Without the Domain Name System, the internet would simply close for business.
As the not-so-distant DNS attack on Dyn shows, even good DNS management cannot guard against large-scale, distributed denial of service attacks and outages. So what’s a company to do to keep its DNS servers, both internal and external, running even in the face of an aggressive attack?
Here are six pointers to help keep your business safe. And, in this case, more is frequently better.
1. Separate Internal from External DNS Servers
The DNS servers that tell the world how to find you should not overlap with the servers that support your internal users in their browsing and other network services.
Build a robust internal DNS infrastructure, but keep it separate from the DNS that advertises services to the outside world. The data can overlap — it’s a common misconception that they need to have different information — but the servers that answer end-user queries on the internet should not be the same as those for your own internal users.
If someone brings a huge fire hose to bear on your external DNS servers, you still want your internal users to be able to work.
2. Separate Domain Name Registrar and DNS Service Provider
When registering domain names, be sure to pick a registrar with a solid reputation, with telephone support (in case of emergencies) and with a strong security capability.
If you can enable two-factor authentication on your registrar account, do so. You don’t want someone to do an end-run around you if they can guess your IT or security chief’s password, birthday or dog’s name.
3. Use at Least One, if Not Two, DNS Service Providers
Don’t try to do this yourself, unless your business is very small. You don’t need to go overboard with 10 DNS servers, especially because most DNS service providers make multiple clusters look like a single server.
But you should have three or four DNS servers from one or two different providers handling external domain names.
Like most cloud services, DNS service is inexpensive, so having two providers will not break the bank.
The DNS servers shouldn’t be colocated; each one should be in a separate data center, and geographic separation helps as well. If your service provider gives you DNS servers with IP addresses in the same subnet, you probably aren’t getting what you need.
4. Use DNS Protocols to Speed Updates and Maintain Control
Avoid using providers that require you to log in to a web-based control panel to update your configuration. Instead, set up a DNS server that can be a “hidden primary” (one the service provider pulls data from, but which is not advertised to the outside world), and have the DNS service provider do a DNS zone transfer to update your information.
This approach will give you the agility to quickly change names locally and keep things synchronized. If a server goes offline, you can always fall back to the web-based control panel. And once more with emphasis: Do not forget the two-factor authentication.
5. Separate Public Domains from Internal-Use-Only Domains
If your external domain is example.com, then grab a related domain to use for your own users, such as exampleusa.com or example.us. Then, for services that are not really anyone’s business, use the second domain.
Good examples might be your web mail, Internet Message Access Protocol and virtual private network servers. Put them at mail.example.us, not mail.example.com.
The goal here is reliability: If there’s an attack on your main example.com domain, employees will still be able to get to mail to find out what is going on and lend a hand.
6. Monitor for DNS Server Outages Often
Find a third-party monitoring service to check the status of each external DNS server every 5 to 15 minutes and alert you to any extended outages. You can also use your own monitoring infrastructure if it’s set up to perform DNS testing.
Check the response-time graphs and make sure that you are getting consistent and fast answers. (A response time of 50 milliseconds is a good goal.)
It’s also not a bad idea to periodically check your domain name with one of the free “scan my DNS” services on the internet. You can get a lot of noise in those scans, so if you’re not sure what you’re looking at, ask an expert to help you interpret the results.