How long can your business afford to be offline?
Last month, a major Canadian telecommunications provider suffered a catastrophic failure for more than 18 hours. Many Canadians found themselves disconnected when cellular networks and the internet went unresponsive, at home or at work. Businesses turned away customers because they couldn’t process debit or credit payments. In some cases, emergency services like 911 were not available. One analyst put the cost to the economy at almost $150 million.
According to Gartner, a network outage can be costly to medium business about $5,600 per minute. This price can reach hundreds of thousands of dollars per hour. The DNS is part of the strategic network infrastructure of companies. A resilient and secure external DNS infrastructure is crucial to preventing outages and downtime. But this is only possible if it is properly configured.
In a traditional primary DNS server configuration, your business has all its eggs in one basket. If your DNS provider goes down, those eggs are out of reach and your website disappears from the internet. Imagine the damage done to your company’s reputation and bottom line. Secondary DNS is the understudy of your primary server. It learns the role of your primary DNS server and can replace it if it fails. Maybe you’ll never need it. But it provides peace of mind in the blink of an eye, ensuring access to your network following a cyberattack or service outage.
Secondary DNS is important for security, but its main feature is resiliency. Most customers expect reliable, uninterrupted service. For this reason, many companies have configured secondary DNS. However, a significant number of companies have only one DNS server, which puts these companies at increased risk of system failure.
Setting up a secondary DNS can ensure your business stays online. The most common architecture is to have a primary DNS on premises with a secondary DNS in the cloud. In the event of an outage or latency issues, users have an alternate path to your network. But a secondary DNS is not enough.
With secondary DNS in place, you will need to manage your data across multiple DNS servers. Remember, it’s not just about making sure your website is live anymore. You may have an e-commerce site, mobile apps, APIs, and other services that your customers need to access. Some of these services may be hosted in cloud or hybrid cloud environments. And some of these cloud environments may have different DNS providers, each with different capabilities.
And that leads to the main source of insomnia for network and risk teams: very few teams know where all their external DNS is hosted.
The tangle of externally hosted servers and DNS has created a new complexity challenge. Fortunately, there is a way to tackle it: network observability.
Businesses need to understand what is happening on their network. Without network observability, the foundation of enterprise networks will crumble, impeding growth, productivity, and efficiency.
Securing your DNS configuration
Knowing where your external DNS is hosted is a start. Cyberattacks are a serious threat, but misconfiguration (changes or additions to your corporate network) is the root cause of most outages. Improving network observability enables enterprises to assess risks and mitigate those risks to ensure network resilience.
Resilience and reliability may be priorities, but security is always on the edge. Proper DNS configuration requires every business to consider a few action items to improve their security posture:
Enable Domain Name System Security Extensions (DNSSEC)
DNSSEC authenticates DNS queries and responses using cryptographic digital signatures. When enabled, it validates responses to DNS queries before they reach the client device. Is this the actual website that the client device wants to visit? If no credentials are presented, or appear to be tampered with, no access is provided. DNSSEC can prevent hackers from routing users to a spoofed website, where they can submit personal or financial information.
So why haven’t many companies enabled DNSSEC? Its deployment is complicated and configuration errors can cause outages. Some vendors use automation to simplify the process because DNSSEC closes a known security hole.
Adopt two-factor/multi-factor authentication
Only use domain name registrars that offer two-factor authentication, period. And make sure it’s on. If a hacker can break into your registrar, they can steal your domains, alter your records, or use other hacking mechanisms like cache poisoning.
Make sure your external DNS providers also have multi-factor authentication enabled.
Make external DNS infrastructure more resilient and secure
Networks are more complex than ever. This complexity has allowed the enterprise level digital transformation while creating additional chaos for network administrators. To get the most out of your network, centralize and automate DNS management to increase resiliency and protect your network. It will help your business leverage DNS data for increased visibility, control, and compliance, taming complexity and leveraging it in ways that enable your business to meet the growing demands of today and tomorrow. .
