Security Insider Interview Series: Chris Roosenraad, Director of Product Management, Neustar

Every business has an on-line presence, and a domain name server (DNS) is a critical component of that presence.


“A DNS is a foundational building block, but if you don’t do it right, you’re building on a foundation of sand.”

Introduction: Chris Roosenraad, Neustar’s Director of Product Management, offers some ideas and best practices for ensuring an optimal DNS strategy.

How does DNS operate? DNS is a way of mapping a domain name to an IP address; in much the same way the white pages used to be how people looked up phone numbers. You need some way to map a name to a resource. For example, a user wants to connect to a website, so it needs the IP address of that site and DNS is the process that translates names to numbers. DNS is a fundamental building block upon which the Internet is built.

What are the differences between an authoritative and a recursive DNS? They have different roles. You need to publish your IP address, and that’s the authoritative side of DNS. And you need to look up those records to find a website by its IP address, that’s the recursive aspect of DNS. It’s also sometimes referred to as a caching or resolving server because it caches the results for a set period of time. Then the next time someone looks it up, you can publish right from the cache and it’s much faster. There are a lot of implications as to what you put in that answer. Having sub-optimal records can result in a negative customer experience. It’s a delicate balance.
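The caching behaviour described in that answer, as an added example that is not part of the interview or any Neustar code: a minimal DNS wire-format parser run over a response message constructed inline (the name example.com, the documentation address 192.0.2.1 and the 300-second TTL are all made-up sample values), plus a small resolver that answers from its cache only until the record’s TTL has expired and then goes back to the authoritative source. The clock is injectable so the expiry can be exercised without waiting.

```python
import struct
import time


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname: str, ip: str, ttl: int, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record response as an authoritative server would send it.

    Constructed for this example: one question, one answer, flags = response + RD + RA.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, top two bits set
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg: bytes):
    """Return [(name, ip, ttl), ...] for every A/IN answer in a response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response message")
    offset = 12
    for _ in range(qdcount):           # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4                    # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


class CachingResolver:
    """Recursive-side behaviour: serve from cache while the TTL holds, else ask upstream."""

    def __init__(self, authoritative, clock=time.time):
        self.authoritative = authoritative   # callable(name) -> wire-format response bytes
        self.clock = clock
        self.cache = {}                      # name -> (ip, absolute expiry time)
        self.upstream_queries = 0

    def resolve(self, name: str):
        """Return (ip, seconds of TTL remaining, source) where source is 'cache' or 'authoritative'."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], int(hit[1] - now), "cache"
        self.upstream_queries += 1
        records = parse_a_records(self.authoritative(name))
        if not records:
            raise LookupError(name)
        _, ip, ttl = records[0]
        self.cache[name] = (ip, now + ttl)
        return ip, ttl, "authoritative"


if __name__ == "__main__":
    # Hypothetical authoritative server that always answers with the constructed record.
    resolver = CachingResolver(lambda n: build_response(n, "192.0.2.1", 300))
    print(resolver.resolve("example.com"))   # first lookup goes upstream
    print(resolver.resolve("example.com"))   # second lookup is answered from cache
```

The remaining-TTL value returned from the cache is what a recursive server would hand to the next client, which is why a long TTL on a record you are about to change keeps stale answers alive across the Internet for that long.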

How do a primary and secondary DNS work together, and why is it important to have both? This is part of the authoritative or publishing function of DNS. If you only have a single DNS solution and it goes out or lags in performance, you’re sunk. So, when you have a primary and secondary DNS, you are splitting the load between two services, and the primary updates the secondary with your DNS configurations. Should the primary have a problem, the secondary can still answer questions. You can also have two primaries provisioned independently of each other. So, you forego the problem of primary and secondary being out of sync. That adds complexity, but again it’s a balancing act.

How can an organization ensure it’s getting the most out of its DNS? Every business has some kind of on-line presence. So, every business can put a dollar value on an Internet outage. Without DNS, your online presence does not exist. And DNS is something you can outsource. Even when you do that, you still need to ensure you’re using best practices on a regular basis—good old spring cleaning. This is where engaging with a professional services partner for things like auditing DNS records can help ensure efficient DNS functions. DNS is something you’re constantly balancing, so you have to perform regular maintenance.

How should an organization best secure its DNS and reduce its risk profile? There’s securing the DNS infrastructure and securing the data within the DNS. The whole point of a DNS is to publish data, but you need to secure the infrastructure. The software is stable, but still needs to be patched regularly. That’s also something for which there’s a strong argument for outsourcing. Securing the data requires regular audits. You have to ensure the DNS exposure you’re giving the Internet is what you want it to be, and best protect your DNS from targeted attacks like DDoS or cache poisoning. Employing the DNSSEC protocols can help, especially with ensuring origin authority and data integrity.

What do you see for the future of DNS? DNS isn’t going anywhere. It’s an incredibly efficient protocol. It’s an example of how the building blocks of the Internet were done right. As Internet usage evolves, it’s changing how resources are mapped. With the Internet of Things, there are communications over the Internet without a human involved. There are ways you can modify DNS entries to facilitate that. There’s also full support in DNS now for non-western alphabets. A DNS is a foundational building block, but if you don’t do it right, you’re building on a foundation of sand.


Copyright © 2017 IDG Communications, Inc.