The Recipe for Successful DNS

How do you run your own DNS infrastructure and guarantee uptime to the business?

By Ken Linscott

DNS is a fundamental building block for every company in today’s digital world. Regardless of what their business may be, implementing reliable DNS can help prevent attacks on their brand from the dark corners of the web.

If your DNS fails, visitors attempting to visit your website simply will not reach their destination. Nor will you be able to send or receive email. If you rely on voice over IP to make and receive phone calls, you’ll have to switch to landlines or mobile devices to reach your customers. And lastly, the ability for remote employees to access your systems via VPN will evaporate, inevitably leaving you short-staffed just at the moment you need your team most!

Naturally, the Holy Grail for DNS is reliable uptime. The problem for businesses lies in vulnerable DNS, which can open up a whole host of risks and threats, as well as the associated costs to mitigate the problem. Enterprise-level providers invest millions of dollars every year to build in the following:

  • Redundancy so that your online presence is always available
  • Capacity to handle the largest DDoS attacks
  • Locations around the globe so that you can relay your content faster to users
  • Resilience to identify, diagnose, and resolve problems fast
  • Security features to protect you and your customers from threats, such as domain shadowing, DNS tunneling, DNS cache poisoning, and zero-day attacks

Because of the growing threats to DNS and mitigation costs, we are seeing companies gradually move from using their own DNS to using enterprise-level DNS providers. In a recent analysis by CSC, we observed a 6% increase in banks and financial institutions using enterprise-level DNS providers, compared to 2017.

However, we also identified that 46% of banks and financial institutions still favor in-house solutions for their DNS, 32% use enterprise-level DNS providers, and 22% use their hosting provider or retail domain provider.

The main reason companies choose to use their own DNS is so they can retain control. In many cases, companies have invested a significant amount of time and money building the infrastructure and expertise they have today. That investment comes with certain processes they are typically reluctant to change. For some, there is also a belief that they are more secure with their own DNS, assuming they will not be collateral damage in the event of an attack against a DNS provider or one of the provider’s customers.

These reasons—control, vested time, money, and security—have varying degrees of merit, and are dependent on each business. So, instead of a DNS discussion focused on replacing current owned DNS with alternatives, a focus on enhancement of the current approach will be more beneficial. And one simple, cost-effective way for a business to enhance their current DNS infrastructure is through secondary DNS.

With secondary DNS, a company can retain their internal approach, but also maintain a copy of the primary DNS zone information on a secondary DNS infrastructure, thereby significantly increasing the redundancy of their approach. Setting up secondary DNS with an enterprise-class provider is a win-win decision for those who wish to maintain the control of their own DNS, primarily because it spreads the risk by increasing bandwidth. Depending on configuration, a “Hidden Master” setup that shows only the provider’s name servers (for example, CSC® DNS) could provide additional protection from potential attacks by not revealing the client’s own details.
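
A hidden-master arrangement only protects the in-house server if nothing published in the zone points back to it. The following Python check is an added example, not from the article or from CSC: it audits a zone's public records for leaks of the primary and flags secondaries whose zone copy is out of date. The zone, server names, addresses and serials are constructed placeholders, and treating any published name or address of the primary as exposure is an assumed policy.

```python
# Added example: audit published zone data for a hidden-primary setup.
# All names, addresses and serials are constructed placeholders.
PUBLISHED = [  # (owner, type, rdata) as seen by outside resolvers
    ("example.com.", "SOA",
     "ns1.provider.example. hostmaster.example.com. 2024010101 7200 900 1209600 300"),
    ("example.com.", "NS", "ns1.provider.example."),
    ("example.com.", "NS", "ns2.provider.example."),
    ("example.com.", "NS", "ns-internal.example.com."),  # leak: primary listed
    ("ns-internal.example.com.", "A", "192.0.2.10"),     # leak: primary address
    ("www.example.com.", "A", "198.51.100.20"),
]

def audit_hidden_primary(records, zone, primary_names, primary_ips):
    """Return findings where published records reveal the hidden primary."""
    primary_names = {n.lower() for n in primary_names}
    findings, public_ns = [], set()
    for owner, rtype, rdata in records:
        owner, rdata = owner.lower(), rdata.lower()
        if rtype == "NS" and owner == zone:
            public_ns.add(rdata)
            if rdata in primary_names:
                findings.append(f"NS exposes primary: {rdata}")
        elif rtype == "SOA" and owner == zone:
            mname = rdata.split()[0]  # first SOA field is the primary name
            if mname in primary_names:
                findings.append(f"SOA MNAME exposes primary: {mname}")
        elif rtype in ("A", "AAAA"):
            if owner in primary_names or rdata in primary_ips:
                findings.append(f"{rtype} exposes primary: {owner} -> {rdata}")
    # Redundancy only exists if at least two provider servers answer publicly.
    if len(public_ns - primary_names) < 2:
        findings.append("fewer than two non-primary name servers published")
    return findings

def stale_secondaries(primary_serial, serial_by_server):
    """Return secondaries whose SOA serial differs from the primary's."""
    return sorted(s for s, n in serial_by_server.items() if n != primary_serial)

if __name__ == "__main__":
    for f in audit_hidden_primary(PUBLISHED, "example.com.",
                                  {"ns-internal.example.com."}, {"192.0.2.10"}):
        print("FINDING:", f)
    print("stale:", stale_secondaries(
        2024010101, {"ns1.provider.example.": 2024010101,
                     "ns2.provider.example.": 2024010100}))
```

In practice the record list and serials would come from querying each public name server directly; a secondary reported as stale is still serving an older copy of the zone.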

Having a secondary DNS service with an enterprise-class provider enhances a company’s own DNS infrastructure by providing:

  • Better uptime guarantee
  • Geographic diversity to ensure that systems are highly responsive and resilient against DDoS attacks, natural disasters, and other potential disasters
  • Ability to filter harmful traffic upstream of the organizational network
  • Better risk mitigation
  • Scale to handle the largest and most complex attacks when coupled with a DDoS mitigation solution
