A Complete Business Processes Guide for Corporate Domain and DNS Management

Enterprise domain and DNS management is flawed and risk-exposed in almost all large organizations. Stakeholders in IT, marketing, infrastructure, legal, and digital operations recognize that lack of control, visibility, and automation in legacy practices creates exposure. Private and public cyber-security authorities warn of known DNS network security risks. Domain and DNS hijacking, certificate compromises, appropriation of DNS controls, DNS cache poisoning, and other forms of DNS tampering are a href="https://www.zdnet.com/article/icann-there-is-an-ongoing-and-significant-risk-to-dns-infrastructure/" target="_blank">on the rise.

Domain, DNS, and certificate management problems are a direct result of manual processes throughout the end-to-end domain journey. Beginning with an initial corporate domain request, multiple processes are launched that are manual, error-prone, and costly in staff resource effort. Approval steps, DNS network and certificate provisioning, change management, governance and security maintenance typically rely on outmoded manual processes. Multiple stakeholders in the organization must execute scores of process steps on each domain and DNS zone file over its lifecycle. With corporate portfolios of hundreds to thousands of domains, errors and omissions over the domain management lifecycle make security vulnerabilities a certainty.

Domain and DNS security exposure is not a theoretical idea. Hard evidence in the form of DNS network audits conducted by the authors of this article, bolstered by independent 3rd party digital security research firms, confirms that domains and DNS networks are exposed. Forensic tests conclude that large percentages of corporate domains commonly have the following issues:

1. Lack Start of Authority (SoA), making them easy to appropriate for use
2. Orphaned resource records pointing to IPs no longer under IT control
3. TLS encryption missing on redirecting domains
4. Domains lacking correct DMARC and SPF records
5. DNSSEC showing as “signed” yet non-compliant due to expired DSKEYS
6. Domains across multiple registrars without consistent password access controls
7. Multiple DNS service vendors making change management and security compliance difficult
8. Lack of secondary DNS subjecting the organization network DDOS risk

Targeted industries such as finance, healthcare, insurance, telecommunications, tourism, supply-chain dependent manufacturers, and government need to be especially vigilant in managing their domain and related DNS networks. Audit evidence shows they are exposed.

Small businesses or those with only a few domains don’t have to worry much about domain management process. Their DNS networks are uncomplicated and relatively easy to monitor. Large enterprises with strategic digital asset portfolios are entirely different:

• The organization owns hundreds or thousands of domains
• Acquisitions lead to multiple domain registrars and managed DNS providers being in use
• Password management protocols differ across vendors: i.e.: 2FA or SSO
• Digital presence creates hundreds of redirects and subdomains
• DNS zone file resource records on the portfolio number in the thousands, managed in a constant state of change
• DNS security settings such as DMARC, SPF, and DMARC are much harder to manage at scale with manual processes

Many stakeholders manage the corporate domain process across multiple, siloed departments. Single-point accountability for the end-to-end domain management lifecycle is often missing. New domain requests pass through many layers of approval before going to IT network operations for setup. DNS security may be another team entirely. Hundreds of domains with live DNS records renew year over year, many of which have become forgotten. These “orphaned domains” and their associated DNS records are especially vulnerable to compromise.

The step-by-step processes for managing even a single domain in a large organization are complex and extensive. Large domain portfolios managed by multiple stakeholders across several departments demand effective, repeatable process, change management workflow, and audit records. Without these process basics, domain portfolios and their associated DNS networks are inevitably exposed to security risks.

Interviews confirm that large organizations typically lack a systematic workflow process for domains and DNS management. Organizations admit that their domain and DNS management processes are informal and manual. Without structured, systems-based, auditable records for domain change management, errors and omissions are inevitable, especially over the long lifecycle of unmanaged domains.

Organizations have rules and procedures for most IT operations, but domain and DNS change management is often handled via email communications and Excel spreadsheet lists of domains, passed between stakeholders. Some organizations partially automate workflow with centralized ticketing, or SharePoint applications. These systems can be time-consuming to create and manage. They’re often fragmented and lack change management audit capabilities. Internally created workflow systems typically lack integration between the domain registration process and DNS provisioning.

Organizations admit that their internal accountability for domains isn’t clear. Without ownership and accountability, domains and DNS are left unmanaged. Domain portfolios tend to grow, and old domains are rarely culled. Legacy domains can become unnecessary over time along with their associated DNS zone file resource records. DNS security settings for these domains ( DNSSEC, DMARC, SPF, and TLS certificates on redirections) are frequently broken or missing altogether.

Internal process management for domains and the DNS is difficult. Having multiple vendors makes it worse. Many organizations have more than one domain registrar; often the result corporate acquisitions. Having dozens of active, managed DNS services is even more common. Managing effective process over a fragmented domain and DNS supply chain presents other risks:

• Password and access controls are inconsistent: Some support 2FA & SSO – others do not
• Not all managed DNS services support DNSSEC
• Most registrars lack integrated controls to manage zones on preferred DNS networks
• Security policy implementation and compliance is practically impossible
• Human resource costs and constraints create operational inefficiencies
• Change management controls over multiple vendors is difficult
• Internal vendor ownership operating in silos makes oversight difficult

Business stakeholders and network security teams know that domain portfolios and the associated DNS network require ongoing governance and compliance controls. The solution usually implemented is a periodic audit of all domains, DNS zone files, and security settings. Audits are laborious, costly, and rarely establish compliance confidence.

• Domain portfolios and DNS networks are dynamic, ever-changing across multiple registrars and managed DNS providers – any audit is simply a point in time snapshot, rather than a real-time, current assessment
• Most audits are manual, lacking the IT forensic tools to accurately view HTTP status codes on thousands of zone files residing on large server networks

Audits don’t work as a standalone, point in time activity. Only real-time, ongoing processes can effectively establish and maintain control over a dynamic domain/DNS environment. Lacking system-based, automated processes, most domain and DNS audits fail to complete due to the effort required.

Domain, DNS, and certificate management processes are largely unchanged since the explosive growth of domain portfolios in the 1990s. Change management requests are often initiated by email and executed via disparate, non-integrated registrar/DNS administrative portals. DNS settings and security are administered by skilled, costly, and overburdened IT staff resources, unaided by automated tools. Ongoing governance and security compliance are left to periodic audits, powered by Excel, and often incomplete. It is difficult for IT staff to get and keep control of the DNS footprint without systems to efficiently manage the network.

The Domain, Managed DNS, and Certificate Authority service industries have been slow to provide badly needed best-practices solutions. The reason is legacy orientation. Registrars founded and grew exponentially from the 1990’s on a business model that emphasized selling more domains and, in some cases, serving enterprises with a Professional Services business model, i.e., billing their services for activity-based fees. Leading managed DNS services typically don’t offer domain registrar services. Certificate Authorities (CAs) just sell certificates.

These three related vendor categories and their respective business processes are highly interdependent. In the absence of industry-provided, integrated solutions, organizations have been obligated to manage as best they can with manual processes to control these three operational areas. Lacking packaged system offerings from the vendors, organizations have been challenged to invest the necessary time and capital to fully automate and integrate the complex processes of domain, DNS and TLS certificate management on their own.

Enterprise domain, DNS and certificate process management is stuck in a 1990s paradigm. It’s an obsolete model, far behind the demands of modern digital transformation. Manual processes, siloed operations and systems, lack of integration, and legacy vendor business models are perpetuating TCO increases and network security risk.

Increasing enterprise data security regulations make systems-based modernization of domain and DNS management a near-term imperative.

Authentic Web’s DNAM solution addresses this need by delivering system components: integration, workflow, ease of use, change management, security, and compliance. Leading global brands have adopted DNAM as a next generation control system to solve difficult DNS network security and compliance management problems while reducing Total Cost of Ownership by 30% to 50%.