Winning the domain game: unlocking DNS’s full potential

Recent headlines and news coverage have highlighted one well-known fact: the internet can be a dangerous place. Organisations are increasingly coming under attack from "big" threats such as massive Distributed Denial of Service (DDoS) attacks and data theft. Botnets for hire make it easy for criminals to automate the job and further exploit the target using ransomware to disrupt business and/or extort payment.

To combat this, many organisations are spending a significant amount of time and money on cyber security. But to be effective, that investment must rest on the most fundamental and critical building block of any Internet defence strategy: a solid and well-managed DNS infrastructure. A beautifully designed building will not survive on a weak foundation.

Security infrastructure cannot withstand attacks as effectively when it is built on a weak Domain Name System (DNS) setup. DNS is also the front line of the online user experience, yet a recent study by the independent research company Quocirca into UK businesses' provisioning of DNS servers and services found that 92% of UK organisations are unaware of the impact DNS performance and availability has on Internet users.

Today, website and application downtime and slow response times are unacceptable to users. The most obvious factors affecting performance and availability appear to be web server failure, web traffic overload, network access issues, geographic remoteness and denial of service attacks. The truth is that any of these symptoms could arise from a problem with DNS.

The study also revealed that about one third of organisations recognise that, at least some of the time, their performance problems are caused by their own DNS infrastructure. Many reported "internet" problems are DNS-related, so if an organisation does not have complete visibility, it can be difficult to be sure how much DNS has contributed.

Visibility is hampered by complexity: nearly all organisations use some in-house DNS servers, but these are complemented by a range of third-party services. 45% of organisations have as many as eight different ways of provisioning aspects of their DNS requirements. For businesses to understand how their DNS is being managed, it is necessary to understand the functions of the two basic types of DNS server.

Authoritative DNS is the back end of the DNS lookup process: the place where the owner of a domain publishes the definitive IP addresses for its systems and servers. This is where the authoritative answer lies.

Recursive DNS servers are the front line of the DNS lookup process. They receive requests from users to access websites and other systems, such as mail systems; their job is to search the Internet for the appropriate authoritative DNS server for those systems, retrieve the answer, and return it to the requester, the Internet visitor.

Authoritative DNS plays an important role beyond simply supporting a website. It provides information for a range of online assets including web applications and IoT devices. 

DNS complexity 

The piecemeal approach to provisioning DNS requirements can create a patchwork of DNS servers and appliances combined with various external services. Often this results in recursive and authoritative requirements being managed in different ways. In most cases DNS capabilities are managed by organisations in-house, either exclusively or with some outside help; only 8% of organisations rely completely on third parties for DNS management.

When complexity prevents the delivery of efficiency and security benefits, businesses need to sit up and take notice. With the majority of UK organisations using a combination of ISPs, managed hosting providers and Internet registrars for their DNS provisioning, management continues to grow in complexity. For these third-party organisations, DNS provisioning is a spin-off from other services: it is generally bundled in with the other services provided, generates no additional revenue, and therefore receives commensurately little focus and attention. Specialist DNS service providers obviously have the expertise and focus, although even among those providers there can be critical differences. But in most cases it is these specialist providers who are able to deal with the complexity and sophistication of what was originally designed to be a very simple and reliable mechanism ostensibly doing one thing: converting website names that humans understand into the IP addresses that Internet computers need to find each other.

An unfocused approach to DNS management can impact incoming requests to access online resources, and given that only 35% of organisations claim to have in-depth expertise in managed DNS, this poses a potential problem. One of the biggest downsides of this lack of knowledge is that many of the benefits of advanced DNS capabilities are never realised.

Advanced DNS management 

Advanced features such as DNS Security Extensions (DNSSEC), load balancing, failover rerouting, optimised directional resolution and central management are bread and butter for specialist DNS service providers and should be built into any high-quality architecture. In most cases the scale of a third-party DNS service is likely to surpass that of the internal deployments of the organisations it serves, and consequently it is more robust and secure. 89% of respondents claim to be using a specialist DNS service provider, but just 15% have committed to using it for both internal and external DNS, which is what provides advanced features such as DDoS mitigation, reduced infrastructure load and central management tools to improve visibility. This likely indicates that they are with a limited provider or misunderstand the capabilities of a specialist DNS service provider.

DNSSEC ensures that the information provided by DNS servers can be trusted, through the use of digital signatures, and protects against DNS cache poisoning or spoofing, where a recursive resolver's cached records are overwritten with false information that directs users to dangerous websites. Quocirca's research indicates that this is the least used advanced recursive feature, with only 38% currently benefiting from it. With DNS increasingly seen as a way to undermine many aspects of Internet security, DNSSEC is a capability that is likely to become as necessary as DNS itself.
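The practical question a recursive DNS operator should be able to answer is whether the resolver is actually validating DNSSEC. A validating resolver signals this in the reply header: the AD (Authenticated Data) flag is set on answers it has verified, and bogus data comes back as SERVFAIL rather than being handed to the client. The following added example (written for this article, not code from Neustar or Quocirca) parses the 12-byte DNS header from the wire format and classifies a reply; the sample replies it builds are constructed for illustration, not captured from a real resolver.

```python
import struct

# Header layout per RFC 1035 section 4.1.1; the AD and CD bits per RFC 4035.
QR_BIT, RD_BIT, RA_BIT, AD_BIT, CD_BIT = 15, 8, 7, 5, 4
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_header(txid, ad=0, rcode=RCODE_NOERROR, ancount=0, qr=1):
    """Construct a sample 12-byte DNS reply header (illustration only)."""
    flags = (qr << QR_BIT) | (1 << RD_BIT) | (1 << RA_BIT) | (ad << AD_BIT) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def parse_header(msg):
    """Decode the fixed header; raise on messages shorter than the header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> QR_BIT) & 1,
        "ad": (flags >> AD_BIT) & 1,
        "cd": (flags >> CD_BIT) & 1,
        "rcode": flags & 0xF,
        "ancount": ancount,
    }


def validation_status(msg, expected_id):
    """Classify a reply from a recursive resolver from a stub's point of view."""
    h = parse_header(msg)
    if h["qr"] != 1 or h["id"] != expected_id:
        return "ignored"      # not the reply to our outstanding query: never cache it
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"     # a validating resolver withholds data that fails validation
    if h["rcode"] == RCODE_NOERROR and h["ad"] == 1:
        return "validated"    # resolver validated the DNSSEC chain for this answer
    if h["rcode"] == RCODE_NOERROR:
        return "unvalidated"  # unsigned zone, or a resolver that does not validate
    return "error"


if __name__ == "__main__":
    signed_ok = build_header(0x1234, ad=1, ancount=1)
    print(validation_status(signed_ok, 0x1234))  # validated
```

The AD flag is only meaningful when the path between the stub and the recursive resolver is trusted (a local or authenticated resolver); over an untrusted network, anyone who can inject replies can also set the flag, so an operator checking validation should query the resolver directly.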

Unlock your business’s full DNS capabilities 

An organisation's DNS infrastructure can do much more than simply act as a directory of web resources: it can also act as a front line in the online security battle, maximise the use of back-end resources, ensure governance, and be a rich source of data for marketing teams.

Many organisations have yet to benefit from advanced DNS features, mostly because relying on multiple non-specialist providers creates complexity that makes such features hard to implement across different systems. Those that are getting the best from their DNS infrastructure are those that have reduced complexity by working with a specialist DNS service provider for both their authoritative and recursive needs.

Rodney Joffe, SVP & Fellow, Neustar 
