The Dreaded Domain and DNS Audit
There must be a better way to stay compliant and secure…
Every digital manager and IT professional understands the importance of maintaining a healthy domain portfolio and DNS infrastructure. Everything that is digital depends upon domains and their mission critical zone files. We all know this infrastructure should be carefully monitored; yet the vast majority of enterprises struggle to effectively keep tabs on this area. They rely on periodic, internal DNS audits that aren’t frequent enough, or sufficiently thorough.
The consequences of a “set it and forget it” domain/DNS operation can be disastrous. There is an abundance of best practices advice compelling us to watch over our domain and DNS operations carefully.
Performance optimization requires monitoring of negative caching, TTL settings, and zone delegation. Many companies lack a secondary DNS service for failover.
Security policies require us to confirm SPF settings to minimize email spoofing – as well as DMARC, DNSSEC and DKIM settings where applicable. Inactive domains and stale IP addresses are magnets for nefarious actors seeking to compromise network security.
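To make the "confirm SPF, DMARC and DKIM settings" check concrete, here is an added example (not Authentic Web's code or tooling) that evaluates the email-authentication records of a domain against a minimal policy: exactly one SPF record that ends in `-all` or `~all` and stays within the RFC 7208 limit of ten DNS-lookup terms, a DMARC policy of `quarantine` or `reject` with a `rua=` reporting address, and a non-empty DKIM key for each expected selector. The resolver is a pluggable function; the `sample_resolver` and every record in `SAMPLE_TXT` are constructed so the script runs offline, and the domain names, selector `sel1` and finding texts are assumptions of this example.

```python
import re
from typing import Callable, Dict, List

# A resolver maps a DNS name to the list of TXT strings published there.
Resolver = Callable[[str], List[str]]

# Constructed sample TXT records for two hypothetical domains; no live DNS is queried.
SAMPLE_TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example"],
    "sel1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAEXAMPLEKEY"],
    "weak.example": ["v=spf1 a mx +all", "constructed-site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def sample_resolver(name: str) -> List[str]:
    """Stand-in for a live TXT lookup; returns the constructed records above."""
    return SAMPLE_TXT.get(name, [])

# SPF terms that each cost one DNS lookup under RFC 7208 (at most 10 are allowed).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")

def check_spf(txts: List[str]) -> List[str]:
    findings: List[str] = []
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    if len(spf) > 1:
        findings.append(f"SPF: {len(spf)} v=spf1 records; exactly one is allowed")
    terms = spf[0].split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("SPF: ends in +all, so any host passes")
    elif last not in ("-all", "~all"):
        findings.append("SPF: no terminating -all/~all mechanism")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10")
    return findings

def _tags(record: str) -> Dict[str, str]:
    """Split the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    out: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def check_dmarc(txts: List[str]) -> List[str]:
    recs = [t for t in txts if t.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no v=DMARC1 record at _dmarc"]
    tags = _tags(recs[0])
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        return [f"DMARC: p={p or '<missing>'} does not enforce; use quarantine or reject"]
    return [] if "rua" in tags else ["DMARC: no rua= address, so no aggregate reports arrive"]

def check_dkim(txts: List[str], selector: str, domain: str) -> List[str]:
    name = f"{selector}._domainkey.{domain}"
    keys = [_tags(t) for t in txts if "p" in _tags(t)]
    if not keys:
        return [f"DKIM: no key record at {name}"]
    if not keys[0]["p"]:
        return [f"DKIM: empty p= at {name} (key revoked)"]
    return []

def audit_domain(domain: str, dkim_selectors: List[str],
                 resolve: Resolver = sample_resolver) -> Dict[str, List[str]]:
    """Run all three checks for one domain and return findings grouped by control."""
    report: Dict[str, List[str]] = {
        "spf": check_spf(resolve(domain)),
        "dmarc": check_dmarc(resolve(f"_dmarc.{domain}")),
        "dkim": [],
    }
    for sel in dkim_selectors:
        report["dkim"] += check_dkim(resolve(f"{sel}._domainkey.{domain}"), sel, domain)
    return report

if __name__ == "__main__":
    for d in ("good.example", "weak.example"):
        print(d, audit_domain(d, ["sel1"]))
```

Run against a real portfolio, the resolver argument would wrap a live TXT lookup (for instance dnspython's `dns.resolver.resolve(name, "TXT")`) and the loop would iterate over every domain in the portfolio, which is what turns a once-a-year audit into a scheduled, repeatable check.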
Ensuring compliance can be an ongoing struggle between your well-intended policies and the reality of fallible human behavior. This explains the habitual “audit and clean up” activity surrounding domains and DNS.
Domain (and subdomain) portfolios are growing, along with their underlying DNS, i.e. resource records. The attack surface is expanding at a faster rate. A typical enterprise portfolio of 1,000 domains can easily have 15,000 or more resource record settings that change frequently. This is the worst scenario for a once-or-twice per year periodic audit.
This year we’ve interviewed senior domain/DNS stakeholders from Fortune 500 companies in banking/finance, media, industrial manufacturing and telecommunications. Candid admissions about their own periodic, internal audits from these organizations were very revealing:
- Domain and DNS audits are infrequent and ad hoc, sometimes occurring only once per year, if at all
- Audits are laborious and often get put on hold when new priorities arise
- Audits generate unwieldy amounts of data with no clear indication of suggested management action
- A completed audit is quickly forgotten, leaving long intervals of under-monitored operation.
Periodic domain/DNS audits are simply not an effective way to manage your mission-critical digital assets. They are costly, too infrequent and lacking in real-time remediation. There is a better way!
A modern approach to digital operations demands that domains, DNS and associated services such as SSL certificates reside under an effective management system. Placing domains and DNS under a tamper-proof, automated, change-management system eliminates the need for periodic audits. Domains and DNS should be self-monitoring 24/7, with remediation capabilities.
Enterprise policies governing security, compliance and performance are easily managed when left to a system that self-reports. Internal audits should be constant, captured in real-time and automatically disseminated via scheduled digests to designated authorities.
A modern and effective domain/DNS management system should at minimum provide the following capabilities:
- Secure, permissioned access with SSO and/or MFA and IP whitelisting, to prevent unauthorized access
- Tamper-proof change management audits and digests that instantly communicate DNS changes to delegated authorities
- Configurable workflow from “cradle-to-grave” for all domains and associated DNS settings
- Enforced system-based compliance, such as mandated DNS security settings (SPF, DNSSEC, DMARC, etc.)
- Dashboard-based, real-time performance views of critical domain and DNS functions – with one-click remediation
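The "tamper-proof change management audits and digests" capability above can be illustrated with a small added example (not Authentic Web's product or code): two constructed snapshots of a hypothetical zone are diffed into change events, each event is appended to a hash-chained log whose entries commit to the previous entry's hash, a digest is rendered for a scheduled report, and a verification pass detects any later edit to the log. The zone contents, the `snapshot-job` actor and the timestamp are assumptions of this example.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# A zone snapshot: (owner name, record type) -> sorted list of rdata strings.
Zone = Dict[Tuple[str, str], List[str]]

# Constructed snapshots of a hypothetical zone taken one day apart.
SNAPSHOT_T0: Zone = {
    ("www.corp.example.", "A"): ["192.0.2.10"],
    ("corp.example.", "MX"): ["10 mail.corp.example."],
    ("corp.example.", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}
SNAPSHOT_T1: Zone = {
    ("www.corp.example.", "A"): ["192.0.2.10"],
    ("corp.example.", "MX"): ["10 mail.corp.example."],
    ("corp.example.", "TXT"): ["v=spf1 ip4:192.0.2.0/24 +all"],  # SPF weakened
    ("old-promo.corp.example.", "A"): ["198.51.100.7"],           # new record appeared
}

def diff_zone(before: Zone, after: Zone) -> List[dict]:
    """Return one event per resource-record set that differs between snapshots."""
    events = []
    for owner, rtype in sorted(set(before) | set(after)):
        old, new = before.get((owner, rtype)), after.get((owner, rtype))
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "changed"
        events.append({"owner": owner, "type": rtype, "change": kind, "before": old, "after": new})
    return events

GENESIS = "0" * 64  # previous-hash value of the first log entry

def _entry_hash(body: dict) -> str:
    """Canonical JSON (sorted keys) so the same content always hashes the same."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(log: List[dict], event: dict, actor: str, ts: str) -> dict:
    """Append an entry whose hash covers its content and the previous entry's hash."""
    body = {"seq": len(log), "ts": ts, "actor": actor,
            "prev": log[-1]["hash"] if log else GENESIS, "event": event}
    entry = dict(body, hash=_entry_hash(body))
    log.append(entry)
    return entry

def verify_log(log: List[dict]) -> bool:
    """Recompute every hash and link; any edited, dropped or reordered entry fails."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or body.get("prev") != prev or _entry_hash(body) != entry.get("hash"):
            return False
        prev = entry["hash"]
    return True

def digest(log: List[dict], since_seq: int = 0) -> List[str]:
    """Human-readable lines for a scheduled digest of entries at or after since_seq."""
    lines = []
    for e in log[since_seq:]:
        ev = e["event"]
        lines.append(f"#{e['seq']} {e['ts']} {e['actor']}: {ev['change']} "
                     f"{ev['owner']} {ev['type']} {ev['before']} -> {ev['after']}")
    return lines

if __name__ == "__main__":
    log: List[dict] = []
    for ev in diff_zone(SNAPSHOT_T0, SNAPSHOT_T1):
        append_event(log, ev, actor="snapshot-job", ts="2024-01-02T00:00:00Z")
    print("\n".join(digest(log)))
    print("chain intact:", verify_log(log))
```

In practice the log would be written to append-only storage held by a different principal than the DNS administrators, and the digest would be the scheduled report sent to the delegated authorities; the hash chain is what lets a recipient confirm that no entry was altered or removed between digests.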
A system-based approach to managing domains and DNS changes the paradigm from periodic, static management by people to always-on, real-time governance of digital assets and operations.
Domains and the DNS are too important to be left to periodic internal audits. It’s high time that enterprises locked this area down with a systems-based approach.
Authentic Web helps organizations bring enhanced security, compliance and performance to their domain portfolio and DNS network. Read our whitepapers or see how our free domain/DNS audit can help you assess your current state.