Cricket Liu, Infoblox | On the Ground


 

>> Hello, we are here On the Ground. This is theCUBE's On the Ground program at Centrify's Headquarters. We go to Cricket Liu, chief DNS officer at Infoblox. Been with the company from the beginning. Great to see you again. Wrote the book on DNS. What year was that? That was between DNS, was like, when I was born.

>> Yeah, 1992. September 1992 was when it was published.

>> Great to see you. We've done some podcasts together over the years.

>> Yeah, good to see you too.

>> DNS, now obviously global, ICANN's now global, it's part of the U.N., all different governance bodies, but it's certainly still critical infrastructure.

>> Yeah, absolutely.

>> Critical infrastructure is now the big conversation as the security paradigm has moved from data center to the Cloud, there's no perimeter anymore.

>> Yeah.

>> How is that changing the DNS game?

>> Well, I think that folks are starting to realize how critical DNS is. In October of last year, we had that huge DDoS attack against Dyn, the big DNS hosting provider in New Hampshire and I think that woke a lot of folks up. A lot of folks realized, holy cow, these guys are not too big to fail as they say. Even though they have enormous infrastructure, widely distributed around the globe, they have such a concentration of power that a huge number of really, really popular web properties were inaccessible for quite some time, so I think that caused a lot of people to look at their own DNS infrastructure and to reevaluate it and say, well maybe I need to do something.

>> Interesting about the stack wars that are going on, that attack, as we've lived through and you've been part of it as chief technical officer in many companies. DNS was always that part where it'd be secure but now you have blockchain, you have new kinds of infrastructure with mobile computing now over 10 years post iPhone.

>> Yep, the critical moment.

>> How has infrastructure changed, beyond DNS 'cause it still needs to work together?

>> Yeah, well, it's funny because we do have all of these new types of devices. We do have new technologies. But a lot of things have remained the same. DNS is still the same. The remarkable thing is that the latest version in my book is 10 years old, actually 11 years old now, so it's older than the iPhone and people still buy it because the underlying theory is still the same. It hasn't changed. It's a testament, really, to the quality of the original design of DNS that it still works for anything and that it's scaled to serve a network as diverse and as large as the internet is today.

>> What's your biggest observation, looking back over the past decade with DNS, about the emergence of virtual machines, now Cloud. Again, the game is still the same 'cause DNS is the plumbing and it provides a lot of the key critical infrastructure for the web and now mobile. What's the biggest observations that you've seen over the decade?

>> Well I'd say one of the things that's happened over the last several years that's maybe the most important development in DNS is something that we call response policy zones. Up until now, DNS servers have just been sort of blithely complicit when it comes to, for example, malware. Malware wakes up on a device and it assumes that it has DNS available to it and it uses DNS, for example, to find command and control server, maybe a drop server to exfiltrate data to. And the DNS server, even though it's being asked to look up the address record for CommandAndControlServer.Malware.Org, it just happily goes along with it. A few years ago, Paul Vixie, who I've known for a very long time, came up with this idea called response policy zones which is basically to imbue our DNS servers with resolution policy so that you can tell them, hey if you get a query for a domain name that we know is being used maliciously, don't answer it. Don't resolve it like you normally do. Instead, hand back a little white lie like that doesn't exist and moreover, log the fact that somebody looked it up because it's a good indication that they're infected.

>> So bringing policy to DNS is really making it more intelligent.

>> Yeah, that's right.

>> And certainly as networks grow, I was just watching some of my friends setting up the wireless at Burning Man and the whole new change of how Wi-Fi is being deployed and how networks are being constructed is really coming down to some of the basic principles of DNS to route more, be responsive, and this is kind of a new change.

>> Yeah, there's a lot going on in changes to the deployment of DNS. It used to be that most big companies ran all their own DNS infrastructure. At this point, I think most large companies don't bother running, for example, what we'd call their external authoritative DNS infrastructure. They give that to a big hosting provider to do, somebody like Dyn or Verisign or Neustar or somebody like that, so that's a big change.

>> Cricket, I want to ask you about the CyberConnect Event going on in New York. Infoblox is involved. Security is paramount, so now an industry event. Centrify is the main sponsor. You guys are involved as a vendor, but it's not a vendor event, it's an industry event. It's a broad category. What's your thoughts on this kind of industry event? Usually in events it's been Black Hat or vendor events pushing their wares and selling their stuff but now security is global. What's your take on this event?

>> Well, I'm hoping to be able to spend a little bit of time talking to folks who come to the event about DNS and how it can be used as a tool in their security tool chain. The folks who come to us as Infoblox to our events already know about DNS. They're already network administrators or they're responsible for DNS or something like that. My hope is that we can reach a broader audience through CyberConnect and actually talk to folks who maybe haven't considered DNS as a security tool. Who maybe haven't thought about the necessity to bolster their DNS infrastructure.

>> One final question since we're on bonus material time. I've got to ask you about the global landscape. I mean, in my early days involved in DNS when I came was from the '98 to the 2000 time frame. International domain names were Unicode. That's not ASCII. So that technically wasn't DNS, but still, they were keywords. They had this global landscape in, say, China, that actually wasn't DNS so there's all these abstraction layers. Has anything actually evolved out of that trend of really bringing an abstraction layer on top of DNS and certainly now with the nation-states with security are issues, China, Russia, et cetera. How does all that play out?

>> Well, international domain names have actually taken off in some areas. And basically it's as you say, you have the ability now to use Unicode labels in domain names in certain contexts, for example, if you're using your web browser you can type in a Unicode domain name and then what the web browser does is it translates it into an equivalent ASCII representation and then resolves it using DNS which is the traditional DNS that doesn't actually know about Unicode. There are actually some very interesting security implications to using Unicode. For example, people can register things that have Unicode, we would say, glyphs in them that look exactly like regular ASCII characters. For example, you could register paypal.com where the A's are actually lowercase A's in Cyrillic. It's not the same code point as an ASCII A. So it's visually.

>> Great for hackers.

>> Oh yeah. Visually indistinguishable from paypal.com in a lot of contexts and people might click on it and go to a page that looks like PayPal's.

>> John: So it's a phishing dream.

>> Yeah, really dangerous potentially and so we're working out some of the implications of that, trying to figure out, within, for example, web browsers, how do we protect the user from things like this?

>> And a lot of SSL out there, now you're seeing HTTPS everywhere. Is that now the norm?

>> Yeah, actually, within the internet engineering task force, the IETF, after it became obvious that state-sponsored--

>> John: Attacks.

>> Eavesdropping.

>> You were smiling.

>> Was kind of the norm.

>> Got to find the right word.

>> Yeah, the IETF embarked on an effort called DPRIVE and DPRIVE is basically a bunch of individual tracks to encrypt basically every single part of the DNS channel, especially that between what we call a stub resolver and the recursive DNS server so that if you're a customer here in the United States and a subscriber to an ISP like Comcast or whomever, you can make sure that that first hop between your computer and the ISP is secured.

>> We're getting down and dirty under the hood with Cricket Liu on DNS. I got to ask kind of up level to the consumer. One of the things that kind of pisses me off the most when I'm surfing the web is you see the browser doesn't resolve or you go hit someone's website, oh yeah, something.io, these new domain names, top level gTLDs are out there, .media, all these, and companies have firewalls or whatever their equipment is and it doesn't let it through. Because they're trying to protect the perimeter still, must be, I mean, what does that mean when companies aren't letting those URLs then, it is a firewall issue or is it more they're still perimeter based, they're not resolving it, they're afraid of malware? Some things aren't resolving in? What does that mean?

>> Well I think as often as not it's an operational problem. It could be just a misconfiguration on the part of the folks who are hosting the target website's DNS. It could be that. I don't know a lot of folks who--

>> So it's one of their policies or something, it's just kind of locking down.

>> Could be that too. Or it could be, for example, that they have a proxy server and they're trying to limit access to the internet by category. Maybe it does categorization and filtering by--

>> Can you work on that? Can you write some code for that? Well thanks, great to see you, thanks for sharing this conversation here On The Ground at Centrify.

>> You're welcome.

>> And good luck with the CyberConnect Conference.

>> Yeah, nice to see you too.

>> Alright, I'm John Furrier with On The Ground here on theCUBE at Centrify's headquarters in Silicon Valley. Thanks for watching.

Published Date : Aug 22 2017
