You know the drawer we’re talking about. It started out being the place where you kept tape, and maybe scissors. Now you can find old paperclips (some bent to restart electronics), a ball of rubber bands with questionable stretch, a Leatherman that won’t open, a set of dried-up markers, a box of matches with the striker worn off, business cards for companies that are no longer in business, and an open packet of gum that’s been there since you moved in.
What’s not there? Tape.
DNS, on the other hand, is a mission critical service responsible for keeping your business accessible and available. So how could those things be alike?
Simple. Because DNS is foundational, it is likely that your DNS setup has been around as long as your business has. Over that time, your business may have tried a number of different strategies, each of which may have resulted in DNS implications. For example, your company may have run a promotion on a microsite at one point, and never removed the records from DNS. You may have had a joint site with a partner that doesn’t exist anymore, or a pointer to a provider whose servers have since been orphaned.
Another factor that can contribute to the mess that DNS can become is staff turnover. Once again, because DNS is bedrock, it is possible that there are issues with configurations that have been passed down over time. No one may actually remember why a configuration is set up as it is, but as long as the system is working, admins are understandably reluctant to change things.
The fact is, your DNS may be working… but that doesn’t mean that it is working WELL, or that it isn’t opening your business to vulnerabilities that you won’t see coming until they hit you.
Periodically you do clean that junk drawer, usually when you’re looking for tape. You need to do the same with your DNS. Good DNS hygiene is essential to a smooth-running business. Potential implications associated with neglecting DNS hygiene include:
DNS can be one of the simplest ways into an organization, because of how the system is designed. DNS is an open protocol, and it runs in clear text by default. It also requires unfettered communication across the firewall, between external resources and internal assets.
Attackers doing reconnaissance love DNS because it is a rich source of information. With DNS, bad actors can gather a domain’s subdomains to accurately map a target. Easily available tools can find hidden servers and reveal a host of different prospective targets. Because these techniques are passive, meaning that they are not actually attacking your infrastructure but instead gathering information about it, you will never know that these actions are taking place.
It is surprisingly easy for DNS records to become out of sync, which can lead to a myriad of potential vulnerabilities. One such issue is a nameserver mismatch between a child zone and its parent. Such mismatches can occur in a variety of ways; for example, when an organization changes registrars but forgets to change nameservers. In the most benign case, some percentage of your traffic could still be pointing to old nameservers. But such a mismatch can also be a golden opportunity for attackers, who can then insert fake servers of their own, redirect users down other paths, or simply watch the old servers and harvest credentials.
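The delegation check described above, as an added example that is not part of the original post: it compares the NS set the parent zone delegates to with the NS set the child zone serves at its apex, and flags each side of the mismatch. The nameserver names are constructed sample data (a registrar change that was only half completed); in practice you would fill the two lists from queries to a parent-zone nameserver and to one of the child’s own nameservers.

```python
"""Compare a parent zone's NS delegation with the child zone's own NS set.

Both inputs below are constructed sample data so the check runs offline.
"""
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """DNS names are case-insensitive; compare them in one canonical, fully qualified form."""
    return name.strip().lower().rstrip(".") + "."


@dataclass
class DelegationReport:
    consistent: set = field(default_factory=set)      # NS present on both sides
    only_in_parent: set = field(default_factory=set)  # delegated, but the child no longer lists it
    only_in_child: set = field(default_factory=set)   # listed by the child, never delegated

    @property
    def healthy(self) -> bool:
        return not self.only_in_parent and not self.only_in_child


def check_delegation(parent_ns, child_ns) -> DelegationReport:
    """Classify every nameserver by whether parent and child agree on it."""
    p = {normalize(n) for n in parent_ns}
    c = {normalize(n) for n in child_ns}
    return DelegationReport(consistent=p & c, only_in_parent=p - c, only_in_child=c - p)


def findings(report: DelegationReport) -> list:
    """Human-readable findings, worst first: stale delegations send real traffic elsewhere."""
    out = []
    for ns in sorted(report.only_in_parent):
        out.append(f"STALE DELEGATION: parent still delegates to {ns}; "
                   "resolvers can be sent to a server you may no longer control")
    for ns in sorted(report.only_in_child):
        out.append(f"UNDELEGATED NS: child zone lists {ns}, but the parent never sends traffic there")
    return out


# Constructed sample: the zone moved to a new provider, but the delegation
# at the parent was only partially updated (hypothetical names).
PARENT_DELEGATION = ["ns1.oldprovider.example.", "NS2.OldProvider.example", "ns1.newprovider.example."]
CHILD_APEX_NS = ["ns1.newprovider.example.", "ns2.newprovider.example."]

if __name__ == "__main__":
    for line in findings(check_delegation(PARENT_DELEGATION, CHILD_APEX_NS)):
        print(line)
```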
Another potential security risk that is posed by poor DNS hygiene is the inability of a zone to be DNSSEC enabled. DNSSEC brings authentication and a data integrity check to DNS, allowing users to validate that messages came from a genuine server, and not from a spoofed one. The inability to sign a zone with DNSSEC can open your company to issues that include DNS cache poisoning.
Operational and maintenance issues
As we all know, maintaining a DNS infrastructure is a lot of work. That means it is important that the infrastructure you are working to maintain – and secure – is actually essential and in use, which may not be the case if you have orphaned servers or resources that you no longer use. It is important to remember that it is often the old parts of the system that are overlooked. That means you may be paying more than you need to, opening up security vulnerabilities through these untouched resources, and possibly making it more difficult for users to get an optimal response.
Those old promotions you ran – they could still be active somewhere on orphaned microsites or pages. They still have your brand attached. Not only could they confuse customers with outdated branding or messaging, but they may also legally obligate you to honor offers that no longer make sense. An old, outdated offer could do tremendous damage to your brand.
What can you do?
Just like that kitchen drawer, the first thing that you need to do is realize that there is a problem. Unlike the kitchen drawer, of course, poor DNS hygiene could cause much bigger issues than dried up gum or a lack of tape. There are a number of ways that you could approach the issue:
Consider a managed service
Most DNS managed services will ensure that your infrastructure is running, but many leave the day-to-day task of zone management to you. It can make it difficult to know where to begin, but some managed services offer tools that help you keep good DNS hygiene. At Neustar, we’ve taken steps to help. Our recently implemented HealthCheck feature will check your zones against standards and best practices to point out issues that might exist and offer recommendations to help make things right. While the feature doesn’t automatically correct any issues for you, it makes it easy to see how you might begin.
Bring in an expert
Another, more comprehensive fix is to enlist the help of outside DNS experts. Having the system looked at by someone who is not a member of your team or even in your company will help to ensure that infrastructure is viewed with perspective. While there is typically a charge for these services, it is useful to consider how much you could save in eliminating unneeded services, securing what you are using, and protecting your brand.
Don’t wait until spring to start doing the cleaning. Tools like Health Check from Neustar Security Services make it easier to see critical issues where they exist before someone else takes advantage of them. Ultimately, your DNS – and more importantly, your customers – will thank you.