No IT professional would argue against the idea that DNS security is a critical component of an organization’s security posture. Yet the DNS is more vulnerable to attack than ever, despite well-known best practices intended to prevent DNS compromise.
Why is this the case? The reality is, DNS is hard to manage. Common DNS management practices create more DNS weaknesses than they solve. Here are three situations IT security teams need to avoid:
Organizations tend to accumulate DNS services the way collectors accumulate baseball cards. Two providers can be justified for redundancy; more than that is rarely worth the cost. Every additional DNS service, domain registrar, and TLS certificate authority on your network adds vendor fragmentation and complexity without adding security.
The end result is weaker security. Every DNS service provider has its own administrative portal, each with its own login credentials, access controls, and (where supported at all) its own multi-factor authentication setup. For the IT security custodian, it is like carrying a ring with dozens of keys on it. DNS is much easier to secure behind a single, multi-factor access regime with one place to review who can change what.
Using multiple DNS providers creates a second problem: Domain Name System Security Extensions. DNSSEC lets a validating resolver check that the DNS answers it receives were signed by the zone owner and were not forged or altered in transit, which mitigates cache poisoning and the hijacking of DNS answers. It is universally recommended and a high-priority security best practice. Note what it does not do: an attacker who takes over your registrar account can simply replace the DS record, so the registrar's access controls matter as much as the zone signing itself.
The difficulty is that DNSSEC only works while the zone's signing keys and the DS record published at the parent through the registrar stay in sync, and that must hold for every domain and through every key rollover. Signing one zone that is served by several DNS providers means either copying private signing keys between vendors or running a multi-signer arrangement in which each provider publishes the others' public keys. In practice, spreading zones across multiple DNS services makes consistent DNSSEC deployment across your domain portfolio unlikely, and where it does happen it survives only through manual, error-prone administration. Using multiple DNS and domain providers can leave your DNS network dangerously exposed.
When domains, DNS, and TLS certificates are managed across multiple vendor platforms, it is very hard to maintain clear visibility over your domain estate. Administrators have to collect information from several sources just to answer basic questions about a domain's security state, and the collection is inefficient to the point of being ineffective.
Every domain an organization owns, new or existing, carries multiple settings that together determine its DNS security and compliance: zone file records, domain administration details (registrant contacts, expiry, registrar lock), TLS certificates, and the security-relevant records published in DNS (the DNSSEC DS record and the SPF and DMARC policies that protect the domain's email). Across multiple vendors each of these lives in a different place. Managing this environment without a "single source of truth" is a reliable formula for IT security risk and vulnerability.
Managing DNS security across multiple vendors with no unified control point sounds chaotic, but the problems it creates are more serious than disorder. One threat is the hijacking of orphaned domains and dangling records: a name that still points at a host, cloud resource, or nameserver that nobody on your side controls any more can be claimed by an attacker, who then serves whatever they like under your brand. In 2018, more than 600 global brands including Mastercard, Hilton International, and ING Bank lost control of over 4,000 domains to attackers who exploited orphaned domains, using them to misdirect customers to fraudulent web destinations.
The owners' lack of visibility over these domains was the root cause of the breach. Without a single source of truth to reference, important DNS information becomes fragmented and siloed, and nobody notices the record that points nowhere. DNS security inevitably suffers.
One inevitable fact about any DNS network is change. Hundreds or thousands of domains with tens of thousands of zone file records, along with TLS certificates and DNS security policies, make change management a constant, real-time occupation. When changes are made across multiple vendor platforms, each with its own credentials and access controls, change management gets gnarly. Without an integrated view and a controlled process, DNS security is at risk.
Change management should have an automated, tamper-evident audit trail and an alert system that ensures no change goes unnoticed. Organizations that rely on manual change processes (think email threads, Excel spreadsheets, and SharePoint forms) are preferred targets for DNS attackers. Most DNS compromises take place without the knowledge of the DNS network owner, and opaque change management makes these attacks easier to execute and harder to detect: a record altered through a portal nobody audits looks exactly like a legitimate change.
Any corporate domain portfolio with a few hundred domains and several thousand attendant resource records is at risk. If any one of those records is changed, accidentally or maliciously, it can jeopardize your entire digital operation. The consequences range from unreachable websites to hijacked DNS traffic redirecting users to malicious sites.
One defense is to manually review the security status of every domain, DNS setting, and TLS certificate in the entire network. Some organizations mandate this, but it is hugely impractical at that scale and rarely executed successfully. Even a successful audit is only a snapshot of your security posture at one moment. What is needed is continuous monitoring: a current snapshot of every domain's posture, compared against the last known-good state, with the differences raised as alerts.
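The following is an added example, not code from the original article or from any vendor platform. It shows in working form what the preceding paragraphs ask for: one snapshot of each domain's DNS-visible posture (DS record, SPF, DMARC), a posture check, a dangling-CNAME check of the kind that catches orphaned records, a diff between two snapshots, and a hash-chained audit log that makes silent edits detectable. Live DNS lookups are replaced by a constructed in-memory record set (the `SAMPLE_RECORDS` table and `sample_lookup` are assumptions for the demo); in production you would plug in a real resolver such as dnspython's `dns.resolver.resolve` and persist the log where DNS administrators cannot write.

```python
"""Portfolio DNS posture: snapshot, findings, diff and a hash-chained audit log.
Added example with constructed sample data; not from the original article."""
import hashlib
import json
import re
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]  # (owner name, rrtype) -> rdata strings

# Constructed sample data: one well-configured apex, one poorly configured one,
# and two CNAMEs, one of which points at a target that no longer resolves.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "DS"): ["12345 13 2 0123456789ABCDEF"],
    ("example.com", "TXT"): ['"v=spf1 include:_spf.example.net -all"'],
    ("_dmarc.example.com", "TXT"): ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'],
    ("example.org", "DS"): [],
    ("example.org", "TXT"): ['"v=spf1 +all"', '"some-verification=abc"'],
    ("_dmarc.example.org", "TXT"): [],
    ("shop.example.com", "CNAME"): ["shop-prod.example-cdn.net."],
    ("old.example.com", "CNAME"): ["retired-bucket.example-cloud.net."],
    ("shop-prod.example-cdn.net.", "A"): ["203.0.113.10"],
}


def sample_lookup(name: str, rrtype: str) -> List[str]:
    """Stand-in resolver (assumption): an empty list means no data or NXDOMAIN."""
    return SAMPLE_RECORDS.get((name, rrtype), [])


def snapshot(domains: List[str], lookup: Lookup) -> Dict[str, dict]:
    """Collect the DNS-visible security posture of each apex domain."""
    snap = {}
    for d in domains:
        txt = [t.strip('"') for t in lookup(d, "TXT")]
        dmarc = [t.strip('"') for t in lookup("_dmarc." + d, "TXT")]
        snap[d] = {
            "ds": sorted(lookup(d, "DS")),
            "spf": [t for t in txt if t.lower().startswith("v=spf1")],
            "dmarc": [t for t in dmarc if t.lower().startswith("v=dmarc1")],
        }
    return snap


def findings(snap: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Flag per-domain posture problems as (domain, issue) pairs."""
    out = []
    for d, rec in snap.items():
        if not rec["ds"]:
            out.append((d, "no DS record at the parent: DNSSEC chain of trust not established"))
        if len(rec["spf"]) != 1:  # RFC 7208: more than one SPF record is a permerror
            out.append((d, f"{len(rec['spf'])} SPF records (exactly one required)"))
        elif not re.search(r"\s[-~]all\s*$", rec["spf"][0]):
            out.append((d, "SPF record does not end in -all or ~all"))
        if not rec["dmarc"]:
            out.append((d, "no DMARC record"))
        else:
            m = re.search(r"\bp=(\w+)", rec["dmarc"][0], re.IGNORECASE)
            if not m or m.group(1).lower() == "none":
                out.append((d, "DMARC policy is none (monitor only)"))
    return out


def dangling_cnames(hosts: List[str], lookup: Lookup) -> List[Tuple[str, str]]:
    """(host, target) for CNAMEs whose target no longer resolves. Such targets
    are takeover candidates if the hosting provider lets anyone claim the name."""
    out = []
    for h in hosts:
        for target in lookup(h, "CNAME"):
            if not lookup(target, "A") and not lookup(target, "AAAA"):
                out.append((h, target))
    return out


def diff(old: Dict[str, dict], new: Dict[str, dict]) -> List[Tuple[str, str, object, object]]:
    """Changes between two snapshots as (domain, field, before, after)."""
    changes = []
    for d in sorted(set(old) | set(new)):
        o, n = old.get(d, {}), new.get(d, {})
        for field in sorted(set(o) | set(n)):
            if o.get(field) != n.get(field):
                changes.append((d, field, o.get(field), n.get(field)))
    return changes


class AuditLog:
    """Append-only change log; each entry commits to the previous entry's hash,
    so editing or deleting an earlier entry breaks verify(). This is tamper-
    evident, not tamper-proof: keep the latest hash where admins cannot overwrite it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, change: object) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"actor": actor, "change": change, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("actor", "change", "prev")}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    snap = snapshot(["example.com", "example.org"], sample_lookup)
    for d, issue in findings(snap):
        print(f"{d}: {issue}")
    for host, target in dangling_cnames(["shop.example.com", "old.example.com"], sample_lookup):
        print(f"{host}: CNAME target {target} does not resolve")
```

Run on a schedule, `snapshot` plus `diff` against the stored previous snapshot is the alerting loop the text describes; each accepted change is then appended to the `AuditLog` with the actor who made it. The SPF check deliberately treats a second `v=spf1` record as a failure rather than picking one, because receivers reject the whole policy in that case.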
There is good news: When DNS management becomes easier, DNS security becomes stronger. Integrating everything into a single vendor platform makes administering domains, DNS, and TLS certificates clear, consistent, and comprehensive, and in the process it closes the gaps that overly complex DNS management inevitably opens. One caveat a practitioner should keep in mind: that single platform then holds the keys to every domain, so its administrative access deserves multi-factor authentication, least-privilege roles, and its own change auditing.
There’s a better way to manage your DNS.
To learn more, read our complete guide to defending the domain name system to take the first steps in securing your network and protecting your users.