The Domain Name System (DNS) is a critical internet service that translates human-readable names like www.protiviti.com into the IP addresses of the hosts serving them. Collaboration and communication services like e-mail and instant messaging also depend on the resolution service DNS provides. Over the past several years, the internet has experienced significant DNS hosting outages that took some of the largest and best-known e-commerce and internet platforms offline. The impact of these disruptions is surprising, given how resilient DNS was designed to be: a domain can delegate to multiple name servers, and the protocol has distinguished primary and secondary authoritative servers since the original specification, RFC 882, was published in 1983. So why haven’t more companies taken steps to diversify their public DNS service?
For starters, DNS isn’t just a name resolution service anymore. Commercial DNS hosting providers bundle other services such as redirection, global traffic management and web application firewalls. These bundled services are provider-specific and are not carried by DNS’s native replication mechanism (zone transfer from a primary to secondary servers), so they add friction and act as vendor lock-in that discourages diversification or migration to another provider. Without the bundled services, an organization could simply delegate its domain to name servers at two or more providers and have each of them serve the same zone. To further complicate matters, name server (NS) records are not used in a structured or predictable order: a recursive resolver chooses among the listed name servers itself, typically favoring the ones that have answered it fastest. In addition, resolution performance differs considerably across providers, so the user experience can vary depending on which name server, and therefore which provider, a resolver happens to select. Organizations can use the website DNSPerf to gather resolution metrics by provider and geolocation. Finally, the cost of retaining multiple providers can be prohibitive for some organizations.
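The first check a practitioner wants after reading the above is whether a domain’s delegation actually spans more than one hosting provider. The following script is an added example written for this article, not code from the original page or from any DNS provider: it builds a raw NS query with only the Python standard library, parses the NS RRset out of the reply (including compression pointers), and groups the name servers by the registrable domain their hostnames live under. Grouping by nameserver domain is an assumed proxy for "provider"; the sample reply, the nameserver names `ns1.dns-a.example` and so on, and the default resolver address are constructed for the offline demonstration.

```python
"""Does a domain's NS delegation span more than one DNS hosting provider?

Added example (not from the original article). Standard library only:
builds a DNS NS query, parses the reply, groups nameservers by the domain
they are hosted under (assumed proxy for the hosting provider).
"""
import random
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_ns_query(domain: str, txid: int) -> bytes:
    """Build a recursion-desired query for the NS RRset (QTYPE 2, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(domain) + struct.pack("!HH", 2, 1)


def read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name; returns (name, offset after the name)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the pointer bytes
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels).lower(), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_ns_records(msg: bytes, expected_txid: int):
    """Return NS targets from the answer and authority sections of a reply."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x0200:
        raise ValueError("truncated reply; retry over TCP")
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0x000F}")
    offset = 12
    for _ in range(qd):  # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4
    names = []
    for _ in range(an + ns):  # NS RRset may sit in either section
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 2:
            names.append(read_name(msg, offset)[0])
        offset += rdlen
    return names


def provider_key(ns_name: str) -> str:
    """Last two labels of the nameserver hostname (assumed provider proxy)."""
    return ".".join(ns_name.rstrip(".").split(".")[-2:])


def diversity_report(ns_names):
    """Return ({provider_key: [nameservers]}, delegated_to_more_than_one_provider)."""
    groups = {}
    for name in ns_names:
        groups.setdefault(provider_key(name), []).append(name)
    return groups, len(groups) > 1


def query_ns(domain: str, resolver: str = "9.9.9.9", timeout: float = 3.0):
    """Live UDP lookup via a recursive resolver (network required; resolver is assumed)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ns_query(domain, txid), (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_ns_records(reply, txid)


def build_sample_reply(txid: int) -> bytes:
    """Constructed reply (not a captured packet): three NS records, two providers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 3, 0, 0)  # QR, RD, RA; ANCOUNT=3
    question = encode_name("example.com") + struct.pack("!HH", 2, 1)

    def rr(rdata):  # owner name compressed to the question name at offset 12
        return b"\xC0\x0C" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata

    rdata1 = encode_name("ns1.dns-a.example")
    rdata1_offset = len(header) + len(question) + 2 + 10
    # second record: "ns2" + pointer to "dns-a.example" inside the first RDATA
    rdata2 = b"\x03ns2" + struct.pack("!H", 0xC000 | (rdata1_offset + 4))
    rdata3 = encode_name("ns1.dns-b.example")
    return header + question + rr(rdata1) + rr(rdata2) + rr(rdata3)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        names = query_ns(sys.argv[1])
    else:
        names = parse_ns_records(build_sample_reply(0x1234), 0x1234)
    groups, diverse = diversity_report(names)
    for key, servers in groups.items():
        print(f"{key}: {', '.join(servers)}")
    print("delegated to more than one provider" if diverse
          else "single provider: availability depends on one vendor")
```

Run it with a domain name as the only argument for a live check, or with no arguments to see the constructed sample. Two caveats: vanity nameservers (provider servers named under the customer’s own domain) collapse into one group, so confirm the grouping by hand, and a diverse NS set only helps if every listed server actually serves a current copy of the zone.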
The deck appears stacked against DNS diversification, but the question remains: how long can your organization be without e-mail, instant messaging and a web presence? Most public provider outages in the past decade have lasted a few hours; however, in 2016 one of the largest DNS hosting providers was knocked offline for more than six hours in a single day, and it continued to suffer multiple smaller outages in the week following the attack. Organizations that rely upon real-time communications and data flows are particularly susceptible to DNS resolution instability.
Organizations should evaluate how they use DNS, whether they have formally assessed the risk of relying on a single provider, and whether that risk has been accepted at the appropriate level of the organization. Evaluating the feasibility of multiple DNS hosting providers is straightforward. The first step is to assess and document the organization’s use cases on the current DNS provider. The next is to evaluate the feasibility of alternatives for each bundled service. For example:
- HTTP Redirects. Organizations that use their DNS provider to perform redirects could move the redirects to cloud compute services such as Amazon Web Services’ Lambda@Edge or Google’s Cloud Functions.
- Global Load Balancing. Global load balancing and traffic management answer client requests based on geographic location and direct clients to the service endpoint closest to them. If the organization already uses a Content Delivery Network (CDN) provider, this functionality can be migrated to that platform.
- Web Application Firewalls. Organizations using bundled web application firewalls face a more complicated road. The good news is that in the DNS service disruptions we have seen, the corresponding web application firewall services generally were not impacted.
Technical feasibility and economics lead most organizations to accept the risk of a single DNS provider. In these situations, it is critical that the team document the corresponding availability risk, review it with executive leadership for formal acceptance, and create the appropriate business continuity playbooks. Those playbooks should include the steps to move the domain’s delegation to an alternate provider, bearing in mind that re-delegation requires registrar access and takes effect only as the NS records’ TTLs expire at the parent zone and in resolver caches.
To learn more about Protiviti’s security assessment and vulnerability management offerings, contact us.