DNS attacks are increasing. Is your Domain Name System implementation up to snuff? Here's what you need to know to make sure you have the right provider for you.

The Domain Name System (DNS) is showing signs of strain. Attacks leveraging DNS protocols used to be fairly predictable and limited to the occasional DDoS flood. Now attackers use more than a dozen distinct techniques, including cache poisoning, tunneling and domain hijacking. The 2019 Global DNS Threat Report from IDC shows that the vast majority of respondents suffered a DNS-related attack in the past two years; an average of nearly ten attacks per company were reported, affecting almost half of the respondents' websites. DNS pioneer Paul Vixie has bemoaned the state of DNS and says that these attacks are just the tip of the iceberg.

This is why you need to get more serious about protecting your DNS infrastructure, and various vendors have products and services to help. You have options; here's how to sort them out.

Leverage your ISP's DNS

The first step is to use the DNS resolver your ISP provides. For many of us that is the beginning and end of any DNS discussion. While this is the path of least resistance, you don't get much in the way of protection, filtering or threat monitoring.

Use a public DNS provider that supports DNSSEC

A better choice is to replace your ISP's resolver with one of the public DNS providers that validates Domain Name System Security Extensions (DNSSEC). DNSSEC support is nice, but it is no guarantee that you will be safe from attack. DNSSEC authenticates the answers a resolver receives; it does not encrypt your queries, hide what you look up, or stop abuse of the protocol itself. Signed responses are much larger than the queries that trigger them, and in 2016 attackers were widely observed using DNSSEC-signed zones for DDoS amplification. Keep in mind, too, that DNSSEC only protects you if the resolver you use actually validates signatures, and the last hop between your machine and that resolver remains unauthenticated unless you also use DNS over TLS or DNS over HTTPS.

Besides DNSSEC validation, the public providers have easy-to-remember IP addresses such as 1.1.1.1 (Cloudflare), 8.8.8.8 (Google) or 9.9.9.9 (Quad9) for their resolvers. These services are useful for smaller businesses and for users who travel frequently and want an additional layer of security for their laptops.
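Before trusting the DNSSEC entry on a provider's feature list, check that the resolver you have configured actually validates. The following is an added example, not the article's or any provider's code: it hand-builds a wire-format DNS query carrying an EDNS0 OPT record with the DO (DNSSEC OK) bit set, then reads the AD (authenticated data) flag and RCODE from the reply header. A validating resolver sets AD on a correctly signed name and returns SERVFAIL for a name whose signatures are broken. The live check at the bottom assumes that example.com is correctly signed and that dnssec-failed.org is a deliberately mis-signed test zone; both are conventional test names, but confirm they still behave that way before relying on them.

```python
"""Check whether a recursive resolver validates DNSSEC.

Added example (not from the article or any provider's tooling). Sends a query
with the EDNS0 DO bit set and inspects the AD flag and RCODE of the reply.
"""
import random
import socket
import struct

RCODE_SERVFAIL = 2


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format query: 12-byte header, one question, one OPT pseudo-RR with DO=1."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR (RFC 6891): NAME=root, TYPE=41, CLASS=UDP payload size,
    # TTL = extended RCODE(8) | EDNS version(8) | DO(1) | Z(15), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_flags(msg: bytes) -> dict:
    """Decode the ID and flag word of a DNS message header."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),  # resolver asserts it validated the answer
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
    }


def ask(resolver_ip: str, name: str, timeout: float = 2.0) -> dict:
    """Send one UDP query to resolver_ip:53 and return the parsed reply flags (needs network)."""
    txid = random.randrange(1, 0x10000)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    flags = parse_flags(reply)
    if flags["id"] != txid or not flags["qr"]:
        raise ValueError("reply does not match our query")
    return flags


def verdict(signed_ok: dict, signed_bad: dict) -> str:
    """signed_ok: flags for a correctly signed name; signed_bad: flags for a
    name whose signatures are deliberately broken."""
    if signed_ok["ad"] and signed_bad["rcode"] == RCODE_SERVFAIL:
        return "validating"
    if not signed_ok["ad"] and signed_bad["rcode"] == 0:
        return "not validating"
    return "inconclusive"  # e.g. TC set, timeouts, or a broken test zone


if __name__ == "__main__":
    # Assumptions: example.com is DNSSEC-signed; dnssec-failed.org is a
    # deliberately mis-signed test zone. Verify both before relying on them.
    for ip in ("1.1.1.1", "8.8.8.8", "9.9.9.9"):
        try:
            print(ip, verdict(ask(ip, "example.com"), ask(ip, "dnssec-failed.org")))
        except (OSError, ValueError) as exc:
            print(ip, "error:", exc)
```

The same check from the command line is `dig +dnssec example.com @1.1.1.1` and looking for `ad` in the flags line. Note the caveat: AD is a single bit in an unauthenticated UDP packet, so anything on the path can clear or forge it. It tells you the resolver validated; it does not protect the hop between you and the resolver, which is why the encrypted transports in the list below matter.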
The following vendors offer free DNS resolver services that support DNSSEC; most also offer an encrypted transport (DNSCrypt, DNS over HTTPS or DNS over TLS), which protects the query path itself rather than the answers. Keep in mind you get what you pay for:

- AdGuard DNS (filtering, DNSCrypt, DNS over HTTPS and TLS)
- Alternate DNS (filtering and ad blocking)
- CleanBrowsing (filtering, also paid management plans, DNSCrypt, DNS over HTTPS and TLS)
- Cloudflare (DNS over HTTPS and TLS)
- Google Public DNS (DNS over HTTPS and TLS)
- Cisco OpenDNS (filtering, also paid management plans)
- Quad9 (filtering, DNSCrypt, DNS over HTTPS and TLS)
- Verisign (paid plan also)

Review your cloud provider's DNS offerings

The next step for any decent-sized enterprise network is to examine what your cloud provider offers beyond the basics. Google has Cloud DNS, Amazon has Route 53 and Microsoft has Azure DNS. Note that these are primarily authoritative services: they host your zones and answer the internet's queries for your names, which is a different job from the recursive resolver your own clients query. Free trials are available, and each has a complex pricing scheme based on the number of hosted zones and the volume of queries its servers answer. The cloud providers do bring more security than an ISP resolver, but each is tied to its own cloud, so they are a poor fit if you want a single DNS source across your entire enterprise.

Consider a DNS specialty provider

The next step is to consider a DNS specialty provider. You'll get a lot more protection than the built-in options from the IaaS providers. These providers offer more resiliency because they run numerous DNS server locations around the world, which also improves performance by reducing latency as your packets traverse the internet. Specialty providers also offer better attack monitoring and prevention because of the traffic volume they see: they tend to spot exploits sooner and stop them faster.

The four most popular are Akamai's Enterprise Threat Protector, NS1 Domain Security Suite, OpenDNS/Cisco Umbrella and Cloudflare. If you already use Akamai's or Cloudflare's content delivery network, you're probably using their DNS tools already. Even if you aren't and never will, it still makes sense to look at one of them.

How to evaluate your DNS provider

1. Understand your network bottlenecks and DNS problems

First, see where you have network bottlenecks and what (if any) DNS problems you need to solve. Some free or inexpensive tools and online services can help here. For example, DNSPerf shows various metrics over the last month, assembled by testing each provider every minute from 200 locations around the world. You'll see that Cloudflare's queries are answered (on average) in less than 12 ms, while GoDaddy's take more than 47 ms. (Cloudflare also comes up at or near the top on other metrics.) Tools such as DNSBlast can load-test your current DNS server, and DNSBenchmark can do performance testing on Windows.

Once you have this data, you can better understand how traffic will flow from a chosen DNS provider to your website visitors and other internet applications. If all your customers are in the U.S., you are probably covered by any of the vendors. Some have more resources worldwide, which comes in handy if you have a lot of traffic originating elsewhere. You should be able to find out where in the world a provider's DNS servers are physically located (some vendors are coy about answering this). If you have a particularly complex network spread across numerous geographies, you might want to look at Dyn's Internet Intelligence tool. (This is one of the Dyn tools that was sold to Oracle and is still being supported.)

2. Review the DNS management dashboard

Next, examine the vendors' management dashboards to see whether you understand what they tell you, what actionable data they display, and what the vendor monitors.
These are the key questions to answer:

- Do you see odd traffic in near real time?
- Can you add geofencing rules to block the gross-level phishing attacks?
- Do you see which locations (both yours and theirs) are experiencing outages or slowdowns?
- Is there an API that can work with your cloud or SaaS providers to integrate them into your DNS coverage?
- Are load balancing or other traffic optimization tools available?

[Image: Cisco Umbrella DNS management dashboard. Credit: Cisco]

3. Match your needs to the vendor's offering

You need to match your needs with what the provider offers. For example, Cisco's Umbrella comes in four bundles. Only the most expensive "platform" tier offers threat enforcement; if you don't need that, one of the lesser plans offers just about everything else.

4. Get an accurate price quote

Finally, you'll want a price quote. It is hard to calculate fees unless you have a handle on your overall network traffic volumes or the number of users or endpoints you are protecting. Of course, no vendor offers complete transparency on fees. (See my comment above on complex pricing schemes.)
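The first dashboard question, "Do you see odd traffic in near real time?", is easier to judge if you already know what odd DNS traffic looks like in your own resolver logs. The following is an added example, not the article's code or any vendor's detection logic: a small detector for the DNS tunneling pattern mentioned at the top of the article, which groups queries by (client, zone) and flags groups whose subdomains are almost all unique and also show long labels, high character entropy, or the TXT/NULL record types that tunneling tools favour. The log format (`<epoch> <client_ip> <qtype> <qname>`) and the sample traffic, including the `attacker-test.invalid` zone, are constructed for the example; the two-label zone split is a simplification that a production version should replace with a public-suffix list.

```python
"""Flag DNS-tunneling-like behaviour in resolver query logs.

Added example, not from the article or any vendor. Log format is constructed:
"<epoch> <client_ip> <qtype> <qname>", one query per line.
"""
import base64
import hashlib
import math
from collections import defaultdict

SUSPICIOUS_QTYPES = {"TXT", "NULL"}  # record types favoured by iodine/dnscat2-style tunnels


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, zone). Assumes the zone is the last two labels; a real
    deployment should use a public-suffix list so co.uk-style zones are handled."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(lines):
    """Parse the constructed log format, skipping malformed lines rather than crashing."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        yield {"ts": float(ts), "client": client, "qtype": qtype.upper(), "qname": qname}


def find_tunnel_candidates(records, min_queries=20, unique_ratio=0.9,
                           entropy_bits=3.5, max_label_len=40):
    """Group queries by (client, zone) and flag groups that look like a covert channel:
    nearly every query carries a never-seen subdomain AND at least one other indicator."""
    groups = defaultdict(lambda: {"queries": 0, "subdomains": set(), "long_labels": 0,
                                  "high_entropy": 0, "suspicious_qtypes": 0})
    for r in records:
        sub, zone = split_name(r["qname"])
        g = groups[(r["client"], zone)]
        g["queries"] += 1
        g["subdomains"].add(sub)
        if any(len(label) > max_label_len for label in sub.split(".")):
            g["long_labels"] += 1
        if shannon_entropy(sub.replace(".", "")) > entropy_bits:
            g["high_entropy"] += 1
        if r["qtype"] in SUSPICIOUS_QTYPES:
            g["suspicious_qtypes"] += 1

    findings = []
    for (client, zone), g in groups.items():
        if g["queries"] < min_queries:
            continue  # too little data to judge; a busy CDN name would also look "unique"
        ratio = len(g["subdomains"]) / g["queries"]
        indicators = [k for k in ("long_labels", "high_entropy", "suspicious_qtypes") if g[k] > 0]
        if ratio >= unique_ratio and indicators:
            findings.append({"client": client, "zone": zone, "queries": g["queries"],
                             "unique_ratio": round(ratio, 2), "indicators": indicators})
    return sorted(findings, key=lambda f: -f["queries"])


def constructed_log():
    """Constructed sample: one normal client and one tunnelling client (not real traffic)."""
    lines = []
    for i in range(30):  # normal: a few hostnames under example.com, queried repeatedly
        host = ("www", "mail", "api")[i % 3]
        lines.append(f"{1700000000 + i} 10.0.0.5 A {host}.example.com")
    for i in range(30):  # tunnel-like: unique, long, high-entropy labels, TXT type
        blob = base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().rstrip("=").lower()
        lines.append(f"{1700000000 + i} 10.0.0.7 TXT {blob}.c.attacker-test.invalid")
    return lines


if __name__ == "__main__":
    for finding in find_tunnel_candidates(parse_log(constructed_log())):
        print(finding)
```

Run against a day of real resolver logs, the `min_queries` and `unique_ratio` thresholds are what keep CDN and anti-virus update domains (which also generate many unique subdomains) out of the findings; tune them on your own baseline before wiring the output into an alert, and treat a hit as a lead for investigation, not proof of exfiltration.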