Forget the Tax Man: Time for a DNS Security Audit
Here's a 5-step DNS security review process that's not too scary and will help ensure your site availability and improve user experience.
April 11, 2017
The DDoS attack against DNS provider Dyn that took out large swaths of the Internet put a million-candle spotlight on the issue of availability, and proved that proper DNS management is not just an IT issue, but a security mandate as well. Maintaining website availability and preventing revenue loss from associated outages depends upon good DNS hygiene, maintenance, and control.
DNS tends to be a set-and-forget type of technology... and that can pose problems several years after everything has been forgotten, according to Chris Roosenraad, director of product management for DNS service at Neustar.
[Check out "Protect Your DNS Services Against Security Threats" during Interop ITX, May 15-19, at the MGM Grand in Las Vegas. To learn more about DNS security, other Interop security tracks, or to register, click on the live links.].
Roosenraad -- who has more than two decades of security, networking and public policy expertise, having previously developed the DNS architecture for Charter Communications and Time Warner Cable -- says that DNS audits sound more foreboding than they actually are. This is not necessarily some big, scary compliance activity. It is just a way of accounting for all of the DNS infrastructure configuration to ensure that things haven't gotten out of sync with changing business realities.
"It's just a process of taking some time away from the 30 other multitasking things that we all have in front of us to sit down and say, 'Is this what I really want my Internet presence to be?'" he says.
How to begin the process? Here are five essential steps to conducting a successful DNS audit.
For any given domain, negative caching is the mechanism by which a DNS server (a resolver) holds on to a negative response to a record lookup, that is, the answer that the requested record does not exist. So if someone requests a name that's no longer where it's supposed to be, the server will remember that the lookup failed and automatically answer subsequent requests negatively for a certain period after the first one. The period for which it remembers that the name is not there is called the time to live (TTL), and that TTL should be tuned according to business needs and risk tolerance.
"If you set it too short, then if you have something that people are asking for a lot, they're going to ask you for it over and over and over again ... and you're going to get a lot of traffic that way."
Not only will an organization have to pay for that traffic, but it could also potentially open up an attack vector for DDoS attacks.
But setting the TTL for an incredibly long time period could really hurt the business.
"If you set it too long and you make a mistake or you want to publish something out later on, you quite often have to wait for that data to flow through, and depending on what your business is you could be sensitive to those delays," he says, explaining that a DNS audit should consider current business needs and risks to appropriately tune the negative caching. "You need to decide that, if a decision that was made months or potentially years ago is still appropriate for your business and for the entity that we're talking about, here. Because perfectly reasonable decisions made in 2012 may no longer be applicable in 2017."
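An added example, not part of the original article, of how the effective negative-caching TTL is derived and how an audit can flag values that are too short or too long. Per RFC 2308 a resolver caches a negative answer for the smaller of the SOA record's MINIMUM field and the TTL on the SOA record itself; the zone data, and the policy floor and ceiling, are constructed for illustration.

```python
# Added example (not from the article): derive the effective negative-caching
# TTL of a zone and flag values outside a hypothetical policy window.
# RFC 2308 s.5: negative answers are cached for
#   min(SOA MINIMUM field, TTL of the SOA record itself).
from dataclasses import dataclass


@dataclass
class SOA:
    """SOA fields relevant to negative caching (constructed input)."""
    zone: str
    ttl: int      # TTL on the SOA resource record
    minimum: int  # SOA MINIMUM field


def negative_cache_ttl(soa: SOA) -> int:
    """Seconds a resolver may hold a negative answer for names in this zone."""
    return min(soa.ttl, soa.minimum)


def audit_negative_ttl(soa: SOA, floor: int = 60, ceiling: int = 3600) -> list[str]:
    """Return audit findings. floor/ceiling are hypothetical policy bounds.
    Too short: resolvers re-ask for missing names constantly (traffic cost,
    more load during junk-query floods). Too long: a mistaken or newly
    published record stays invisible to clients for a long time."""
    ttl = negative_cache_ttl(soa)
    findings = []
    if ttl < floor:
        findings.append(f"{soa.zone}: negative TTL {ttl}s below floor {floor}s")
    if ttl > ceiling:
        findings.append(f"{soa.zone}: negative TTL {ttl}s above ceiling {ceiling}s")
    if soa.minimum > soa.ttl:
        # Operators often tune MINIMUM and forget the SOA TTL caps it.
        findings.append(f"{soa.zone}: SOA MINIMUM {soa.minimum}s is capped by SOA TTL {soa.ttl}s")
    return findings


# Constructed sample zones for a brand registered under several TLDs
SAMPLE = [
    SOA("example-corp.com", ttl=86400, minimum=300),
    SOA("example-corp.biz", ttl=86400, minimum=5),
    SOA("example-corp.de", ttl=3600, minimum=86400),
]


def run_audit(zones=SAMPLE) -> list[str]:
    return [f for z in zones for f in audit_negative_ttl(z)]


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```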
As organizations start to cross zone boundaries using different TLDs -- for example, registering their corporate or product name with .com, .biz and maybe some international TLDs like .de -- they'll need to keep long-term track of what's active and inactive at any given time.
"You may be doing something with some of these zones and domains today, but a couple years later, say you've decided to retire a product because it didn't sell well, or maybe you've rebranded a product," he says. Unless you regularly audit, that information could be sitting out there in ways that you might not realize. "As you add additional TLDs, the complexity can grow. And even if things were perfectly in sync a couple of years ago they can slowly migrate apart. Maybe you've got an individual in one office maintaining one and an individual in another office maintaining the other. Maybe you've hired somebody to come on board and this is part of their job and they only update two out of the three, because they didn't know the third one existed."
Either way, that can be a problem. Not only does it reflect poorly on the brand's presence online but hidden infrastructure that doesn't get updated inevitably opens up an organization to vulnerabilities later on down the road.
"The Internet got really screwy last fall, thanks to the unfortunate incident that happened with Dyn," Roosenraad says. "And a lot of businesses realize that having a single DNS provider was -- you know, a single DNS network was a potential single point of failure."
This may not necessarily be a big deal to brands that have storefronts and primarily do business through other means than online. However, businesses that can measure their Internet downtime in hundreds of dollars lost per minute should recognize that a single point of failure is a very bad proposition.
"And so you need to start thinking, then, about how you go about monitoring the health of DNS infrastructure, and how you put some level of failover into your DNS infrastructure," Roosenraad says. "Is it that you have two DNS providers? Is it that you are monitoring and you have a relatively low TTL so you can fail it somewhere else if you need to? You need to know what the model is that you as a business are using to put some kind of a limit on this risk."
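An added example, not part of the original article, covering the two audit steps above: detecting records that have drifted apart between a brand's sibling zones under different TLDs, and spotting zones whose nameservers all sit with a single provider. The zone snapshots, provider names and the "last two labels" provider heuristic are constructed assumptions for illustration.

```python
# Added example (not from the article): cross-zone drift and single-provider
# checks over constructed zone snapshots. zone -> {(owner, rrtype): rdata list}
ZONES = {
    "example-corp.com": {
        ("@", "A"): ["192.0.2.10"],
        ("www", "CNAME"): ["web.example-corp.com."],
        ("shop", "A"): ["192.0.2.20"],
        ("@", "NS"): ["ns1.provider-a.example.", "ns2.provider-a.example."],
    },
    "example-corp.biz": {
        ("@", "A"): ["192.0.2.10"],
        ("www", "CNAME"): ["web.example-corp.com."],
        ("shop", "A"): ["198.51.100.7"],  # stale: points at an old hosting address
        ("@", "NS"): ["ns1.provider-a.example.", "ns2.provider-a.example."],
    },
    "example-corp.de": {
        ("@", "A"): ["192.0.2.10"],
        ("www", "CNAME"): ["web.example-corp.com."],
        # "shop" was never created here: the retired/rebranded product case
        ("@", "NS"): ["ns1.provider-a.example.", "ns1.provider-b.example."],
    },
}


def find_drift(zones: dict, ignore_types=("NS", "SOA")) -> dict:
    """Map each (owner, rrtype) that is missing or differs in some zone to
    {zone: rdata or None}. NS/SOA are zone-specific, so skipped by default."""
    keys = {k for recs in zones.values() for k in recs if k[1] not in ignore_types}
    drift = {}
    for key in sorted(keys):
        views = {z: recs.get(key) for z, recs in zones.items()}
        if len({tuple(v) if v else None for v in views.values()}) > 1:
            drift[key] = views
    return drift


def ns_providers(ns_hosts: list[str]) -> set[str]:
    """Rough provider grouping: the last two labels of each NS hostname
    (a constructed heuristic, not a registrable-domain lookup)."""
    return {".".join(h.rstrip(".").split(".")[-2:]) for h in ns_hosts}


def single_provider_zones(zones: dict) -> list[str]:
    """Zones whose every NS record belongs to one provider: a single point of failure."""
    return [z for z, recs in zones.items() if len(ns_providers(recs[("@", "NS")])) == 1]


if __name__ == "__main__":
    print("drift:", find_drift(ZONES))
    print("single-provider zones:", single_provider_zones(ZONES))
```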