A Complete Guide to Improved Management of Domains and the DNS
Corporate domains and the Domain Name System (DNS) have become an increasingly painful area for organizations to manage.
Large organizations with hundreds, even thousands of domains are finding domain management to be complex, costly, and hard for teams to keep under control. Understanding the challenges across the domain lifecycle makes it easier to identify and solve the problems.
Corporate domain portfolios and the related DNS network are growing as businesses expand their digital footprints by embracing the cloud. Domains, subdomains, redirects, text, and other DNS records must be managed, not just set and forgotten. As portfolios grow, so does the associated work effort.
Domain and DNS management touches stakeholders across the organization. Marketing, product, digital operations, and intellectual property attorneys all register domains. Network operations, IT and infosec teams are responsible for setting up and managing DNS configurations. Every domain in a portfolio generates a permanent lifecycle management burden, yet stakeholders lack a unified view where ownership and governance can be efficiently maintained.
VENDOR COMPLEXITY and SILOS
Adding to the domain management workload is the fragmented state of the domain and DNS supplier industry. Vendors include domain registrars, managed DNS services, TLS Certificate Authorities and advisory firms. Most organizations use dozens of vendors and suppliers that operate in silos, making seamless management of domains, DNS and TLS certificates nearly impossible. This has important consequences for the enterprise in security exposure, compliance gaps, and operational efficiency (Total Cost of Ownership).
Corporate domain portfolios are increasingly the source of cyber security breaches that have seriously damaged prominent brands and their customers. DNS hijacking and man-in-the-middle schemes expose brands and customers to credential and data theft. These exploits are becoming easier to execute because organizations have more domains and extended attack surfaces – all managed with manual processes by more people across more vendors.
TOTAL COST OF OWNERSHIP
Managing domains securely is costly. Organizations often understate their domain management costs by measuring only the annual domain renewal fees, possibly including third-party domain management professional services. That is the tip of the iceberg. The true cost must include the combined labor effort of all stakeholder activity throughout the domain lifecycle. The cost of managing, governing, and securing domains and the DNS over the portfolio lifecycle is significantly understated. IT teams are burdened with unproductive domain management tasks, reducing their availability for higher-priority work. TCO must consider all three: the hard dollars paid to vendors, the time expended by stakeholders, and the opportunity cost of unproductive domain and DNS administration work.
Domain management is much more complex today than it was in the 1990s. Companies own orders of magnitude more domains. Additionally, there are over 1,000 top-level domains to consider and the DNS networks now extend the digital footprint. Business is digital and digital runs on the DNS.
Unfortunately, most domain registrar administration portals and DNS management tools are little different today than they were at the turn of the century. Most organizations operate DNS networks with manual processes, lacking end-to-end change management systems or controls. Manual domain management is costly, inefficient, and insecure, yet solutions aren’t easy when overall ownership is unclear and internal stakeholders abound, operating in silos. Further complicating matters, the external vendor ecosystem within enterprises is fragmented. It’s time to take a look at the best practices for the end-to-end domain management lifecycle.
The domain lifecycle management journey starts with a business stakeholder who requires a new domain registration – the Originator.
Originators include sales, marketing, product management, intellectual property/brand protection, and other stakeholders. To make sound decisions and prevent errors and omissions along a domain's lifecycle, the domain origination process should adhere to a policy, but adherence is rarely monitored or enforced. The “Approver” role evaluates and decides upon the originator’s request and processes the domain registration.
Once the domain is registered, IT takes over and DNS edits begin until the day, possibly years later, when someone decides it’s time to let that domain expire. What sounds simple is not so. It’s a complex and painful process. Lacking change management systems or clear lifecycle ownership, organizations rely on email threads, a central ticketing system or perhaps a SharePoint “front-end.” Few such processes include an audit record or history of an original domain request or tools to manage DNS security policies. Years after a domain was initially registered, who knows why it was registered or what potential exposures exist on the DNS?
The domain management lifecycle starts with a business originator, but IT owns at least 80% of the journey thereafter.
Effective management of domains, the DNS and associated security for a portfolio of hundreds to thousands of domains can be painful. IT is often operationally siloed from other business groups and domain stakeholders in an organization. Network operations and IT security staff typically operate separately. This creates challenges around clear ownership and responsibility. Grey lines on control, security, and compliance ownership create ideal opportunities for nefarious actors looking for security gaps.
FOUR CHALLENGES FACED BY IT
1. IT Administrators Don’t Control the Registrar Vendor Decisions
Organizations typically use more than one domain registrar and active DNS service. IT has to manage complex network settings across multiple vendor platforms. Each registrar and DNS service has its own administrative interface and password security regime. Some support DNSSEC – others don’t. Few services integrate with each other or the enterprise’s own change management environment. The burden of managing this fragmented, non-integrated vendor environment falls on IT.
2. DNS Security without Automated Change Management
Experts agree that domains and the DNS are vulnerable to growing security risks. DNS hygiene involves much more than implementing registrar lock and TLS certificates. Older versions of TLS are known to be vulnerable. Certificate Authorities have been compromised, and fake certificates have been fraudulently presented in DNS hijacking schemes. Even the most diligent certificate managers fail to encrypt redirecting domains, providing an attack vector for nefarious actors. Domains, DNS zone files, TLS certificates and DNS security settings such as SPF, DMARC and DNSSEC all need to be managed. In addition, stale DNS records and lame delegations need to be eliminated. All of this relies on manual work by IT and IT Security teams, whose success is hampered by a lack of visibility and automation tools. Various siloed systems lack consistent permissioned access, change approvals, audit histories and real-time alerts when system changes are made. This exposes organizations to security risk as old, forgotten domains, DNS settings and non-compliant TLS certificates become easy targets. Without end-to-end change management, DNS security and compliance management, the DNS is easily compromised, while IT remains burdened with manual processes.
3. Internal DNS Audits Don’t Happen and Don’t Work
Secure domain, DNS and TLS certificate management requires periodic audits of DNS zone files. Few organizations are aware of the state of their DNS network in real-time or have audit histories required for regulatory compliance. Audits are laborious, manual exercises. They tie up IT resources only to produce reports months after the baseline records have changed – if in fact the audit gets completed at all. Without an audit to first GET control of the DNS network and tools to KEEP control, organizations are especially vulnerable to actors that target large, unmonitored legacy domain portfolios.
IT teams face two issues that make domains and the DNS painful to manage:
- The landscape is complex, constantly changing and increasingly exposed to serious security threats
- The internal team is under-resourced and lacks automated, tamper-proof change management systems to easily manage the domain and DNS lifecycle
As global domain and DNS research emphasizes the need for increased enterprise security measures, organizations need to assess whether their internal practices meet a modern standard of compliance. Without automated DNS change management systems to help teams succeed, full compliance is unfeasible. Management must recognize that the DNS lifecycle landscape has dramatically changed. Domain and DNS consolidation together with change management system modernization is the only pragmatic solution.
Large portfolios with years – even decades of accumulated legacy domains and DNS configurations create governance and compliance pain for the organization that grows over time.
Domain portfolio governance is a necessary process of continually examining every domain registered by the organization to determine whether it should be renewed or expired upon its registration anniversary date. When hundreds or thousands of domains are involved, expiring monthly on contract terms ranging between one and ten years, it can become a painful and costly area to manage. Without an end-to-end change management system with tamper-proof historical data and audit reports, domain stakeholders have a difficult time knowing which domains are necessary vs. those that can be discarded. Most organizations simply keep domains indefinitely, which creates problems. The bottom line is that if you own a domain you need to manage it. Failure to do so exposes the business to security risk and compliance gaps.
In the absence of an automated DNS management system, necessary domain, DNS zone file, and security settings become manual exercises. Manual audits are laborious and costly. Few enterprises comprehensively examine and report the status of each domain, subdomain, domain redirect, and their associated DNS zone files. A complete audit should minimally answer:
- Does every domain in the portfolio have a valid SOA (start of authority) record, to mitigate hijacking?
- Are SPF, DMARC and DNSSEC correctly configured on every domain?
- Is there a valid TLS certificate on every domain and redirect?
- Is the portfolio free from HTTP 400-series response codes?
- Are all resource records checked for orphaned settings that point to unmanaged servers?
- Is there a tamper-proof record of change activity for each domain and DNS setting?
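As an added example (not code from this article or from Authentic Web), the SOA, SPF, DMARC, DNSSEC and orphaned-record questions above can be evaluated mechanically. The script below runs those checks over constructed, clearly labelled sample records standing in for live resolver answers; the domain names, record values and the `RECORDS` structure are all made up for illustration, and the TLS and HTTP checks are left out because they need a live connection.

```python
# Constructed sample answers (not real DNS data): (owner, type) -> rdata strings.
# A name absent from every key is treated as NXDOMAIN.
RECORDS = {
    ("example.test", "SOA"): ["ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300"],
    ("example.test", "TXT"): ["v=spf1 include:_spf.mail.test -all"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    ("example.test", "DS"): ["12345 13 2 PLACEHOLDERDIGEST"],
    ("www.example.test", "CNAME"): ["example.test."],
    ("promo.example.test", "CNAME"): ["retired-app.hosting.test."],  # target no longer exists
    ("legacy.test", "SOA"): ["ns1.legacy.test. hostmaster.legacy.test. 1 3600 900 604800 300"],
    ("legacy.test", "TXT"): ["v=spf1 +all", "v=spf1 -all"],  # two SPF records: invalid
    ("_dmarc.legacy.test", "TXT"): ["v=DMARC1; p=none"],
}

def lookup(records, name, rtype):
    return records.get((name.rstrip("."), rtype), [])

def name_exists(records, name):
    n = name.rstrip(".")
    return any(owner == n for owner, _ in records)

def check_spf(records, domain):
    spf = [t for t in lookup(records, domain, "TXT") if t.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"  # RFC 7208: more than one SPF record is a permanent error
    last = spf[0].split()[-1].lower()
    return "ok" if last in ("-all", "~all") else "permissive"  # +all / ?all / no all

def check_dmarc(records, domain):
    txt = [t for t in lookup(records, "_dmarc." + domain, "TXT") if t.upper().startswith("V=DMARC1")]
    if not txt:
        return "missing"
    tags = dict(kv.strip().split("=", 1) for kv in txt[0].split(";") if "=" in kv)
    return "ok" if tags.get("p", "none").lower() in ("quarantine", "reject") else "monitor-only"

def dangling_cnames(records):
    # Orphaned setting: a CNAME whose target name resolves to nothing at all.
    return sorted(owner for (owner, rtype), rdata in records.items()
                  if rtype == "CNAME" and not name_exists(records, rdata[0]))

def audit_domain(records, domain):
    return {
        "soa": bool(lookup(records, domain, "SOA")),
        "spf": check_spf(records, domain),
        "dmarc": check_dmarc(records, domain),
        "dnssec_ds": bool(lookup(records, domain, "DS")),
    }
```

Replacing `RECORDS` with answers from a real resolver (for example via dnspython, with DS queried at the parent) turns this into the recurring portfolio audit the text describes.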
Whether manually conducted or automated via modern control systems, audits are a necessary governance task. Manual audits are insufficient and come with a significant IT cost burden. However, if not done, the business accepts the compliance gap and security exposure.
TOTAL COST OF OWNERSHIP GROWTH
The true cost of ownership of domains and the DNS has multiplied since the 1990s. Organizations tempted to reduce TCO by skipping essential governance tasks such as domain/DNS audits expose themselves to unacceptable security risk. Domains accumulate in over-sized, bloated portfolios. Subdomains and redirection domains expand the corporate digital footprint further, requiring increased, ongoing management and governance. All of this burdens IT, digital, product, InfoSec, network operations and other stakeholders with increased work effort.
Managing the domain lifecycle is inefficient and labor-intensive, driving an unnecessarily high Total Cost of Ownership for domain portfolios.
CONTROL SYSTEM SOLUTION SUMMARY
The domain management lifecycle spans multiple stakeholder roles across years of domain ownership. Over time this area has become increasingly complex. Nefarious actors have recognized that the DNS is a weak point in corporate IT security that is relatively easily compromised.
Only an end-to-end change management system can reliably establish visibility and control over every domain, related DNS hygiene, TLS certificates and DNS security settings to improve enterprise security, compliance, and performance. Essential capabilities of an effective change management system must minimally include:
- Integration between a single, enterprise-grade domain registrar and a primary DNS service, plus secondary backup DNS service
- Access to domain and DNS change management; hierarchically permissioned by approved role and password-secured using MFA or SSO
- A tamper-proof audit log of every change by user
- Automatic communication of all changes to designated management via alerts
Most importantly, the change management system must provide a fully integrated “single pane of glass” view of not only the domain portfolio, but all ancillary services: DNS values, TLS certificates, and all DNS security settings. Extreme ease of use for all stakeholders is essential to promote adoption without exceptions and 100% error-free compliance.
By placing all domain and DNS-related change management operations under a single control system, domain lifecycle management becomes pain-free. Compliance is automatically enforced via a rules-based system, eliminating human error. Error detection and automatic remediation reduces labor while ensuring flawless domain and DNS operations. System-generated reports such as DNS traffic by domain can help management identify unnecessary domains to reduce overall portfolio size.
Authentic Web is a solutions provider bringing together, in a single control system, approval workflow, compliance audit, domain registrar, DNS, and TLS management, all dedicated to helping enterprise domain stakeholders.