In-Depth
Enterprises on Thin Ice with DNS
A simple and affordable change you can make today can mitigate the risks of the DNS layer.
by Georges Smine
Do you remember the days when the talk of IT was about having a “Web” strategy and how to address it? Things have changed, and now the Web is fundamental to any enterprise IT strategy, not to mention the enterprise business itself.
Having a Web presence is no longer a matter of having an online storefront or a mere marketing presence in cyberspace. The Web is critical to every enterprise operation since everything is tightly integrated between front-end (Web-facing) and back-end systems, and Web technologies have become the core framework of most IT applications.
The Web broke the traditional silos of application development and operations and turned them into distributed, interdependent sets of functions. A look across today’s technology stack, from storage and security to Web servers, leads to one layer that weaves the entire IT fabric together: the Domain Name System (DNS). Yet many enterprises still give DNS little attention and not the consideration it is due.
DNS is at the Heart of Every Transaction
Nearly every transaction or operation in IT starts with a DNS lookup, whether connecting to an authentication server for network access, establishing a secure VPN connection, or calling APIs across distributed applications. With the advent of cloud services such as SaaS (software-as-a-service) and IaaS (infrastructure-as-a-service), enterprise computing depends on DNS for an ever-growing number of functions and transactions. Because cloud services usually sit outside the boundaries of the traditional enterprise network, no single authority controls the whole path, and a gap anywhere along it can be exploited to undermine the trust placed in the overall system.
At the same time, IT and networking personnel are grappling with massive challenges of their own. Security and reliability concerns about DNS should keep any IT manager awake at night because, one way or another, their applications and infrastructure depend on it. The domain name (e.g., www.mydomain.com) has become the centerpiece of Internet navigation, transactions, and now cloud computing. Any cloud-based application requires that DNS deliver the highest level of reliability, performance, and security if it is to achieve parity with a traditional in-house IT application.
Walking on Thin Ice
Enterprises organize their DNS in a simple dichotomy: internal and external. Internal servers are recursive (caching) resolvers: they answer lookups on behalf of the enterprise’s own users and devices and cache the results. External servers are authoritative: they publish the enterprise’s own zones to the rest of the Internet and should not perform recursion for the public at all. This is an important distinction because caching and authoritative DNS each have their own nuances, with a different set of parameters to manage and resources to protect, and a single server doing both jobs exposes the cache to public traffic.
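As an added illustration of that split (example configuration written for this article, not the author’s or any vendor’s), here are two BIND 9 named.conf fragments, one per role. Zone names, addresses and file paths are placeholders; the rate-limit and dnssec-validation options need BIND 9.9.4+ and 9.8+ respectively.

```conf
// --- External, authoritative only (Internet-facing) ---
options {
    recursion no;                  // never resolve on behalf of strangers
    allow-query { any; };          // anyone may ask for the zones we publish
    allow-transfer { none; };      // secondaries are listed per zone instead
    minimal-responses yes;         // smaller replies, less amplification value
    rate-limit { responses-per-second 10; };   // response rate limiting
};
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";     // placeholder path
    allow-transfer { 198.51.100.2; };          // the public secondary only
};

// --- Internal, recursive (caching) resolver ---
acl internal { 10.0.0.0/8; 192.168.0.0/16; };  // placeholder ranges
options {
    recursion yes;
    allow-query { internal; };     // never an open resolver
    allow-recursion { internal; };
    dnssec-validation auto;        // validate answers against the root trust anchor
};
```

The point of keeping the two in separate processes (ideally separate hosts) is that a forged or abusive packet from the Internet can reach the authoritative server but never the cache that internal clients trust.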
A weak external DNS increases exposure to DDoS (distributed denial-of-service) attacks that take down one domain and ripple across a multitude of applications worldwide. For example, a simple glitch in the domain of a vital cloud service can disrupt every IT application, in numerous environments, that invokes functions from that domain. On the internal side, poisoning the cache of an enterprise resolver so that the domain of a popular CRM application (e.g., www.myEnterpriseApp.com) resolves to an attacker’s host jeopardizes confidential corporate and customer data.
Growing numbers of both DDoS and cache poisoning attacks made front-page news over the last year, despite the protection and patching efforts that followed the widely publicized Kaminsky DNS vulnerability in July of 2008 (see http://www.nytimes.com/2008/08/09/technology/09flaw.html). That fix, randomizing the UDP source port of every query in addition to the 16-bit transaction ID, made blind forgery far harder but not impossible. All of this adds overhead for enterprise IT personnel managing their existing DNS infrastructure, not to mention the risks and liabilities of outages or identity theft.
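To make the poisoning risk concrete, the following Python model (an added example, not code from the article or from Nominum) shows the two resolver-side checks that stand between a forged reply and the cache: matching the reply against an outstanding query, and discarding records outside the queried server’s bailiwick. It also shows why the Kaminsky technique defeated bailiwick checking alone, and what source-port randomization buys. All names, addresses, ports and transaction IDs are constructed sample data.

```python
"""Toy model of resolver-side acceptance checks for DNS replies.

Two independent defences:
  1. Matching: a reply is only examined if its transaction ID, destination
     port, source address and question agree with a query still outstanding.
     A blind spoofer who cannot see the query has to guess these.
  2. Bailiwick: records naming anything outside the zone the queried server is
     authoritative for are discarded, so example.com's server cannot plant an
     address for www.bank.example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PendingQuery:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the query left from
    server_ip: str   # authoritative server the query was sent to
    qname: str       # question name, with trailing dot
    zone: str        # zone that server is authoritative for (the bailiwick)


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    answer: tuple = ()
    authority: tuple = ()
    additional: tuple = ()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":
        return True  # the root zone contains every name
    return name == zone or name.endswith("." + zone)


def matches(q: PendingQuery, r: Reply) -> bool:
    """All four fields must agree before the reply is looked at at all."""
    return (r.txid == q.txid and r.dst_port == q.src_port
            and r.src_ip == q.server_ip and r.qname.lower() == q.qname.lower())


def cacheable_records(q: PendingQuery, r: Reply) -> Optional[List[RR]]:
    """Records a careful resolver would cache from `r`, or None if the reply
    does not belong to the outstanding query at all."""
    if not matches(q, r):
        return None
    return [rr for rr in r.answer + r.authority + r.additional
            if in_bailiwick(rr.name, q.zone)]


def expected_spoofs(randomized_source_port: bool, port_range: int = 64512) -> int:
    """Average number of blind forged replies needed to hit the right
    (txid, port) pair: 2**16 with a fixed port, 2**16 * port_range once
    source ports are randomized (the post-Kaminsky fix)."""
    return 2 ** 16 * (port_range if randomized_source_port else 1)


# Constructed scenario: the resolver asked example.com's server for a random
# name, exactly what a Kaminsky-style attacker provokes it into doing.
PENDING = PendingQuery(txid=0x1A2B, src_port=40123, server_ip="192.0.2.53",
                       qname="a7x9q.example.com.", zone="example.com.")

# Old-style poisoning: out-of-bailiwick glue for a name the server doesn't own.
OLD_STYLE = Reply(txid=0x1A2B, dst_port=40123, src_ip="192.0.2.53",
                  qname="a7x9q.example.com.",
                  answer=(RR("a7x9q.example.com.", "A", "192.0.2.10"),),
                  additional=(RR("www.bank.example.", "A", "198.51.100.66"),))

# Kaminsky-style: in-bailiwick NS + glue that rewrites where example.com lives.
# Bailiwick filtering cannot stop this; only the txid/port guess does.
KAMINSKY = Reply(txid=0x1A2B, dst_port=40123, src_ip="192.0.2.53",
                 qname="a7x9q.example.com.",
                 authority=(RR("example.com.", "NS", "ns.example.com."),),
                 additional=(RR("ns.example.com.", "A", "198.51.100.66"),))

# Same forgery, but the spoofer guessed the destination port wrong.
MISSED = Reply(txid=0x1A2B, dst_port=40124, src_ip="192.0.2.53",
               qname="a7x9q.example.com.",
               authority=KAMINSKY.authority, additional=KAMINSKY.additional)

if __name__ == "__main__":
    print(cacheable_records(PENDING, OLD_STYLE))  # bank glue dropped
    print(cacheable_records(PENDING, KAMINSKY))   # both records cached
    print(cacheable_records(PENDING, MISSED))     # None
    print(expected_spoofs(False), expected_spoofs(True))
```

The lesson is that the bailiwick rule, which stopped the classic attack, passes the Kaminsky forgery cleanly, so the cache’s only remaining protection is the entropy the attacker must guess; DNSSEC validation closes the gap by rejecting records that carry no valid signature regardless of how the packet was matched.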
Increased Dependency on DNS
The need for a robust DNS infrastructure is paramount for any online presence or IT environment. This need is magnified as enterprises migrate to cloud services, since security and reliability -- according to several industry experts and analysts -- remain two of the biggest hurdles to cloud services adoption. To overcome these challenges, enterprises require a well-established DNS service with the technology needed to fend off threats and attacks while meeting end users’ needs and IT’s demands.
In an ever-changing world, end users and enterprises face more Internet risks than ever before. DNS needs to be the bedrock of the Internet and not its weakness. With the accelerated adoption of cloud services, every enterprise needs to examine its DNS infrastructure in order to ensure it has the security, stability, and reliability needed to make the quality and experience of a distributed cloud environment equal to, if not better than, those of traditionally closed IT networks.
Taking Steps to Secure DNS
Enterprises typically have two choices for securing their external DNS. They either manage it on their own, or delegate DNS administration to the same company hosting their Web site. In the past, DNS wasn’t considered an important part of an enterprise’s online security strategy. Today DNS security occupies more of IT staff’s mindshare, especially as they gear up to adopt DNSSEC (DNS Security Extensions), which lets a validating resolver verify that the answers it caches were signed by the zone’s owner.
Companies inclined to continue managing their external DNS themselves may choose to do so because of the existing linkage with the teams working on the internal DNS infrastructure. Having said that, we strongly recommend that enterprises treat external DNS as a separate function and evaluate the needed approach accordingly, because external DNS is exposed to public traffic.
Although companies may continue on the same DNS modus operandi, they now have a third choice: DNS cloud services that offload the burden of running an infrastructure that demands continuous maintenance and emergency patches in the face of frequent security risks. It is critical, however, that network professionals ask their DNS provider what technology they are using. Not all DNS services are equal: some run freely downloadable DNS software, while other cloud-based providers rely on commercial-grade DNS software. Customers must ask what DNS technology powers the service, how quickly it was patched against past vulnerabilities, and what its track record is under attack.
Every DNS provider should have the expertise on staff and adhere to industry best practices to afford the requisite level of DNS protection for end users and enterprises. They should be able to scale to handle the ever-increasing DNS traffic in an efficient manner.
Ignoring the vital DNS layer may lead to serious repercussions and fallout of epic proportions, not to mention missed opportunities. If you could make one simple and affordable change today to mitigate those risks and protect your enterprise IT investments, why wouldn’t you?
Georges Smine heads marketing for Nominum’s SKYE business unit, a cloud-based DNS services solution. Georges was previously responsible for Nominum’s VoIP product line prior to taking on his current role. He has over 19 years of product marketing and engineering experience in the high-tech industry. Previously, Georges held senior positions at Tellme Networks and Ecrio. You can contact the author at smine.georges@nominum.com