Loyal to a Fault: Why Your Current DNS May Be Exposing You to Risk

Ask seasoned IT professionals what they dislike most about their infrastructure, and they'll answer in unison: Change.


IT, network and security professionals all rely on tried-and-true products to keep the business humming along, but is doing so exposing them to new risks? This post looks at some hidden risk factors present in many of today’s DNS environments, and what enterprises should be doing now to mitigate them.

Few groups are more change-averse than enterprise IT professionals, especially their network and security teams. With network stability (read: uptime) at the heart of their existence, reliance on known products and services can become a crutch – and a blindfold, limiting their ability to objectively consider new infrastructure solutions. When cloud arrived, many organizations had to fight the ‘server-huggers’, who insisted that their sacred server or device in the datacenter was the only way to run a specific application or perform a specific business function.

The cloud has also brought automation to the data center. As organizations move towards software-defined wide area networks (SD-WAN), there is an expectation of instant provisioning of newly requested services for both DevOps and production, so the move to self-service is afoot, using automation to keep pace with rapidly evolving infrastructure. Here again, DNS plays a fundamental role as facilitator. As a result, most IT professionals have now seen the light and (sometimes grudgingly) embrace at least a hybrid IT environment, if not a cloud-first one.

Are there network and security infrastructure “huggers” as well? Consider the huge number of organizations that rely entirely on Microsoft server infrastructure, including Active Directory and DNS/DHCP. Many IT pros will say they can’t have AD without Microsoft DNS, yet enterprises with a large number of AD forests can overwhelm poorly configured Microsoft DNS services, leading to serious problems.

Legacy DNS has often outlived the enterprise’s original network designers, leaving newer IT professionals with a black box: they aren’t quite sure how the DNS system is actually configured. Dusting off an old manual to find the 2005 plans for migrating DNS from a domain controller to a separate DNS server? Not as unusual as it sounds, in a world where Netmarketshare found 140 million computers still running Windows XP as of 2017[1], 15 years after its introduction.

The benefits of BlueCat Enterprise DNS will grow with the business, serving as the central point for administration and enabling orchestration and automation initiatives.

Although it may appear outwardly that legacy DNS systems are performing as they should, there are reasons to revisit enterprise DNS strategy even if all seems well.

As an increasing number of cyberthreats target DNS, infrastructure thought to be adequate may end up falling short. In particular, advanced persistent threats (APTs) and lateral movement across the network are designed to take advantage of DNS’ central role in the network.

Legacy DNS implementations are also at risk of being used in DNS amplification attacks, which abuse open recursive name servers to increase the strength of DDoS attacks: the attacker spoofs the source address on DNS queries to match the target’s address, so the much larger responses are sent to the target. Poor DNS server configuration can also lead to cache poisoning, another way to reroute users to fake websites and do untold damage.

It’s unsurprising that attackers have put a target on DNS’ back, since almost all networking software makes DNS requests for everything from internal email and intranet access to streaming video and browsing the web. Anyone who gets in the middle of that can answer every request with a phishing site instead of the legitimate one.
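Because so many of the enterprises described above run Microsoft DNS, the following PowerShell audit is an added example (not code from the original post or from BlueCat) that checks a Windows DNS server for the two exposures named above: recursion left open, which makes the server usable as an amplifier, and weak cache-poisoning protections. It assumes the DnsServer module on Windows Server 2016 or later, DNS admin rights, and a server that is meant to resolve only for internal clients; the function name and the report shape are this example's own.

```powershell
# Added example: audit the settings a resolver needs before it is exposed to
# amplification abuse or cache poisoning. Assumes the DnsServer module
# (Windows Server 2016+) and DNS admin rights. Get-DnsExposureReport is a
# hypothetical helper name chosen for this example.
Import-Module DnsServer

function Get-DnsExposureReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $findings  = @()
    $recursion = Get-DnsServerRecursion -ComputerName $ComputerName
    $rrl       = Get-DnsServerResponseRateLimiting -ComputerName $ComputerName
    $cache     = Get-DnsServerCache -ComputerName $ComputerName

    # A recursive server reachable from untrusted networks is an open resolver:
    # a spoofed query from the target's address yields a large answer sent to the target.
    if ($recursion.Enable) {
        $findings += 'Recursion is enabled: confirm the server is unreachable from ' +
                     'untrusted networks, or disable recursion on Internet-facing servers.'
    }
    # Response Rate Limiting caps identical answers to one source, blunting amplification.
    if ($rrl.Mode -ne 'Enable') {
        $findings += "Response Rate Limiting mode is '$($rrl.Mode)': enable it."
    }
    # SecureResponse drops records outside the queried zone (bailiwick check), and
    # pollution protection keeps such records out of the cache; both resist poisoning.
    if (-not $recursion.SecureResponse) {
        $findings += 'SecureResponse is off: out-of-zone records in replies are accepted.'
    }
    if (-not $cache.EnablePollutionProtection) {
        $findings += 'Cache pollution protection is off: enable it.'
    }

    [pscustomobject]@{
        Server   = $ComputerName
        Findings = $findings
        Healthy  = ($findings.Count -eq 0)
    }
}

# Hardening steps for each finding, on a server that must stay internal-only.
# Uncomment after reviewing the report; RRL values are the Microsoft defaults.
# Set-DnsServerResponseRateLimiting -Mode Enable -ResponsesPerSec 5 -ErrorsPerSec 5
# Set-DnsServerRecursion -SecureResponse $true
# Set-DnsServerCache -PollutionProtection $true
# Set-DnsServerRecursion -Enable $false   # only for servers that should never resolve

Get-DnsExposureReport | Format-List
```

Run it against each DNS server in the forest (via `-ComputerName`) and keep the reports; a server whose findings change between runs is the configuration drift the post warns about.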

To avoid these worst-case scenarios, many organizations are adopting enterprise DNS: managed, distributed and hardened DNS services designed to eliminate these risks. That’s just a part of what BlueCat does.

About BlueCat

BlueCat is the Enterprise DNS Company™. The largest global enterprises trust BlueCat to provide the foundation for digital transformation strategies such as cloud migration, virtualization and security. Our innovative Enterprise DNS solutions portfolio, comprised of BlueCat DNS Integrity™ and BlueCat DNS Edge™, enables the centralization and automation of DNS services and the ability to leverage valuable DNS data for significantly increased control, compliance and security. For more information, please visit www.bluecatnetworks.com.

Copyright © 2018 IDG Communications, Inc.