You are here

Giving DNS Its Due

These six suggestions can sharpen your Domain Name System, the workhorse of your IP network.

Everything we do on the Internet -- every piece of e-mail, every post to Facebook, every tweet -- requires a robust and reliable Domain Name System.

The DNS, which translates plain-English names of websites into IP addresses that connect devices over the Internet, is the most utilized, yet underappreciated, service offered by your IT department. Despite the technology's lack of flashy appeal and minimal support from top management, DNS administrators can implement a few simple measures to help ensure the backbone of their IT service offerings receives the attention it deserves.

1. Be smart about deployment.

When building your infrastructure, do not lose sight of the importance of a robust DNS. Even without purchasing additional hardware, you can buy yourself some redundancy by leveraging your existing infrastructure. Protect your DNS servers by placing them in geographically disparate locations, on separate power feeds and with separate rack switches.

2. Embrace your DNS data.

With the dynamic nature of DNS data and the prevailing desire to properly track it, a database is the easiest way to take your DNS to the next level. Your DNS service gets its data from a flat configuration file that can easily be created from a database. In addition, databases help you store additional information about your data while allowing you more agility in managing it.

3. Keep your DNS data secure.

A zone transfer is the mechanism DNS uses to update downstream servers of changes in DNS data. By default, these updates occur in the clear between primary and secondary DNS servers and are initiated by the secondary or client server. This is where problems can occur.

Because clients initiate the zone transfers, a hacker can request a full zone transfer from the primary server, which will provide a full copy of your DNS data -- and a complete map of your network infrastructure. To secure this information, it is important to implement Berkeley Internet Name Domain (BIND) access lists. These let you specify the client servers allowed to request zone transfers, and therefore protect your network map from unauthorized access.

4. Service your clients only.

Another critical component of the global DNS infrastructure is the recursive query. This type of query occurs when a host device asks for the IP address of a name for which its DNS server doesn't know the answer. For example, if you ask your DNS server for the IP address of, unless you are operating's DNS service, your DNS servers will not know the answer and most likely will recursively search for the answer on your behalf.

These types of queries are what allow us to connect to various sites and computing services around the world. The important point is to ensure you are offering recursive services to only your clients. Many DNS infrastructures still allow open recursion, which means anyone can ask their DNS servers to provide recursion. This may seem harmless enough at first, but many exploits, including denial-of-service attacks, are specifically designed to leverage servers with open recursion enabled.

5. Perform periodic network health checkups.

Even though your DNS infrastructure may appear to be functioning properly, it's important to periodically perform health checks on your infrastructure. These checkups ensure that your systems are optimally configured and performing properly. Many Internet sites offer free DNS health-check tools. Evaluate a few to find one that meets your needs.

6. Avert DNS disaster.

Don't wait until disaster occurs to figure out how to recover critical services. Hopefully by now you are convinced of the critical importance of your DNS infrastructure, and perhaps you already have a plan for recovering your environment in case of an emergency. However, the landscape of DNS technology has changed drastically over the past five years, so be sure to entertain potential options such as cloud-based DNS, appliance-based DNS, virtualized DNS and shared partnerships with peers. No disaster recovery plan is complete without a way to provide DNS service.

Feb 02 2010