Enterprise tactics to manage DNS for remote work

BY Ben Ball

Nobody planned for this.  Working from home may have been at the back of everyone’s mind as a glorious utopian state.  Even so, they probably thought of it as five years away, ten years away, or one of those “always on the horizon” kind of things.  Now, suddenly, just about everyone who can work from home is doing it.

Here at BlueCat, we’ve been polling our customers and combing through the data to figure out what this all means for your DNS.  Here’s what we’re seeing and hearing:

Increased use of DNS over HTTPS (DoH):  As outlined in a recent post, use of DoH started to skyrocket over the last two weeks, jumping an astounding 1500% across our user base.  This should be a concern for network administrators, who suddenly lack visibility into DoH-encrypted traffic.

What you should do:  Block existing DoH services through use of a response policy zone (RPZ).  This is a five-minute configuration change in our DNS Integrity product.
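As an added illustration (not BlueCat's code or the DNS Integrity configuration), the snippet below generates a BIND-style RPZ zone whose QNAME triggers return NXDOMAIN for well-known public DoH resolver hostnames, and mimics how a resolver matches a query against those triggers. The zone name `rpz.corp.example` and the resolver list are assumptions for the example.

```python
"""Added example: build an RPZ zone that blocks DoH resolver hostnames and
show how QNAME triggers match. The hostname list is illustrative; extend it
for your own policy. The zone origin is an assumed placeholder."""

# Well-known public DoH endpoints (illustrative, not exhaustive).
DOH_RESOLVERS = [
    "dns.google",
    "cloudflare-dns.com",
    "dns.quad9.net",
]

RPZ_ORIGIN = "rpz.corp.example"  # assumed name of the policy zone


def build_rpz_zone(names, origin=RPZ_ORIGIN, serial=1):
    """Return the text of an RPZ zone file.

    In RPZ, 'CNAME .' is the action meaning "answer NXDOMAIN". The exact
    owner name blocks the resolver hostname itself; the '*.' wildcard
    record blocks any subdomain beneath it as well.
    """
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        f"@ SOA ns1.{origin}. hostmaster.{origin}. {serial} 3600 600 86400 60",
        f"@ NS ns1.{origin}.",
    ]
    for name in names:
        lines.append(f"{name} CNAME .")      # exact QNAME trigger
        lines.append(f"*.{name} CNAME .")    # wildcard QNAME trigger
    return "\n".join(lines) + "\n"


def rpz_action(qname, names):
    """Mimic QNAME-trigger evaluation for the zone above.

    Names are compared case-insensitively and without a trailing dot, as
    a resolver would. Returns "NXDOMAIN" when an exact or wildcard trigger
    matches, otherwise "PASS" (normal resolution continues).
    """
    q = qname.rstrip(".").lower()
    for name in names:
        if q == name or q.endswith("." + name):
            return "NXDOMAIN"
    return "PASS"


if __name__ == "__main__":
    print(build_rpz_zone(DOH_RESOLVERS))
    for q in ("dns.google", "mozilla.cloudflare-dns.com.", "www.example.com"):
        print(f"{q:32} -> {rpz_action(q, DOH_RESOLVERS)}")
```

The policy only takes effect when clients resolve the DoH server's hostname through the corporate resolver; a client configured with the resolver's IP address directly never issues that lookup, so pair the RPZ with egress filtering or endpoint policy where that matters.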

Split tunnel VPNs:  So-called “split tunnel” VPNs separate internal corporate traffic from external DNS connections.  Internal traffic goes through the VPN as usual, but external traffic is routed through the user’s ISP.  The advantage of a split tunnel VPN is reduced load on corporate networks.  The downside is decreased visibility into external domain traffic, and the inability to block those DNS queries.

What you should do:  To maintain visibility and control over all network activity on corporate devices, admins should consider reconfiguring VPN settings so that all queries come through the corporate DNS. They usually do anyway (since intranet names can't be resolved without corporate DNS), and this also avoids the risk of a poisoning attack in which an external DNS resolver could misdirect users into visiting an external site. Fair warning: split tunnels can be a nightmare to manage.

Bandwidth and application performance issues:  As remote workers continue to use VPN connections, the downstream effects on capacity will be significant.  Are there enough networks allocated for VPN users?  Are underlying services like DHCP correctly sized for increased remote usage?  Is latency increasing to an unacceptable level?  You can have all the VPN licenses in the world, but if devices can’t obtain network addresses then they can’t connect anyway.

What you should do:  Network admins should identify new choke points for network access and implement strategies to mitigate the risk of scaling in new directions.  That could mean creating new networks to account for expanded VPN usage, and revisiting DHCP allocations to make sure there’s enough capacity.  If you’re not there already, now’s the time to lean on SaaS solutions to decrease latency-inducing connections to the core network.

Business as usual:  Thankfully, the day-to-day management of DNS infrastructure hasn’t actually changed that much over the last month.  The patterns of internal and external DNS queries are probably going to be the same.  Everyone’s still accessing the same internal resources and the same pattern of external websites.  The only difference is that they’re getting to the network through a VPN instead of an in-office connection.

What you should do:  Thank your lucky stars that you aren’t trying to juggle IP address spreadsheets on top of everything else that’s going on.

Dig deeper into recommendations for network configuration in our infrastructure deployment white paper.

Ben Ball

Ben Ball is the Director of Strategy and Content Marketing at BlueCat. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.
