Tactical Advice

DNS, Your IP Workhorse

Take these six steps to sharpen your Domain Name System.
This story appears in the March 2010 issue of BizTech Magazine.

Everything we do on the Internet — every piece of e-mail, every post to Facebook, every tweet — requires a robust and reliable Domain Name System.

DNS, which translates plain-English names of websites into IP addresses that connect devices over the Internet, is the most utilized, yet underappreciated, service offered by your IT department. Despite the technology’s lack of flashy appeal and minimal support from top management, DNS administrators can implement a few simple measures to help ensure the backbone of their IT service offerings receives the attention it deserves.

1. Be smart about deployment.

When building your infrastructure, do not lose sight of the importance of a robust DNS. Even without purchasing additional hardware, you can buy yourself some redundancy by leveraging your existing infrastructure. Protect your DNS servers by placing them in geographically disparate locations, on separate power feeds and with separate rack switches.

2. Embrace your DNS data.

With the dynamic nature of DNS data and the prevailing desire to properly track it, a database is the easiest way to take your DNS to the next level. Your DNS service gets its data from a flat configuration file that can easily be created from a database. In addition, databases help you store additional information about your data while allowing you more agility in managing it.

3. Keep DNS data secure.

A zone transfer is the mechanism DNS uses to update downstream servers of changes in DNS data. By default, these updates occur in the clear between primary and secondary DNS servers and are initiated by the secondary or client server. This is where problems can occur.

Because clients initiate the zone transfers, a hacker can request a full zone transfer from the primary server, which will provide a full copy of your DNS data — and a complete map of your network infrastructure. To secure this information, it is important to implement Berkeley Internet Name Domain (BIND) access lists. These let you specify the client servers allowed to request zone transfers, and therefore protect your network map from unauthorized access.

4. Service your clients only.

Another critical component of the global DNS infrastructure is the recursive query. This type of query occurs when a host device asks for the IP address of a name for which its DNS server doesn’t know the answer. For example, if you ask your DNS server for the IP address of Google.com, unless you are operating Google.com’s DNS service, your DNS servers will not know the answer and most likely will recursively search for the answer on your behalf.

80% Number of external name servers open to recursion

Source: Infoblox, The Measurement Factory

These types of queries are what allow us to connect to various sites and computing services around the world. The important point is to ensure you are offering recursive services to only your clients. Many DNS infrastructures still allow open recursion, which means anyone can ask their DNS servers to provide recursion. This may seem harmless enough at first, but many exploits, including denial-of-service attacks, are specifically designed to leverage servers with open recursion enabled.

5. Perform periodic network health checkups.

Even though your DNS infrastructure may appear to be functioning properly, it’s important to periodically perform health checks on your infrastructure. These checkups ensure that your systems are optimally configured and performing properly. Many Internet sites offer free DNS health-check tools. Evaluate a few to find one that meets your needs.

6. Avert DNS disaster.

Don’t wait until disaster occurs to figure out how to recover critical services. By now, hopefully, you are convinced of the critical importance of your DNS infrastructure, and perhaps you already have a plan for recovering your environment in case of an emergency. The landscape of DNS technology has changed drastically over the past five years, so be sure to entertain potential options such as cloud-based DNS, appliance-based DNS, virtualized DNS and shared partnerships with peers.

No disaster recovery plan is complete without a way to provide DNS service.

Dan Rousseve is a system architect in operations and engineering at the University of Notre Dame in South Bend, Ind.
Sign up for our e-newsletter


Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....


The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...


Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.