Is Now the Right Time for DNS Diversification?

The Domain Name System (DNS) is a critical internet service that enables the translation of accessible human names like to the IP Addresses hosting services. Collaboration and communication services like e-mail and instant messaging also rely upon the resolution services DNS provides. Over the past several years, the internet has experienced significant DNS hosting outages that have taken some of the largest and most well-known e-commerce and internet platforms offline. The impact of the disruptions is surprising, especially given the resilient nature of DNS. Domains can have multiple name servers, and the DNS service itself has had the concept of authoritative and secondary servers since the original Internet Engineering Task Force (IETF) published RFC 882. So why haven’t more companies taken steps to ensure public DNS service diversification?

For starters, DNS isn’t just a name resolution service anymore. Commercial DNS hosting providers are bundling other services like redirection, global traffic management, and web application firewalls. These bundled services are provider-specific, and do not support the native DNS replication mechanism. The lack of support for native replication mechanisms add friction and act as a vendor lock-in to prevent diversification or easy migration to another provider. If not for the bundled services, organizations could simply configure their domain name servers to leverage two or more providers. To further complicate matters, name server records (NS Records) do not return in a structured or predictable order. In addition, resolution performance across providers is incredibly inconsistent. This can result in a suboptimal user experience based upon the name server record and associated hosting provider. Organizations can leverage the website DNSPerf to gather resolution metrics by provider and geolocation. Finally, the cost of having multiple providers can be prohibitive for some organizations.

The deck appears stacked against DNS diversification, but the question remains, how long can your organization be without e-mail, instant messaging, and web presence? Most of the public provider outages in the past decade last a few hours; however, in 2016 one of the largest DNS hosting providers was knocked offline for over six hours in a single day. The provider continued to have multiple smaller outages for the week after the attack. Organizations that rely upon real-time communications and data flows are particularly susceptible to DNS resolution instability.

Organizations should evaluate how they are using DNS and if they have formally evaluated the risk of using a single provider and accepted the risk at the appropriate organizational levels. The process to evaluate the feasibility of multiple DNS hosting providers is straightforward. The first step is to assess and document the organization’s use cases using the current DNS provider. Next is to evaluate the feasibility of alternatives. For example:

  • HTTP Redirects. Organizations that leverage a DNS provider to perform redirects could consider switching the redirects to cloud services such as Amazon Web Services’ Edge Lambda Functions or Google’s Cloud Functions.
  • Global Load Balancing. Global load balancing and traffic management enable organizations to resolve client requests based on geographical location and direct them to the service endpoint closest to their location. If the organization is already leveraging a Content Distribution Network (CDN) provider, this functionality can be migrated to that platform.
  • Web Application Firewalls. Organizations using bundled web application firewalls face a more complicated road. The good news for these organizations is that when we’ve seen DNS service disruption, the corresponding web application firewall services generally have not been impacted.

Technical feasibility and economics drive most organizations to accept the risk of a single DNS provider. In these situations, it is critical that the team document the corresponding risk to availability, review the risk with for acceptance executive with the leadership team, and create the appropriate business continuity playbooks.

To learn more about Protiviti’s security assessment and vulnerability management offerings, contact us.

Roger Delph

Senior Manager
Technology Consulting - Security & Privacy

Subscribe to Topics

Join Protiviti's Paul Kooney and Stephen Nation as they discuss how to set up trust in an organization in tomorrow's Tech Talks at the TrustWeek 2022 Conference.

#ProtivitiTech #TrustWeek #privacy #security #dataprivacy

Evolving #dataprivacy laws and updates in the #OneTrust system call for a closer look at #privacy systems and processes. Join #ProtivitiTech Ismail Ali and Sam Reiter at #TrustWeek to learn how to take your OneTrust deployment to the next level.

Protiviti is pleased to be a Platinum Sponsor at the #TrustWeek 2022 conference. Join #ProtivitiTech and discover best practices to protect #privacy, #data #security, act sustainably and build trust with clients and within your company.

Embedded analytics have rapidly become one of the new “art of the possible” scenarios. Learn how platform's such as @SAP's BI Launchpad continue to develop data analytics, and enables continued organizational growth:

#ProtivitiTech #SAP #DataAnalytics

We spend a lot of time thinking about how CISOs can prioritize their earliest actions and advising clients who happen to be new in their CISO roles. By taking the right steps, new CISOs can convey confidence. Read more:

#ProtivitiTech #TechnologyInsights

Load More...