The how and the why: carrying out a comprehensive DNS audit

An alarming number of organisations are still leaving themselves wide open to cyber-crime and Distributed Denial of Service (DDoS) attacks, by not prioritising domain name system (DNS) security.

DNS is used by every single business on the internet, so it is perplexing that so few have full visibility or control over their DNS performance, security and stability. It's also why attacks are so keenly felt and recognised around the world because they usually play out in the public domain.

A recent Quocirca study commissioned by Neustar showed that a staggering 92 percent of UK businesses have limited visibility of the impact of DNS performance on their staff, users of their websites and online resources.

Your DNS is your brand's digital identity

Gaining full visibility across all areas of DNS is vital. When a website's DNS is compromised the whole system collapses, bringing email, apps and other services down with it.

To put it as simply and as bluntly as possible, a business's DNS is its digital identity. And having a safe and secure DNS is crucial. Any organisation that relies on any form of online assets for day-to-day activities cannot afford to have their DNS compromised.

So if you are responsible for IT security in your organisation, a regular and thorough DNS audit is necessary to minimise the effects of issues such as server overloads from negative caching or low set time-to-lives (TTLs), before they become a major problem.

A piecemeal approach is no approach at all

Using a piecemeal “set and forget” approach to maintaining your DNS security puts your business at risk of cyber-attack. It is akin to closing the vault door, but not checking that it has actually been locked!

A DNS environment can change rapidly, which is why it must be checked and audited regularly. Otherwise, you are presenting pretty low-hanging fruit to cyber-criminals who are constantly innovating and finding new ways to attack organisations.

If there is one positive outcome of the Mirai botnet DNS attack – and all those that have followed in the last year or so – it is that DDoS crime is firmly on the radar.

What follows is a series of key considerations you need to factor in when carrying out a comprehensive DNS audit, and maintaining the day-to-day health of the DNS.

Prevent email spoofing

Your Sender Policy Framework (SPF) record helps to prevent spoofing of email from your domain. If it is not configured properly, cyber-criminals can send email that appears to come from your business domain, which can be incredibly damaging if your clients and customers end up opening malicious emails that you didn't send. Configuration issues such as the incorrect use of multiple strings or invalid syntax need to be regularly monitored and fixed.
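The following is an added example, not code from the article or from Neustar: an offline syntax audit of the SPF TXT records published at a domain apex, covering the two problems the paragraph names (more than one SPF record, and invalid terms) plus the missing terminating `all` and the RFC 7208 ten-lookup limit. The domain names and TXT strings are constructed samples, and the term grammar is a simplification of RFC 7208 that omits macro expansion.

```python
import re

# Added example, not the article's code: offline SPF audit over constructed
# TXT record sets. No DNS queries are made.

# One SPF term: optional qualifier then a mechanism (RFC 7208, macros omitted).
_MECHANISM = re.compile(
    r"[+\-~?]?(?:all"
    r"|include:\S+"
    r"|a(?::[^/\s]+)?(?:/\d{1,3})?"
    r"|mx(?::[^/\s]+)?(?:/\d{1,3})?"
    r"|ptr(?::\S+)?"
    r"|ip4:\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?"
    r"|ip6:[0-9a-f:.]+(?:/\d{1,3})?"
    r"|exists:\S+)",
    re.I,
)
_MODIFIER = re.compile(r"(?:redirect|exp)=\S+", re.I)
# Terms that cost a DNS lookup when a receiver evaluates the record; RFC 7208 caps them at 10.
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term):
    """Strip the qualifier and return the mechanism or modifier name, lower-cased."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def audit_spf(txt_records):
    """Return a list of findings for the TXT records published at one domain."""
    findings = []
    spf_records = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf_records:
        findings.append("no SPF record: receivers cannot reject mail that spoofs this domain")
        return findings
    if len(spf_records) > 1:
        findings.append(
            f"{len(spf_records)} SPF records published; RFC 7208 allows exactly one, "
            "and receivers treat more than one as a permanent error"
        )
    for record in spf_records:
        terms = record.split()[1:]
        for term in terms:
            if not (_MECHANISM.fullmatch(term) or _MODIFIER.fullmatch(term)):
                findings.append(f"invalid term {term!r} in {record!r}")
        ends_with_all = bool(terms) and re.fullmatch(r"[+\-~?]?all", terms[-1], re.I) is not None
        has_redirect = any(_term_name(t) == "redirect" for t in terms)
        if not (ends_with_all or has_redirect):
            findings.append(
                f"no terminating 'all' or redirect= in {record!r}; unlisted senders are only neutral"
            )
        lookups = sum(1 for t in terms if _term_name(t) in _LOOKUP_TERMS)
        if lookups > 10:
            findings.append(
                f"{lookups} DNS-lookup terms in {record!r}; RFC 7208 limits these to 10"
            )
    return findings


# Constructed sample TXT record sets keyed by placeholder domain names.
SAMPLE_TXT = {
    "good.example": ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "duplicated.example": ["v=spf1 include:a.example -all", "v=spf1 include:b.example ~all"],
    "broken.example": ["v=spf1 ip4:192.0.2 a:mail.example"],
    "missing.example": ["some-site-verification=abc123"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        print(domain, audit_spf(records) or ["OK"])
```

To run this against live data, feed `audit_spf` the list of TXT strings returned for the apex by a resolver; the findings for `good.example` are empty, while the other three samples each reproduce one of the misconfigurations described above.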

Don't overload with negative caching

Negative caching is where a DNS server caches negative responses (the name or record does not exist) as well as positive ones. If you set your negative caching time too low, resolvers repeatedly re-request the same information, which can easily overload your server, use too much bandwidth and cause downtime.

Configure TTL correctly

Time-to-live (TTL) sets how long recursive servers may keep a record in their DNS cache. When the TTL you have set expires, the name server sends a fresh DNS query and updates its cache. If you set the TTL too low you risk overloading the server with excessive queries; if you set it too high, you risk inflexibility whenever a configuration change is needed.
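As an added example (not the article's code), the check below serves both the negative caching and the TTL sections: it parses a small constructed zone, derives the negative caching TTL the way resolvers do under RFC 2308 (the lesser of the SOA record's own TTL and its MINIMUM field), and flags record TTLs that fall outside policy bounds. The thresholds `min_ttl`, `max_ttl` and `min_negative` are assumed example values, not figures from the article.

```python
from collections import namedtuple

# Added example, not the article's code. Parses a constructed zone-file subset
# and audits negative caching and record TTLs against assumed thresholds.

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed sample zone (not a real zone); "name TTL class type rdata" per line.
SAMPLE_ZONE = """
@        3600   IN SOA   ns1.example. hostmaster.example. 2024010101 7200 900 1209600 60
@        3600   IN NS    ns1.example.
@        3600   IN NS    ns2.example.
www      30     IN A     192.0.2.10    ; very low TTL: resolvers re-query almost constantly
api      604800 IN A     192.0.2.11    ; one week: a change would take days to propagate
mail     3600   IN MX    10 mail.example.
"""


def parse_zone(text):
    """Parse the simple zone-file subset above into Record tuples (comments stripped)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, ttl, _rclass, rtype, *rdata = line.split()
        records.append(Record(name, int(ttl), rtype.upper(), " ".join(rdata)))
    return records


def negative_cache_ttl(records):
    """How long resolvers cache 'does not exist' answers for this zone.

    RFC 2308 section 5: the lesser of the SOA record's own TTL and its MINIMUM
    field (the last number in the SOA rdata). Returns None without an SOA.
    """
    soa = next((r for r in records if r.rtype == "SOA"), None)
    if soa is None:
        return None
    return min(soa.ttl, int(soa.rdata.split()[-1]))


def audit_ttls(records, min_ttl=300, max_ttl=86400, min_negative=300):
    """Flag TTLs outside the bounds. Bounds are assumed example thresholds;
    tune them to how often your records actually change."""
    findings = []
    negative = negative_cache_ttl(records)
    if negative is None:
        findings.append("no SOA record: negative caching TTL cannot be determined")
    elif negative < min_negative:
        findings.append(
            f"negative caching TTL is {negative}s; lookups for non-existent names "
            "will be re-sent to the authoritative servers almost continuously"
        )
    for r in records:
        if r.rtype == "SOA":
            continue
        if r.ttl < min_ttl:
            findings.append(
                f"{r.name} {r.rtype} TTL {r.ttl}s is below {min_ttl}s: excess query load"
            )
        elif r.ttl > max_ttl:
            findings.append(
                f"{r.name} {r.rtype} TTL {r.ttl}s is above {max_ttl}s: changes take "
                f"up to {r.ttl // 3600}h to propagate"
            )
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("negative caching TTL:", negative_cache_ttl(zone))
    for finding in audit_ttls(zone):
        print("-", finding)
```

On the sample zone the SOA's own TTL is 3600 but its MINIMUM field is 60, so the effective negative caching TTL is 60 seconds; the audit reports that along with the `www` record's 30-second TTL and the `api` record's one-week TTL.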

Zone delegation set up

Incorrect zone delegation is one of the most common problems found during a DNS audit. Zones have to be set up correctly so that DNS queries are directed to the proper name servers. Regularly review your name servers and check that names are pointing to the proper locations.

Manage internal IP addresses properly

Another fairly common problem, which risks exposing information about your business to outsiders, is internal IP addresses appearing in external DNS zones. Any audit must therefore check that internal and external DNS are kept fully separate.
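The example below is added here and is not code from the article or from Neustar; it covers both the zone delegation section and this one. It works from constructed data for a hypothetical zone `example.`: the NS set the parent hands out is compared with the NS set the zone publishes, in-zone name servers are checked for glue addresses, and every A/AAAA record in the external zone is checked against the RFC 1918, loopback, link-local and IPv6 unique-local ranges. The private-range check is explicit rather than using `ipaddress`'s `is_private`, because that property also covers the documentation ranges (203.0.113.0/24) used here as stand-ins for public addresses.

```python
import ipaddress

# Added example, not the article's code. Offline delegation and
# internal-address audit of a constructed external zone.

ORIGIN = "example."  # hypothetical zone

# NS set the parent zone delegates to (constructed).
PARENT_NS = {"ns1.example.", "ns2.example."}

# Records served by the zone itself: (owner, type, rdata). Relative owners are
# under ORIGIN; "@" is the apex. All values are constructed.
ZONE_RECORDS = [
    ("@", "NS", "ns1.example."),
    ("@", "NS", "ns3.example."),        # ns2 was replaced by ns3, parent never updated
    ("ns1", "A", "203.0.113.1"),
    ("www", "A", "203.0.113.10"),
    ("intranet", "A", "10.20.30.40"),   # RFC 1918 address leaking into the external zone
    ("vpn", "AAAA", "fd12:3456::1"),    # IPv6 unique-local address leaking
]

# Ranges that should never appear in an external zone.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "fc00::/7", "::1/128", "fe80::/10",                # IPv6 ULA, loopback, link-local
)]


def fqdn(name, origin=ORIGIN):
    """Qualify a zone-file owner name: '@' is the apex, relative names sit under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def audit_delegation(parent_ns, records, origin=ORIGIN):
    """Compare the parent's delegation with the zone's own NS set and check glue."""
    findings = []
    child_ns = {fqdn(rdata, origin) for owner, rtype, rdata in records
                if owner == "@" and rtype == "NS"}
    for ns in sorted(parent_ns - child_ns):
        findings.append(f"parent delegates to {ns} but the zone's own NS set does not list it")
    for ns in sorted(child_ns - parent_ns):
        findings.append(f"zone lists {ns} as a name server but the parent does not delegate to it")
    addressed = {fqdn(owner, origin) for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    for ns in sorted(child_ns | parent_ns):
        if ns.endswith("." + origin) and ns not in addressed:
            findings.append(f"{ns} is inside the zone but has no A/AAAA record: glue is missing")
    return findings


def find_internal_addresses(records, origin=ORIGIN):
    """Return (name, address) pairs whose address falls in an internal range."""
    leaks = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata)
        if any(addr in net for net in INTERNAL_RANGES):
            leaks.append((fqdn(owner, origin), rdata))
    return leaks


if __name__ == "__main__":
    for finding in audit_delegation(PARENT_NS, ZONE_RECORDS):
        print("delegation:", finding)
    for name, addr in find_internal_addresses(ZONE_RECORDS):
        print("internal address exposed:", name, addr)
```

In practice the parent-side NS set comes from a query to the parent's servers and the child-side set from a query to the zone's own servers; the comparison logic is the same. The sample produces four delegation findings (one NS on each side only, and two in-zone name servers without glue) and two leaked internal addresses.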

Check inactive domains

Check which of your domains are active and which are inactive. An inactive domain may be, for example, a .biz domain that you registered but never fully set up. Then clean up your inactive domains regularly.

Test your pointer records

Pointer (PTR) records, also known as reverse lookup records, let you use an IP address to find the host name; the reverse lookup name is formed from the octets of the IP address in reverse order. Any audit should test PTR record lookups to ensure they reverse the order of the octets in the IP address appropriately.
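As an added example that is not part of the article, the code below builds the reverse lookup name from an address (octets reversed under `in-addr.arpa.` for IPv4 and, going beyond the article's IPv4 case, nibbles reversed under `ip6.arpa.` for IPv6), cross-checks that construction against the standard library, and then performs the forward-confirmed reverse DNS test an audit should run: the host a PTR record names must itself resolve back to the address. The PTR and forward records are constructed samples for a hypothetical zone; 203.0.113.0/24 is a documentation range standing in for public addresses.

```python
import ipaddress

# Added example, not the article's code: reverse-name construction and a
# forward-confirmed reverse DNS check over constructed records.


def reverse_name(ip):
    """Owner name of the PTR record for an address.

    IPv4: octets in reverse order under in-addr.arpa. (RFC 1035).
    IPv6: the 32 hex nibbles in reverse order under ip6.arpa. (RFC 3596).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def matches_stdlib(ip):
    """Cross-check reverse_name against ipaddress's own reverse_pointer."""
    return reverse_name(ip) == ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed sample data for a hypothetical zone.
PTR_RECORDS = {
    "10.113.0.203.in-addr.arpa.": "mail.example.",
    "11.113.0.203.in-addr.arpa.": "old-host.example.",
}
FORWARD_RECORDS = {
    "mail.example.": {"203.0.113.10"},
    "old-host.example.": {"203.0.113.99"},   # host renumbered, PTR never updated
}


def audit_ptr(ip, ptr_records=PTR_RECORDS, forward_records=FORWARD_RECORDS):
    """Forward-confirmed reverse DNS: the PTR target must resolve back to the address."""
    host = ptr_records.get(reverse_name(ip))
    if host is None:
        return "no PTR record"
    addresses = forward_records.get(host)
    if not addresses:
        return f"PTR points to {host}, which has no forward record"
    if ip not in addresses:
        return f"PTR points to {host}, whose forward records do not include {ip}"
    return "ok"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "2001:db8::1"):
        print(ip, "->", reverse_name(ip), "|", audit_ptr(ip))
```

Against live DNS the two dictionaries would be replaced by a PTR query for `reverse_name(ip)` and an A/AAAA query for the returned host; the three sample addresses exercise the pass, stale-PTR and missing-PTR cases respectively.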

Alongside a DNS audit, the risk of downtime can be greatly reduced by deploying a secondary (or failover) DNS service. This guarantees redundancy, particularly for mission-critical systems where any outage could cause major disruption.

Contributed by Anthony Chadd, Director of EMEA, Neustar

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.