DNS: It works, so why change?

BY Joshua Hamilton

As I finish my first year working on Enterprise DNS, DHCP and IP address management (commonly referred to as DDI) solutions, I have learned quite a bit: what it means to provision networks, the difference between recursive and authoritative servers, the importance of caching layers, what a DMZ is, and a whole slew of acronyms you could make alphabet soup with.

The biggest thing I've come to understand is why companies change their DNS in the first place. Most organizations I've spoken with are using the DNS server role built into Windows Server. It's “free” and it works. So why would anyone bother with the effort of replacing it? The short answer is that built-in Microsoft DNS faces challenges that can lead to outages, security risks, and unnecessary complexity in your network.

1. The Outage

DNS (the Domain Name System) is a critical part of any organization's network infrastructure. It's what every device uses to find where it needs to go on the network, whether that is checking out what your friends did on Instagram over the weekend or finding a critical piece of information on your company's intranet. DNS works quietly behind the scenes and nobody thinks about it because it works...until it doesn't.

A DNS outage can cripple even the most technologically advanced companies. According to the Ponemon 2016 Cost of Data Center Outages report, the average DNS outage lasts 91 minutes and costs $8,851 per minute. For organizations in financial services or manufacturing, those numbers can be far higher and are better measured in dollars per second.

Human error is the most common cause of DNS outages. Accidental record deletion, unauthorized changes, a lack of data validation, and poor traceability of who changed what are common concerns for organizations with a decentralized, Microsoft-based DNS infrastructure. Enterprise DNS addresses these by automating traditionally manual and error-prone tasks and by putting validation and an audit trail around every change.
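What "validation and traceability" look like in practice, as an added example that is not BlueCat's code or a description of its product: a proposed change set is checked against a snapshot of the zone before anything is applied, and every operation is written to an audit line with the operator's identity. The zone contents (`example.corp.`), the record names, the operator names and the checks themselves are constructed for this illustration; a real implementation would take the zone from the server and the operator from the authentication layer.

```python
"""Pre-change validation for a DNS zone (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class Record:
    name: str    # absolute, lower-case owner name with trailing dot
    rtype: str   # A, AAAA, CNAME, NS, MX
    rdata: str   # textual RDATA, e.g. "10 mail.example.corp." for MX


# Constructed snapshot of the zone example.corp. as it exists before the change.
ZONE = {
    Record("ns1.example.corp.", "A", "10.0.0.53"),
    Record("example.corp.", "NS", "ns1.example.corp."),
    Record("mail.example.corp.", "A", "10.0.1.25"),
    Record("example.corp.", "MX", "10 mail.example.corp."),
    Record("www.example.corp.", "CNAME", "web01.example.corp."),
    Record("web01.example.corp.", "A", "10.0.2.10"),
}


def _targets(zone):
    """Names that other records point at; deleting their addresses leaves dangling references."""
    targets = set()
    for r in zone:
        if r.rtype in ("CNAME", "NS"):
            targets.add(r.rdata.lower())
        elif r.rtype == "MX":
            targets.add(r.rdata.split()[-1].lower())
    return targets


def validate(zone, changes, operator, allowed_operators, apex="example.corp."):
    """Apply `changes` (list of (op, Record), op in {"add", "delete"}) to a copy of
    `zone`, check the resulting zone, and return (errors, audit_lines).
    The caller must refuse to push anything to a server unless `errors` is empty."""
    errors, audit = [], []
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    if operator not in allowed_operators:
        errors.append(f"{operator} is not authorised to change {apex}")

    final = set(zone)
    for op, rec in changes:
        if rec.name != rec.name.lower() or not rec.name.endswith("."):
            errors.append(f"{rec.name}: owner names must be absolute and lower-case")
        if op == "add":
            final.add(rec)
        elif op == "delete":
            if rec in final:
                final.discard(rec)
            else:
                errors.append(f"delete of non-existent record {rec.name} {rec.rtype} {rec.rdata}")
        else:
            errors.append(f"unknown operation {op!r} for {rec.name}")
        # Traceability: who did what, when, regardless of whether it is accepted.
        audit.append(f"{stamp} {operator} {op} {rec.name} {rec.rtype} {rec.rdata}")

    # Invariants on the zone as it would look after the change.
    by_name = {}
    for r in final:
        by_name.setdefault(r.name, set()).add(r.rtype)
    for r in final:
        if r.rtype == "A":
            try:
                ipaddress.IPv4Address(r.rdata)
            except ValueError:
                errors.append(f"{r.name}: {r.rdata!r} is not a valid IPv4 address")
        if r.rtype == "CNAME" and by_name[r.name] != {"CNAME"}:
            errors.append(f"{r.name}: CNAME cannot coexist with other records at the same name")
    for t in _targets(final):
        in_zone = t == apex or t.endswith("." + apex)
        if in_zone and not by_name.get(t, set()) & {"A", "AAAA", "CNAME"}:
            errors.append(f"{t}: referenced by CNAME/NS/MX but has no address record")
    if "NS" not in by_name.get(apex, set()):
        errors.append(f"{apex}: zone would have no NS records")
    return errors, audit


if __name__ == "__main__":
    # Accidental deletion of the web server's address: the CNAME www -> web01 would dangle.
    errs, log = validate(ZONE, [("delete", Record("web01.example.corp.", "A", "10.0.2.10"))],
                         "alice", {"alice"})
    print("errors:", errs)
    print("audit:", log)
```

Checking the zone as it would look after the whole change set, rather than each operation in isolation, is what lets a legitimate replace (delete the old A record, add the new one) pass while a bare deletion of a referenced name is rejected.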

2. The Security Risk

Since DNS is required in every part of the network, it's no wonder that over 91% of malware uses DNS at some stage of an attack. The surprising thing is that 68% of organizations don't even monitor their recursive DNS data. According to the Ponemon 2018 Cost of a Data Breach Report, the average time to identify a breach is 197 days and the average time to contain one is 69 days, and the average breach costs an organization around $3.8 million. If a breach can be that costly and take that long to identify and contain, wouldn't it make sense to monitor the system that most malware touches?

With Enterprise DNS, you can apply security policies at the query level, gain visibility into what every device on your network is trying to reach, and make sure that relevant threat information is forwarded to your SIEM. This greatly reduces the time it takes to detect malicious activity, contain it, and identify “patient zero”. One of our clients recently experienced a TrickBot infection on their network, and through BlueCat's Enterprise DNS solutions they were able to detect the breach and contain it in less than a week.
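To make the previous two paragraphs concrete, here is an added example (my own code, not BlueCat's product or the client's environment) of the kind of detection that recursive DNS query logs enable once you keep them: a handful of rules run over a constructed query log, emit SIEM-ready JSON events, and name the first client that alerted as the starting point for a "patient zero" investigation. The log format, client addresses, domain names, the blocklisted domain `bad-c2.example` and all thresholds are constructed assumptions for this illustration, not vendor defaults or real indicators.

```python
"""Detections over recursive DNS query logs (added example, constructed data)."""
import json
import math
import re
from collections import Counter, defaultdict

# Constructed log lines in a deliberately simple format: timestamp client qtype qname rcode.
SAMPLE_LOG = """\
2024-05-06T08:00:01Z 10.20.30.11 A www.example.com NOERROR
2024-05-06T08:00:05Z 10.20.30.11 A cdn.example.net NOERROR
2024-05-06T08:02:10Z 10.20.30.44 A xk3q9v2lrwpz8bt.biz NXDOMAIN
2024-05-06T08:02:11Z 10.20.30.44 A q7ml2zvx9wkc4rt.biz NXDOMAIN
2024-05-06T08:02:12Z 10.20.30.44 A n8xqv7lz3kwmt5p.biz NXDOMAIN
2024-05-06T08:02:13Z 10.20.30.44 A c9twl4zq8xvk2mp.biz NXDOMAIN
2024-05-06T08:02:14Z 10.20.30.44 A 8vkqz3xlm7twp4c.biz NXDOMAIN
2024-05-06T08:02:15Z 10.20.30.44 A r4pxz2vlqk9wmt7.biz NOERROR
2024-05-06T08:03:00Z 10.20.30.44 TXT 6a6f6e65733a323031.t.bad-c2.example NOERROR
2024-05-06T08:05:30Z 10.20.30.12 A mail.example.com NOERROR
2024-05-06T08:09:00Z 10.20.30.12 A r4pxz2vlqk9wmt7.biz NOERROR
2024-05-06T08:10:00Z 10.20.30.12 TXT 3a3435383a30303030.t.bad-c2.example NOERROR
"""

BLOCKLIST = {"bad-c2.example"}   # constructed threat-intel indicator
DGA_MIN_LEN = 12                  # tuning assumptions for this example, not vendor defaults
DGA_ENTROPY = 3.5
NXDOMAIN_BURST = 5
HEX_LABEL = re.compile(r"[0-9a-f]{16,}")
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+) (?P<rcode>\S+)$")


def parse(text):
    """Yield one dict per well-formed log line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            q = m.groupdict()
            q["qname"] = q["qname"].rstrip(".").lower()
            yield q


def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score near log2(len)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def in_blocklist(qname):
    return any(qname == d or qname.endswith("." + d) for d in BLOCKLIST)


def _alert(alerts, q, rule, severity):
    alerts.append({"ts": q["ts"], "client": q["client"], "qname": q["qname"],
                   "qtype": q["qtype"], "rule": rule, "severity": severity})


def detect(text):
    """Run the rules over the log and return alerts in log order."""
    alerts = []
    nxdomains = defaultdict(list)   # client -> timestamps of NXDOMAIN answers
    for q in parse(text):
        labels = q["qname"].split(".")
        if in_blocklist(q["qname"]):
            _alert(alerts, q, "blocklist_hit", "high")
        # Registrable label taken naively as the second label from the right;
        # production code would consult the public suffix list (co.uk etc.).
        if len(labels) >= 2:
            sld = labels[-2]
            if len(sld) >= DGA_MIN_LEN and shannon_entropy(sld) >= DGA_ENTROPY:
                _alert(alerts, q, "dga_like_name", "medium")
        # Long hex-encoded leftmost label on a record type that carries free-form data
        # is the classic shape of DNS tunnelling / exfiltration.
        if q["qtype"] in ("TXT", "NULL", "CNAME") and HEX_LABEL.fullmatch(labels[0]):
            _alert(alerts, q, "possible_tunneling", "high")
        if q["rcode"] == "NXDOMAIN":
            nxdomains[q["client"]].append(q["ts"])
    # A client failing to resolve many names in a row is probing a DGA's candidate list.
    for client, stamps in nxdomains.items():
        if len(stamps) >= NXDOMAIN_BURST:
            alerts.append({"ts": stamps[0], "client": client, "qname": None, "qtype": None,
                           "rule": "nxdomain_burst", "severity": "medium"})
    return alerts


def patient_zero(alerts):
    """Earliest alerting client: where an investigation of lateral spread starts."""
    return min(alerts, key=lambda a: a["ts"])["client"] if alerts else None


def to_siem(alerts):
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    print("\n".join(to_siem(found)))
    print("patient zero:", patient_zero(found))
```

In the constructed log, 10.20.30.44 walks through a burst of random-looking names, gets one to resolve, then starts sending hex-encoded TXT queries to the blocklisted domain; 10.20.30.12 follows a few minutes later with the same resolved name and the same tunnelling pattern. None of this is visible if recursive query logs are not kept, and all of it is visible from the logs alone, without an endpoint agent.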

3. Unnecessary Complexity

Microsoft is not a DNS company, and as such its DNS server is more of an afterthought than a purpose-built tool. As organizations grow, organically or through acquisition, the network naturally becomes more complex. Suddenly, several dozen or even hundreds of domain controllers are running DNS. This is a nightmare to maintain and typically results in home-grown architectures, ad hoc conditional forwarders, and tangled delegations.

Enterprise DNS helps by consolidating these servers and optimizing your network traffic with an architecture based on industry best practices. This gives you a single source of truth for all DNS, DHCP, and IP address space, so updates for all of your servers are made through one centrally managed platform that your automation and cloud initiatives can build on.

All of this is just the tip of the iceberg. Enterprise DNS offers many more capabilities to an organization that knows how to use it.

As we all know, technology is constantly evolving. Every day we hear new buzzwords that could become the next technological revolution: cloud, automation, software-defined networking. Companies spend millions of dollars every day trying to keep up and make sure their network is reliable, secure, and on the cutting edge.

For many organizations it's tempting to rush after these new capabilities while neglecting the core infrastructure beneath them. One of the most important things to remember as you plan these projects is not to forget the foundation of the entire network. Underneath the cloud, AI, and machine learning sits an IP address, a DNS query, and probably a DHCP lease. Make sure your next-generation initiatives aren't sitting on an out-of-date platform.

Want to learn more about BlueCat's Enterprise DNS capabilities? Contact us today. We'd love to have the conversation with you.

Joshua Hamilton is an Account Executive for BlueCat and has been a part of the team since 2017. He has been in the software industry since 2012 and graduated from the University of North Texas.