Is Now the Right Time for DNS Diversification?

The Domain Name System (DNS) is a critical internet service that translates human-readable names into the IP addresses of the hosts providing services. Collaboration and communication services such as e-mail and instant messaging also rely on the resolution services DNS provides. Over the past several years, the internet has experienced significant DNS hosting outages that have taken some of the largest and most well-known e-commerce and internet platforms offline. The impact of these disruptions is surprising, especially given the resilient design of DNS. A domain can have multiple name servers, and the DNS service itself has had the concept of authoritative and secondary servers since the Internet Engineering Task Force (IETF) published the original RFC 882. So why haven’t more companies taken steps to ensure public DNS service diversification?

For starters, DNS is no longer just a name resolution service. Commercial DNS hosting providers bundle other services such as redirection, global traffic management, and web application firewalls. These bundled services are provider-specific and do not support the native DNS replication mechanism. That lack of support adds friction and acts as vendor lock-in, preventing diversification or easy migration to another provider. If not for the bundled services, organizations could simply configure their domain’s name servers to use two or more providers. To further complicate matters, name server records (NS records) are not returned in a structured or predictable order. In addition, resolution performance across providers is highly inconsistent, which can result in a suboptimal user experience depending on which name server record, and therefore which hosting provider, a resolver happens to use. Organizations can use the website DNSPerf to gather resolution metrics by provider and geolocation. Finally, the cost of having multiple providers can be prohibitive for some organizations.

The deck appears stacked against DNS diversification, but the question remains: how long can your organization be without e-mail, instant messaging, and a web presence? Most public provider outages in the past decade have lasted a few hours; however, in 2016 one of the largest DNS hosting providers was knocked offline for over six hours in a single day, and the provider continued to suffer multiple smaller outages for the week after the attack. Organizations that rely upon real-time communications and data flows are particularly susceptible to DNS resolution instability.

Organizations should evaluate how they are using DNS and whether they have formally assessed the risk of using a single provider and accepted that risk at the appropriate organizational levels. The process for evaluating the feasibility of multiple DNS hosting providers is straightforward. The first step is to assess and document the organization’s use cases for the current DNS provider. The next is to evaluate the feasibility of alternatives. For example:

  • HTTP Redirects. Organizations that leverage a DNS provider to perform redirects could consider switching the redirects to cloud services such as Amazon Web Services’ Edge Lambda Functions or Google’s Cloud Functions.
  • Global Load Balancing. Global load balancing and traffic management enable organizations to resolve client requests based on geographical location and direct them to the service endpoint closest to their location. If the organization is already leveraging a Content Distribution Network (CDN) provider, this functionality can be migrated to that platform.
  • Web Application Firewalls. Organizations using bundled web application firewalls face a more complicated road. The good news for these organizations is that when we’ve seen DNS service disruption, the corresponding web application firewall services generally have not been impacted.
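As an added example that is not part of the original post, the following Python script performs the first step of the assessment for a domain’s NS record set: it groups the name servers by hosting provider, regardless of the order in which the records were returned, and flags single-provider dependence. It assumes the NS names were collected beforehand (for instance with `dig NS`) and approximates the provider by the parent domain of each name server host; the sample record sets are constructed.

```python
"""Assess public DNS provider diversification from a domain's NS record set.

Added example, not Protiviti's tooling. NS hostnames are assumed to have been
gathered beforehand (e.g. `dig NS example.com`). The provider of a name server
is approximated by the registrable parent domain of its hostname, which is an
assumption: most managed DNS providers name their servers under their own domain.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample responses (not real zones). The order is deliberately
# mixed, because NS records are not returned in a predictable order.
SAMPLE_NS = {
    "single-provider.example": ["ns2.dnshost-a.example.", "ns1.dnshost-a.example."],
    "two-providers.example": ["ns1.dnshost-a.example.", "ns-3.dnshost-b.example.",
                              "ns2.dnshost-a.example.", "ns-4.dnshost-b.example."],
}


def provider_of(ns_host: str) -> str:
    """Map an NS hostname to its (assumed) provider via its last two labels."""
    labels = ns_host.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a valid name server host: {ns_host!r}")
    return ".".join(labels[-2:])


def group_by_provider(ns_hosts: List[str]) -> Dict[str, List[str]]:
    """Group normalized NS hostnames by provider, independent of response order."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host in sorted({h.rstrip(".").lower() for h in ns_hosts}):
        groups[provider_of(host)].append(host)
    return dict(groups)


def assess(domain: str, ns_hosts: List[str]) -> Tuple[bool, str]:
    """Return (diversified, finding) for one domain's NS record set."""
    groups = group_by_provider(ns_hosts)
    if not groups:
        return False, f"{domain}: no NS records supplied; the domain cannot resolve"
    if len(groups) >= 2:
        return True, f"{domain}: {len(groups)} providers ({', '.join(sorted(groups))})"
    (provider,) = groups
    return False, (f"{domain}: single provider {provider} with {len(groups[provider])} "
                   "name servers; document the availability risk or add a second provider")


if __name__ == "__main__":
    for dom, hosts in SAMPLE_NS.items():
        print(assess(dom, hosts)[1])
```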

Technical feasibility and economics drive most organizations to accept the risk of a single DNS provider. In these situations, it is critical that the team document the corresponding risk to availability, review the risk with executive leadership for formal acceptance, and create the appropriate business continuity playbooks.

To learn more about Protiviti’s security assessment and vulnerability management offerings, contact us.

Roger Delph

Senior Manager
Technology Consulting - Security & Privacy
