Domain Name System (DNS): It works, so why change?

BY Joshua Hamilton

There are a few things I’ve learned in my first year of working on Adaptive DNS solutions. I know what it means to provision networks, the difference between recursive and authoritative servers, and the importance of caching layers. I know what a DMZ is, and a whole slew of other acronyms that you could make alphabet soup with.

Most companies use the default Microsoft DNS. It's “free” and it works. So why change? My biggest take away on that - the default system is challenged with outages, security risks, and unnecessary network complexity.

1. The Outage

DNS (Domain Name System) is a critical part of any organization's network infrastructure. It's what a device uses to connect to the network. DNS makes it all happen. DNS is quietly working behind the scenes. Nobody cares about it because it works...until it doesn't.

A DNS outage can cripple even the most advanced companies. According to the Ponemon 2016 Cost of Data Center Outage Report, the average DNS outage lasts 91 minutes and costs $8,851 per minute. If that organization is in the financial services or manufacturing industry, those numbers can be significantly higher and are measured in dollars per second.

Human error is the most common cause of DNS outages. Accidental DNS record deletion, unauthorized changes, and lack of data validation are all common concerns for a decentralized DNS infrastructure. Adaptive DNS solves these challenges by automating manual, repetitive and error-prone tasks.

2. The Security Risk

DNS goes beyond assigned names and numbers. It is a basic requirement for every network so it's no wonder that over 91% of malware leverage DNS for their attacks. Surprisingly, 68% of organizations don't even monitor the data on their recursive DNS servers. According to the Ponemon 2018 Cost of Breach Report, the average time to detect a breach is 197 days and to contain it is 69 days. The average breach can cost an organization around $3.8 million. With these statistics, wouldn't it make sense to monitor the system that is leveraged by most malware attacks?

With Adaptive DNS, you can apply security policies at the query level, gain greater visibility into the intent of every device, and make sure that important threat information is sent to your SIEM. This allows you to quickly detect malicious activity, contain it, and identify “patient zero”. One of our clients recently experienced a TrickBot attack. Through BlueCat’s Adaptive DNS solutions, they were able to detect the breach and contain it in less than a week.

3. Unnecessary Complexity

Microsoft is not a DNS company. TheirDNS tools are more of an afterthought than a purpose-built tool. As organizations grow (organically or through acquisition), the network naturally becomes more complex. Suddenly, several dozens or even hundreds of domain controllers are running DNS. This can be a nightmare to maintain, and typically result in a lot of home-grown architectures, conditional forwarding servers, or delegation scenarios. This makes your system’s DNS infrastructure complex.

Adaptive DNS helps by consolidating these existing servers and optimizing your network traffic through an architecture based on industry best practices. This gives you a single source of truth for all DNS, DHCP, and IP Address space. Updates can be made for all servers through one centrally managed platform and can be leveraged through automation and cloud initiatives.

Conclusion

All of this is just the tip of the iceberg. Adaptive DNS can provide many more capabilities if an organization knows how to leverage it.

Technology is constantly evolving and changing. Everyday we hear new and exciting buzzwords that could become the next technological revolution like Cloud, Automation, and Software Defined Networks. Companies spend millions of dollars daily to ensure their network is reliable, secure, and on the cutting edge.

For many organizations, new network capabilities take precedence over a stable core infrastructure. Underneath cloud, AI, and machine learning sits an IP Address, a DNS query, and probably a DHCP lease. Are your next gen initiatives sitting on top of an outdated platform?

Want to learn more about BlueCat’s Adaptive DNS capabilities? Learn more about BlueCat’s DDI. Let’s talk!

Joshua Hamilton

Joshua Hamilton is an Account Executive for BlueCat and has been a part of the team since 2017. He has been in the software industry since 2012 and graduated from the University of North Texas.

View more articles by Joshua Hamilton