Experts agree that DNS security is vital, yet it remains under-deployed in most organizations. Why? Because effective DNS security is complex and costly to manage, and cost and complexity are barriers to adoption.
Managing the DNS is complex and difficult in large part because organizations use multiple DNS service vendors, each with its own proprietary administrative platform and its own credential and access regime. Managing hundreds or thousands of domains across dozens of DNS services is inefficient and very difficult to monitor, update, and secure.
Then there are the dozens of resource records in each domain's zone file to set up and monitor. Every web-facing domain needs HTTPS, which means TLS certificates that must be renewed roughly every year (publicly trusted certificates are currently limited to about 13 months). DNSSEC requires the domain registrar, the DNS service, and the domain registry to work together: the DNS service signs the zone, the registrar submits the DS record, and the registry publishes it in the parent zone. Many DNS services don't support DNSSEC at all. Domains, DNS, TLS certificates, and DNSSEC (with signatures that expire and keys that must be rolled over, each rollover requiring a fresh DS record at the parent) make for a very messy environment, and a chain of trust that breaks, or is never properly established, wherever one of those parties drops a step.
To put this problem into perspective, consider the life cycle of a typical domain. Someone in marketing requests the domain, an administrator orders it, someone else sets up the zone's resource records, and ideally a governance group takes responsibility for later updates and monitoring. IT security teams manage the security measures, but when it comes to domains and the DNS, that task often falls to separate network admin teams. That's a lot of parties making inputs and updates, often without clear coordination or communication.
In such an environment, errors and oversights can weaken DNS security. Things become even more complicated after you scale this effort to the enterprise level. When thousands of DNS resource records are fragmented across dozens of vendor platforms, it’s almost impossible to manage them effectively.
Unfortunately, complexity causes more than confusion. It puts your entire online presence at risk. For example, best practices call for DNSSEC, yet 87% of private sector companies lack DNSSEC protection, often simply because no one has enabled it or configured it correctly end to end. Finding and fixing DNS security issues like these across an enterprise's domain portfolio takes significant effort; that's why so many companies get by with inadequate DNS security compliance.
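The single most common place for the DNSSEC chain described above (DNS service signs, registrar submits, registry publishes) to fail is the link between the DNSKEY the DNS provider serves and the DS record the parent zone holds. The following is an added example, not code from the original article or any vendor it describes: it recomputes the DS record a parent should hold from a child DNSKEY, using the key tag algorithm from RFC 4034 Appendix B (which applies to every DNSSEC algorithm except the obsolete RSA/MD5) and the SHA-256 DS digest from RFC 4509, and reports whether the two sides agree. The zone name, the DNSKEY bytes and the DS value are constructed for the example (the public key is dummy data of the right length for ECDSA P-256, not a real key); in practice you would fetch the DNSKEY RRset from the child's authoritative servers and the DS RRset from the parent.

```python
import base64
import hashlib

# Constructed sample data (not real zone data): the KSK as the child zone's
# DNS provider would publish it in a DNSKEY record. Flags 257 = KSK,
# protocol 3 = DNSSEC, algorithm 13 = ECDSAP256SHA256.
ZONE = "example.com."
DNSKEY_FLAGS, DNSKEY_PROTO, DNSKEY_ALG = 257, 3, 13


def dummy_pubkey_b64(first_byte: int) -> str:
    """64 dummy bytes (the size of a P-256 x||y public key), base64 as in a DNSKEY record.
    Purely illustrative data; it is not a valid curve point."""
    return base64.b64encode(bytes(range(first_byte, first_byte + 64))).decode()


DNSKEY_PUBKEY_B64 = dummy_pubkey_b64(1)


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum the RDATA as 16-bit words, fold in the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(name: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest over canonical owner name + DNSKEY RDATA (RFC 4034 s5.1.4).
    Digest type 2 is SHA-256 (RFC 4509); other types are out of scope here."""
    if digest_type != 2:
        raise ValueError("this example only handles digest type 2 (SHA-256)")
    return hashlib.sha256(owner_name_wire(name) + rdata).hexdigest().upper()


def ds_from_dnskey(name: str, flags: int, proto: int, alg: int, pubkey_b64: str):
    """The DS tuple (key tag, algorithm, digest type, digest) the parent zone must publish
    for this DNSKEY to be reachable from the parent's chain of trust."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    return (key_tag(rdata), alg, 2, ds_digest(name, rdata))


def ds_matches(parent_ds, name: str, flags: int, proto: int, alg: int, pubkey_b64: str) -> bool:
    """True iff the DS held at the parent authenticates this child DNSKEY.
    A False here means the registrar-submitted DS and the provider-served key
    have drifted apart (typical after a key rollover that was never resubmitted)."""
    return tuple(parent_ds) == ds_from_dnskey(name, flags, proto, alg, pubkey_b64)


if __name__ == "__main__":
    expected_ds = ds_from_dnskey(ZONE, DNSKEY_FLAGS, DNSKEY_PROTO, DNSKEY_ALG, DNSKEY_PUBKEY_B64)
    print("DS the parent should hold:", expected_ds)
    # Simulate the failure mode: the provider rolled the KSK but nobody resubmitted the DS.
    rolled_key = dummy_pubkey_b64(2)
    print("Old DS still valid for rolled key?",
          ds_matches(expected_ds, ZONE, DNSKEY_FLAGS, DNSKEY_PROTO, DNSKEY_ALG, rolled_key))
```

Run this against each domain's live DNSKEY and DS data and a mismatch tells you which of the three parties (DNS provider, registrar, registry) is out of step. A DS that points at a key no longer served is worse than no DSSEC at all: validating resolvers will treat the whole zone as bogus and the domain goes dark.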
Most DNS security vulnerabilities today can be traced back to a few core causes. The first is relying on multiple domain registrars and DNS providers. Managing something as complex as the DNS across multiple disconnected platforms leaves gaps in visibility and control, and those gaps are where DNS compromise starts.