Enterprise Domain Ecosystems and DNS Security Trends
At the end of every year, there are a flurry of prediction articles that we all like to read. Predictions hold the ‘promise of the possible’.
Predictions are subject matter experts sharing trends contextualized as future states. Less Nostradamus, more statistical and behavioural trend analytics.
Here are mine. I hope you find them of value as you plan 2024.
Your enterprise will suffer a domain, DNS, or certificate related disruption
This prediction is a bit too easy but perhaps the most important to know since you will want to take steps to prevent the incident(s).
A key domain will expire, a phishing attack will be executed using one of an enterprise’s own domains, an internal resource will make a DNS edit that will disrupt the business, a certificate will expire, a dangling CNAME will be taken over by a bad actor or a DNS zone resource record vulnerability will result in a DNS hijack. Frankly, likely, most or all of the above.
Blockchain Top Level Domains (TLDs) will proliferate and harden the ‘splinter-root’.
In the vacuum of ICANN not executing the next round application window for new TLDs, blockchain innovations have filled the gap with new TLDs and millions of domains running on alternative blockchain roots, and it is gaining traction as each month passes.
Without the ability to own a new TLD on the trusted IANA root, innovative entrepreneurs and companies will find a way to make things happen.
It is creating a ‘splinter-root’ that for the first time in history will likely become a viable alternative. As more time passes without the IANA root expansion, the more hardened the ‘splinter-root’ will be. That said, these spaces are messy. Expect more lawsuits to be filed as competing TLDs claim first use.
ICANN will announce the next round for new Top-Level Domains (TLDs).
It has been more than a decade since the 2012 ICANN TLD application round. After years of policy development, a final report was approved in February 2021 by the GNSO Council.
In 2022, ICANN kicked off the Operational Design Phase (ODP) that ICANN leadership advised would accelerate the implementation phase. The resulting Operational Design Assessment (ODA) has now been delivered to the ICANN board as of December 2022.
Stay tuned for more developments however, with this work now complete, in 2023, the ICANN Board will approve the final phase to expand the Internet with the next TLD application round. If you are a large enterprise, get ready for it! If, however, the ICANN Board does not approve expansion in a timely manner, see prediction #2
DNS security and compliance will rise in the list of top IT governance priorities.
The DNS is insecure by design, making it highly vulnerable to compromise. Risk is due to the protocol itself combined with hidden DNS misconfigurations. Issues include the absence of resource records such as SPF, DMARC or DNSSEC that permit attack vectors.
Another risk is that enterprise DNS zone file hygiene is largely ungoverned. Teams lack modern vulnerability visibility tools leaving them exposed to unseen vulnerabilities like dangling CNAMEs and orphaned IPs.
This reality and the absence of single pain of glass control system governing domain lifecycle, DNS configurations, and certificates will result in Brand, IT, Infrastructure, DevOps, and InfoSec deciding they need to up their game on DNS related change controls.
DNSSEC adoption by enterprise will grow.
Until recently, DNSSEC adoption over the past decades was slow. One of the historical challenges was the need to roll keys annually. Leaving that process to internal manual processes limited the adoption.
Over the past years, adoption has dramatically increased as this key rollover function has been automated by some advanced registrar provider systems that integrate DNS controls.
DNSSEC prevents recursive server DNS cache poisoning that can result in DNS hijacks. DNSSEC is the best tool to ensure your audiences, customers, and partners do not end up at malicious destinations where malware can be distributed and/or users fall victim to credential theft.
SPF and DMARC adoption by enterprise will continue apace.
SPF and DMARC are the resource records that protect against malicious use of domain names to proliferate phishing using a company’s own domain names.
Many organizations only set SPF and DMARC records on domains that are actively used for mail. However, a security vulnerability exists with the 80-90% of owned domains that are only parked.
Best practice use of SPF and DMARC is to set up these records on all enterprise domains controlling what mail servers are authorized to send mail. SPF can also be an effective InfoSec control tool to prevent shadow IT from setting up new mail systems not approved by InfoSec.
DNS vulnerability tools will become a ‘must have’ for vulnerability management.
If your enterprise team is unable to see the DNS vulnerabilities in your zones, they cannot mitigate the exposures.
As the digital surface area continues to expand, and withrising cyber security risks, enterprise leaders are seeking to improve their vulnerability management capabilities and reporting. It is not good enough to include a few ‘flagship’ domains into an existing endpoint monitoring tool. Enterprises need to see specific DNS vulnerabilities across their entire domain portfolio. If you own it, you must manage it.
Systems that make it easy for teams identify and mitigate DNS vulnerabilities will be adopted beyond the ‘innovator’ and ‘early adopter’ cohorts and enter the ‘early majority’. Those in the ‘late majority’ and ‘laggard’ cohort will increasingly be targeted as easy pickings.
Domain, DNS, and certificate management will remain painful for IT Directors.
Managing this area is a pain for IT, Infrastructure, and DevOps teams. It is a constant hassle and time consuming exercise chasing logins to registrars and DNS providers, dealing with departing employees who had access and/or managed domains and DNS in a shadow IT environment.
Accounts without full privileges, resolving a broken DNS record, renewing an expired certificate, coordinating the transition of infrastructure timed with DNS updates, inability to see and understand zone files, etc. It is just a pain and time-consuming area.
It will only become worse as more domains and growth in the digital surface area continues. It is particularly challenging for companies with multiple operating entities and teams who manage domains through various siloed systems.
Where shadow IT has production domains live and when there is an issue, the suffering IT team must determine how to solve it.
Domain Asset and DNS network audits will be embedded into M&A due diligence
Before, during and after a M&A deal, the acquirer must understand the domain assets and the scope of a target company’s DNS infrastructure.
For the sellers, these intangible assets are increasingly valuable assets that enhance the valuation of the business. Pre-deal audits and management process reviews will emerge as a core due diligence item in M&A.
In the past, domains and DNS were an afterthought, but in today’s world, BUSINESS IS DIGITAL, and DIGITAL DEPENDS ON THE DNS.
The brand assets and the DNS surface area must be enumerated. Post-deal plans to consolidate and ensure controlled transition is a key integration function to ensure business continuity and to protect the valuable brand identity/domain assets within the acquisition and risk valuation equation.
Brand TLD Opportunity Hits the Enterprise Strategy Priority List.
Of all the predictions, this is the most interesting. A Brand TLD strategy addresses many problem areas including brand trust, cyber security, IT management pain, total cost of ownership, and digital communications. All of them add value to the authentic brand entity.
The Internet is still young. Its birthday is often stated as January 1983 when TCP/IP was created to allow computers to connect. It went mainstream in the mid to late 1990s. Let’s say the Internet starting its mass market adoption curves with domains about 25-30 years ago. Since then, the .com TLD has ruled. It will stay like that for a while but to think that is the long-term position, ignores innovation reality.
Consider the history of music playback. Vinyl records became commercially available in 1930, cassettes in 1964, CDs in 1976, MP3 players in 1997 and entering 2023 streaming on demand rules the world. Vinyl had a long run and then with some innovations for 60-70 years but that run is over, aside from niche collectors, as new, better, and different technologies emerged.
A Brand TLD is an inevitable, natural evolution for digital brand identities for all major or aspiring brands.
Owning a proprietary brand space ensures trust and security for your audience, customers, company, and partners.
As the ICANN announcement enters the ether, enterprise strategists, brand, compliance, IP, and InfoSec officers will prioritize a future brand digital identity strategy to own their proprietary Brand TLD that is authentic, controlled as the long-term platform for innovation, and future expansion of the surface area.
Need some guidance about the enterprise domain and DNS security outlook or why you need to own a Brand TLD, Book a briefing call.
I’ll provide you with guidance on DNS vulnerabilities and what to do about it and/or why and how your brand will be better positioned by owning your brand authentic Top-Level Domain!