event on private vs. public DNS. In this clip we cover: Why would an organization need a private DNS? Is it valuable for companies of all sizes? Who would manage it and how does it enable your uptime and security?
So BlueCat really does one thing and they do it really well, and that's help you build a private DNS. Now why? Why DNS? Why? Why is that something important? Well, if we're doing what we just did with those other companies, if we're putting our data everywhere, if we're allowing you to do VPNs everywhere, you have to know where everything is. So is another part of this puzzle is DNS tells us where it is and I bet you and I take DNS for granted almost every day, right? Do you type in your URL? DNS resolves.
Mike Matchett: [00:39:34] It's a global service. You know, it doesn't really become unreliable too much. It's there. There's a lot of backup for it. It's almost bulletproof in terms of reliability. It turns out, though, that it is not totally secure from misconfiguration. I think is what we're going to find out when we talk to Andrew here. You might want, as you grow it, a bigger and bigger enterprise, Dave, to control your own DNS so that you can control where things are known to be. So it can't be hijacked. It can't be fractionalized, it can't be vulnerable. You don't have. I think the problem is like having master data management. You can have multiple copies of a DNS within a company, all pointing in different directions and depending on where the person is sitting, depending which DNS server they're accessing, they may or may not be able to see everything. I would say that DNS configuration misconfigurations and problems are almost near and dear to the root cause of a lot of big outages in services that we see today. And I'm not going to point names at Facebook or Meta or whatever they're called today. But you know, if your DNS goes down and nobody can actually find the servers where the things are running, it's not going to, it's not going to work even if those services are completely operational. So this is an interesting interview I did with Andrew. We should roll the tape because I met DNS isn't the first thing I thought of that you need to be securing. But the longer we talk, the more I became totally convinced that it's got to be part of a security plan.
Dave Littman: [00:41:00] Okay, cool. Let's go to the tape and we'll come back. We'll finish up with a couple of questions and do the giveaway.
BlueCat Networks: [00:41:06] It's a brave new world out there for CEOs as they look to technology to transform their business. Infrastructure and application delivery has evolved, accelerated by network virtualization, cloud and automation. Users need access whenever, however, wherever. While the network team is challenged with enabling all this, the security team needs visibility and heightened control. For many organizations, DNS often presents roadblocks instead of solutions. Legacy DNS infrastructure is fractured, complicated and susceptible to failures. Changes to DNS are manual, time-consuming and risky. Plus, DNS is a favorite target for cyber attacks on corporate networks. At BlueCat, we know the answer lies in adaptive DNS. It brings DNS into the modern world of software and digital transformation, allowing organizations to quickly respond to changing business needs. Adaptive DNS is centralized, scalable, automated through policy. And because DNS data signals intent, it is the connecting thread between network and security teams. Using adaptive DNS, cybersecurity teams can identify and assess threats and proactively block them before they reach business critical applications or data. Gain visibility. Assert control. Automate everything. That's BlueCat Adaptive DNS.
Mike Matchett: [00:42:42] We have got an expert here today in DNS, Andrew Wertkin, who is CPO, CTO of BlueCat Network. Welcome, Andrew. Pleased to be here. I know it was quite an introduction. Tell us a little bit. I know we talked offline a little bit, but tell us a little bit about DNS and why that can actually be a problem. Let's just start with that. Why can that doesn't DNS just work? Don't just the network internet's take care of it for us, right?
Andrew Wertkin: [00:43:06] It just it just, you know, the amazing thing, by the way, about about public DNS, about the internet's DNS is is it works amazingly well. I mean, this is conceived so many years ago, never with the thought that that the internet would would turn into what it is today. And and so the scale and breadth of of the DNS, it's it's pretty incredible in most of the times. It does just work. When it doesn't work, it's a real problem. And and work or not work, you know? You know, rarely trying to remember when, if you know, you rarely as DNS just down in the world of public DNS, but rather there's a problem with what you're trying to get to. You know, like, this record isn't resolving correctly. You can't get to this application or this website or, you know, some major SaaS system is down. And, you know, they publicize later that we found the problem and the root cause was some DNS issue. And there's this big joke. It's always DNS. So it's not whether the whole system is up and down. It's the complexity of figuring out why it's in this case, not working just for users over there or just during these times, during the day or whatever.
Andrew Wertkin: [00:44:21] And and oftentimes it it's, you know, people go on these journeys to figure out what's what's working or not working in the world of public DNS. Same thing on the private side, because keep in mind, you know, you know, the DNS is used so that companies can communicate with other companies that people can buy stuff online. So I mean, you know, it facilitates everything on the internet, but obviously it does so inside the company's private network as well. And in that case, this massively scalable public infrastructure in this wonderful system of trust and delegation doesn't understand what's going on inside of your network. So, so large companies need to build their own DNS or what we call private DNS inside the company as well. And and that can suffer from all of those things that can go wrong on the internet as well. And more, you know, and so, so so it can often be the source of a lot of issues.
Mike Matchett: [00:45:15] So not necessarily about breaking or being down or unavailable as much as I would guess you would say, misconfigured or configured to not work the way you expect it to work.
Truth in IT: [00:45:24] The majority of the time a DNS outage has a simple cause: misconfiguration. It's most likely to occur as a result of changing or adding something in your enterprise network. Of course, it's more likely that a novice will make a configuration mistake, but experienced DNS admins can make them too. We are all human, after all. Sometimes equipment failures or malicious attacks can direct the blame elsewhere. But human errors are by far the most common culprit.
Mike Matchett: [00:45:56] There are lots of people that use cloud services, right? And and cloud service providers. You know, Azure, Google say I have DNS offerings, don't they? I mean, when it wouldn't someone just be doing well by themselves to just go use their DNS offering if they need that private?
Andrew Wertkin: [00:46:11] Yeah, they have DNS offerings on the public side and private side, and in companies that build their own DNS often use some of that as well. Those DNS are. Let's just talk about the private side. I mean, you know, the public side, it's public DNS. On the private side, all of those DNS are very focused on enabling what's being deployed in the cloud and very tied in in some some cases, some very special and fundamental and important ways to things like, you know, platform application load balancers, for instance, you know, so. So it's going to be part of the story. Your customers are going to use that sort of stuff, but it's not intended. Nor is it suited to be the broad DNS inside of a company that's connecting users to printers and users, to applications and data centers. And, you know, having your front end web server on this data center. This edge location over there, speaking to the back end database server and just an overly simplistic or, you know, enabling Kerberos or all these other use cases, it's not intended for that and it doesn't have all the capabilities. And so it's not. And that's not even I'm not saying, hey, it's not good enough. It's just it's really good at doing what it the requirement it is fulfilling, you know? But but it can lead to some real issues because it will be used.
Andrew Wertkin: [00:47:32] And now, you know, from a BlueCat on the private DNS side, you know, our goal and our customers' goals have always been aligned, which is to create a central control plane for DNS. So now, essentially, I can manage DNS on the private side for everything inside of my company, have all visibility to service, operational health and everything else and and and the state I came from before I had BlueCat, I had, I had different open source and other servers all over the place, all these silos of DNS and and I had to have all these Band-Aids in there. So this can talk to that. And now I've sorted it all. And if all of a sudden all of this cloud DNS starts getting launched, you stand the chance of getting back there, especially if the people using the Azure DNS or the AWS DNS are doing it in in their own silo. You know, they don't care. They're pushing stuff. They're. So, you know, they're going to create a new zone up there, and it ends up that that zone name is fundamentally used for something else. Well, nothing stops them from doing it. So now you have multiple authorities for the same zone and you can really run into some problems, get
Mike Matchett: [00:48:35] Some race conditions and some different things going on. So let's let's look at a couple of minutes here. Let's just look at what you guys do at BlueCat. So you mentioned you have this ability to help someone really organize their DNS services. How long have you how long is BlueCat been doing this? And and what are some of the ways someone should think about, you know, bringing BlueCat in and standing it up? Sure.
Andrew Wertkin: [00:49:01] Yeah, the BlueCat's been doing this for 20 years and and and we have a phenomenal global customer base. It's something I'm super proud about. We we look we're focused on on DNS, DHCP and IPAM. DDI, an acronym of acronyms. These these three things fundamentally go together and manage them together makes a great deal of sense. And so, yeah, we provide a a massively scalable, highly automatable system for for doing that across these different domains cloud on premises, campuses, branches, whatever the case might be. But it's not just about ensuring the service is up. You know, we've invested very heavily both in making sure that the service can be changed, like we have to be able to rapidly change stuff. That's the way it works today. So how can we, you know, enable that, that that, you know, huge amount of change in a very small period of time? And then also DNS is highly relevant to cybersecurity. Anything trying to communicate to the internet, for instance, something installed on on some person's laptop is is is trying to get command and control, for instance, get instructions. What should do it? It's communicating to the internet. If you're exfiltrating data, you're communicating to the internet and and DNS is used, sort of, of course, because that's how you build scalable things going to the internet. But also there's some attack vectors that go through DNS like like DNS tunneling, for instance, or the one I just mentioned command and control. You can use DNS to go find the command control server, or you can actually embed the command and control instructions in a DNS query, and lots of people aren't even looking there. So. So so we're very focused on on on the sort of the networking side. Make this stuff work across these different domains and the security side. Add in a positive way to the security posture of an organization.
Mike Matchett: [00:50:52] And that's, you know, sounds increasingly important. I know we've had a lot of other folks in recently talking about ways to protect their SaaS applications, ways to protect their just plain data protection, you know? How do you fortify against ransomware and lots of different things like that? But you know, there's some core things here that many people are overlooking, which is their DNS story. Sure. If we start the fundamentals, right?
Andrew Wertkin: [00:51:15] Yeah. If you can't look up the address, then you can't get there and it ends up. It's an amazingly efficient way to stop things. You know, once you know it's a small little query, it gets blocked. You can't connect done.
Mike Matchett: [00:51:31] So, you know, without being a security company, you guys are just really impacting security right now, and that's just definitely a hot button. I would think even just for the organizational efficiency, eventually outside of a security argument, there's a lot to be said for owning your own DNS resolver and being in charge of your own ability to point things out where they need to go. 100 percent OK. So if someone's more interested in learning about this and there's a lot more to dive into, I'm sure. What would you suggest they start with?
Andrew Wertkin: [00:52:02] BlueCat Networks dot com, and and I'll add this one thing right now where we've we're doing these cloud workshops that would do a specifically for enterprises to really help customers think through how things are working and not working on the cloud. And so we definitely have some some information and offers on the on the website as well. But yeah, that's the that's the best way to get to learn more.
Mike Matchett: [00:52:26] All right. So even if you're not a networking engineer, you should know something about DNS because we all use it every day. No matter where we're at and you type in that URL, it gets resolved at something and points somewhere about it and definitely take a look at BlueCat Networks. Thank you, Andrew, for being here today and explaining that to it for us.
Andrew Wertkin: [00:52:42] I enjoyed it very much.
Dave Littman: [00:52:45] All right, Mike, you know, pretty interesting stuff. You know, BlueCat's been at this a while and it's pretty clear that, you know, DNS is the kind of thing where you don't really think of it as being a problem until there's a problem.
Mike Matchett: [00:53:00] And it is such a core part of the internet. We just really take it for granted that it's going to work. And, you know, fortunately, there's just so many opportunities for it to be misconfigured and and blown apart on us. And when DNS doesn't work, nothing else will. It's just the core thing that you really should own your own future around. And the thing the BlueCat does nice is that you don't have to have your own DNS level engineers. You don't have to have somebody who understands core internet networking globally on your staff because it's a service they offer you to help you deliver your own private DNS implementation so they'll be your own private DNS contractor, right? Which is, which is which is a great checkmark if you're if you're a CIO and a CISO.
Dave Littman: [00:53:44] So it sounds like it makes it accessible for almost any size company.
Mike Matchett: [00:53:48] Right. And of course, you know, the more DNS entries you have, the more important it is. So the bigger you are, the more important it gets to keep everything configured straight. But even in a small company, you know you've got one business server. You've got to make sure that's correct. So you know, it might be worth looking into depending on how much money you've got riding on those few servers.