- BY Ben Ball

Secure, cloud-managed network services through DNS

The cloud offers a whole new world of flexibility and functionality.  But like every IT system, it comes with some tradeoffs.  For all its advantages and promise, the cloud is yet another system that administrators have to manage and secure. 

Reducing complexity

Decentralized or parallel management of DNS infrastructure between on-prem and cloud environments can result in a situation where the advantages of automation, DevOps, and other high-level functions actually become harder to achieve.  If you’re using a default option for DNS such as Microsoft or BIND, managing resources in the cloud will only result in more custom work-arounds and Rube Goldberg solutions.

Complexity quickly becomes a significant issue when assets and compute are managed across different cloud platforms or between cloud and on-prem environments.  Keeping track of overlapping zones and routing rules in particular can be an operational challenge.  More often than not, administrators create a tangle of pathways to keep DNS up and running in the cloud, even if those pathways come with downsides for compliance or network efficiency. 

That’s why BlueCat has a flexible, intelligent DNS resolution service to manage routing of cloud assets.  Here’s how it works:  within BlueCat’s DNS Edge, each data source is a DNS namespace. When DNS Edge is the first hop, it simply checks each source in whichever order the administrator chooses. If the answer isn’t returned from the first namespace, DNS Edge forwards the query to the next namespace in the priority order – this continues until an answer is found.

Easing integration

Another challenge is finding a solution which integrates well with your cloud provider(s) of choice.  While some DNS companies pick a cloud partner to the exclusion of all others, BlueCat recognizes that most large enterprises use an “all of the above” approach to the cloud.  That’s why our DNS management tools are available and certified on AWS and Azure, with Google Cloud Platform coming very soon.  We also work with many of the major providers of private clouds, allowing our customers to manage their DNS infrastructure wherever they please.

Implementing security

Security is a paramount concern for any network administrator, and the cloud adds yet another layer of infrastructure to worry about.  Have you ever tried to implement DNSSEC using decentralized management through BIND or Microsoft tools?  It’s not easy.

Implementing DNSSEC in BIND requires a series of onerous command-line changes to configure each server. Generating the DNSSEC keys, attaching them to the relevant machines, and testing the infrastructure takes a lot of time. Then you have to do it for every parent and child server in the network.  When those parent and child servers cross multiple clouds, this can become an enormous task.

In Windows, implementing DNSSEC is similarly work-intensive. First, you sign a zone and verify that the signing scheme is operating correctly. Then you use “trust anchors” to distribute that signing scheme to the child zones. Unfortunately, those “trust anchors” won’t automatically adjust themselves when the parent zone is re-signed, requiring network administrators to constantly re-distribute “trust anchors” to the child zones when the parent signatures change.  Again, doing this across parallel cloud and on-prem assets is very work-intensive.

In contrast, BlueCat’s enterprise approach to DNS makes implementation of DNSSEC ridiculously simple – in the cloud or anywhere else. In BlueCat’s unified DNS Integrity system, you check a box, and the DNSSEC scheme automatically populates throughout the zone. No command lines, manual distribution of trust anchors, or wondering whether it’s actually working.  It just happens for the parent and child zones in one click.

Securing and managing DNS assets from the cloud doesn’t have to be difficult.  With a centralized, automated, secure management platform, DNS can actually become an asset for your cloud deployment rather than a drag on functionality.

Learn more about BlueCat’s approach to DNS in the cloud here.

Ben Ball

Ben Ball is a Government Market Manager at BlueCat, handling business development and marketing outreach in the Federal, State, and local government markets. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.

View more articles by Ben Ball