DNS, and certainly now at the nation states with security as issues, China, Russia, et cetera? How has all that played out? Well, international domain names have actually taken off in some areas, and basically it's, as you say, you have the ability now to use Unicode labels and domain names in certain contexts. For example, if you're using your web browser, you can type in a Unicode domain name and then what the web browser does is it translates it into an equivalent, yeah, equivalent ASCII representation and then resolves it using DNS, which is the traditional DNS that doesn't actually know about Unicode. There are actually some very interesting security implications to using Unicode. For example, people can register things that have Unicode, we would say glyphs, in them that look exactly like regular ASCII characters. For example, you could register PayPal.com where the A's are actually lowercase A's in Cyrillic, which is not the same code point as an ASCII A, so it's visually indistinguishable from PayPal.com in a lot of contexts and people might click on it and go to a page that looks like PayPal. What's a phishing dream, big time.
Yeah, yeah, really, really dangerous potentially, and so we're working out some of the implications of that, trying to figure out within, for example, web browsers, how do we protect the user from things like this? And a lot of SSL out there, now you're seeing HTTPS everywhere. Is that now the norm? Yeah, actually within the Internet Engineering Task Force, the IETF, after it became obvious that state-sponsored eavesdropping was kind of the norm, the IETF embarked on an effort called DPRIVE, and DPRIVE is basically a bunch of individual tracks to encrypt basically every single part of the DNS channel, especially that between what we call the stub resolver and the recursive DNS server. So that if you're a customer here in the United States and a subscriber to an ISP like Comcast or whomever, you can make sure that that first hop between your computer and the ISP is secured. We're getting down and dirty under the hood with Cricket Liu on DNS. I gotta ask, kind of up-level, to the consumer. And one of the things that kind of pisses me off the most when I'm surfing the web is you see the browser doesn't resolve, or you go hit someone's website, oh yeah, it's something.io, these new domain names, top-level gTLDs are out there, .media, all these things. And companies have firewalls or whatever their equipment is and it doesn't let it through because they try to protect the perimeter still, must be. I mean, what does that mean when companies aren't letting those URLs in? Is it a firewall issue or is it more they're still perimeter-based, they're not resolving it, they're afraid of malware, some things aren't resolving in, what does that mean? Well, I think as often as not, that's an operational problem. It could be just a misconfiguration on the part of the folks who are hosting the target website's DNS. It could be that. I don't know a lot of folks who... So, spoiler policies are something that's kind of locking down? Could be that too.
Or it could be, for example, that they have a proxy server and they're trying to limit access to the internet by category. Maybe it does categorization and filtering by... Can you write some code for that? Well, thanks, great to see you. Thanks for sharing this conversation here On the Ground at Centrify. And good luck with the CyberConnect conference. Yeah, nice to see you too. All right. I'm John Furrier with On the Ground here on theCUBE at Centrify's headquarters in Silicon Valley. Thanks for watching.
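The homograph scenario described in the interview (a Unicode label whose Cyrillic letters look like the ASCII name, which the browser silently converts to an ASCII form before resolving) can be checked from the defender's side. The following is an added example, not part of the interview or of any Infoblox or browser code: it converts a domain name to the ASCII form a resolver actually sees using Python's built-in IDNA codec, and flags any label whose letters come from more than one script. The script detection is a heuristic based on Unicode character names (an assumption of this example, not a standard); the sample domains are constructed.

```python
import unicodedata


def script_of(ch: str) -> str:
    """Heuristic script family of a character taken from its Unicode name,
    e.g. 'LATIN' for 'a' and 'CYRILLIC' for U+0430. Digits and hyphens
    return '' because they may legitimately appear in a label of any script."""
    name = unicodedata.name(ch, "")
    if ch.isdigit() or ch == "-" or not name:
        return ""
    return name.split(" ")[0]


def to_ascii(domain: str) -> str:
    """Convert a Unicode domain name to the ASCII (xn--) form that is actually
    sent to DNS; pure-ASCII names come back unchanged."""
    return domain.encode("idna").decode("ascii")


def mixed_script_labels(domain: str) -> list:
    """Return the labels of `domain` whose letters mix more than one script.
    A label drawn entirely from one script (all Cyrillic, all Latin) is not
    flagged; a Latin label with a single Cyrillic look-alike letter is."""
    flagged = []
    for label in domain.split("."):
        scripts = {s for s in (script_of(c) for c in label) if s}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def assess(domain: str) -> dict:
    """Summarise what a resolver sees and whether the name deserves a closer look."""
    ascii_form = to_ascii(domain)
    return {
        "display": domain,
        "ascii": ascii_form,
        # Any xn-- label means the browser did an IDNA conversion before resolving.
        "is_idn": any(l.startswith("xn--") for l in ascii_form.split(".")),
        "mixed_script": mixed_script_labels(domain),
    }


# Constructed sample names: a plain ASCII name, the interview's look-alike
# (second letter is CYRILLIC SMALL LETTER A, U+0430), and an all-Cyrillic name.
SAMPLE_DOMAINS = ["paypal.com", "p\u0430ypal.com", "почта.рф"]


def report(domains=SAMPLE_DOMAINS) -> list:
    """Assess each domain; a non-empty 'mixed_script' list is the signal a
    browser or log reviewer would want to surface to the user."""
    return [assess(d) for d in domains]


if __name__ == "__main__":
    for entry in report():
        verdict = "MIXED-SCRIPT LABEL" if entry["mixed_script"] else "ok"
        print(f"{entry['display']:<14} -> {entry['ascii']:<22} {verdict}")
```

The point of the `ascii` column is that the look-alike name never reaches DNS as "paypal": the resolver sees an `xn--` label, which is why inspecting the converted form (or the query logs a policy-aware resolver keeps) is a practical place to catch the trick, independent of how convincing the rendered glyphs look.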