CybersecuritySecurity

Is Now the Right Time for DNS Diversification?

Roger Delph
September 1, 2020
4 min read

The Domain Name System (DNS) is a critical internet service that enables the translation of accessible human names like www.protiviti.com to the IP Addresses hosting services. Collaboration and communication services like e-mail and instant messaging also rely upon the resolution services DNS provides. Over the past several years, the internet has experienced significant DNS hosting outages that have taken some of the largest and most well-known e-commerce and internet platforms offline. The impact of the disruptions is surprising, especially given the resilient nature of DNS. Domains can have multiple name servers, and the DNS service itself has had the concept of authoritative and secondary servers since the original Internet Engineering Task Force (IETF) published RFC 882. So why haven’t more companies taken steps to ensure public DNS service diversification?

For starters, DNS isn’t just a name resolution service anymore. Commercial DNS hosting providers are bundling other services like redirection, global traffic management, and web application firewalls. These bundled services are provider-specific, and do not support the native DNS replication mechanism. The lack of support for native replication mechanisms add friction and act as a vendor lock-in to prevent diversification or easy migration to another provider. If not for the bundled services, organizations could simply configure their domain name servers to leverage two or more providers. To further complicate matters, name server records (NS Records) do not return in a structured or predictable order. In addition, resolution performance across providers is incredibly inconsistent. This can result in a suboptimal user experience based upon the name server record and associated hosting provider. Organizations can leverage the website DNSPerf to gather resolution metrics by provider and geolocation. Finally, the cost of having multiple providers can be prohibitive for some organizations.

The deck appears stacked against DNS diversification, but the question remains, how long can your organization be without e-mail, instant messaging, and web presence? Most of the public provider outages in the past decade last a few hours; however, in 2016 one of the largest DNS hosting providers was knocked offline for over six hours in a single day. The provider continued to have multiple smaller outages for the week after the attack. Organizations that rely upon real-time communications and data flows are particularly susceptible to DNS resolution instability.

Organizations should evaluate how they are using DNS and if they have formally evaluated the risk of using a single provider and accepted the risk at the appropriate organizational levels. The process to evaluate the feasibility of multiple DNS hosting providers is straightforward. The first step is to assess and document the organization’s use cases using the current DNS provider. Next is to evaluate the feasibility of alternatives. For example:

  • HTTP Redirects. Organizations that leverage a DNS provider to perform redirects could consider switching the redirects to cloud services such as Amazon Web Services’ Edge Lambda Functions or Google’s Cloud Functions.
  • Global Load Balancing. Global load balancing and traffic management enable organizations to resolve client requests based on geographical location and direct them to the service endpoint closest to their location. If the organization is already leveraging a Content Distribution Network (CDN) provider, this functionality can be migrated to that platform.
  • Web Application Firewalls. Organizations using bundled web application firewalls face a more complicated road. The good news for these organizations is that when we’ve seen DNS service disruption, the corresponding web application firewall services generally have not been impacted.

Technical feasibility and economics drive most organizations to accept the risk of a single DNS provider. In these situations, it is critical that the team document the corresponding risk to availability, review the risk with for acceptance executive with the leadership team, and create the appropriate business continuity playbooks.

To learn more about Protiviti’s security assessment and vulnerability management offerings, contact us.

Roger Delph

Senior Manager
Technology Consulting - Security & Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
12h

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More