DNS Audits: What You Need To Know

3450 0

Any organization that has online facing assets needs to realize that having a single point of failure is a bad idea. As we saw with the Mirai botnet attack against a managed DNS provider in October, losing a mission-critical service like DNS can be devastating to organizations that are dependent on online access or services for their day-to-day business activities.

Losing your DNS can take down your website, email, apps, and other critical online assets, making your organization unreachable online. In today’s Connected World, seconds of downtime can impact your bottom line and minutes or hours of downtime can start a chain reaction including the cost of customer support calls, PR and marketing responses, and the cost of lost productivity from your internal resources.  Continuing issues begin to reflect badly upon your organization’s reputation and can cause individuals to look elsewhere for a more stable or reliable service.

Protecting Your DNS

When was the last time you took a good look at your DNS? If yours is like most organizations, you set it up once and forget about it, rarely revisiting your DNS strategy. This is why having a professional DNS audit is so important. Things change rapidly, bit by bit, and it’s important to check your DNS just like you would check the oil in your car on a regular basis. It’s about keeping up regular maintenance so you can find and fix the little issues before they become bigger problems.

Here are some best practices for making the most of your DNS audit:

Reduce Email Spoofing With A Properly Configured SPF

The sender policy framework (SPF) helps prevent email spoofing. However, if it is not configured properly, emails can be spoofed, which can damage your organization’s image. Some configuration errors may include invalid syntax or the incorrect use of multiple strings.

Verify Your Negative Caching

Negative caching allows a DNS server to hold the record of a negative response from a lookup. This means when someone requests a name that does not exist and the server has already looked it up, it remembers the last result of the request. It can then respond automatically for a certain period of time without having to look up the information again.

If you set your negative caching too low, it can use too much bandwidth repeatedly retrieving the same information.

Optimize Your TTL Settings

Time to live (TTL) tells a server how long it should wait before it refreshes its DNS information. If the TTL setting is too small, it can increase the load on the DNS server from excessive queries. If it is set to zero, it may not resolve at all. If the setting is too high and you have an error, it can take a long time DNS changes to be utilized by end users. Start with TTL of one hour and adjust the DNS TTL setting rate to meet the needs of your specific applications and business.

Problems with Zone Delegation

Zone delegation is one of the most common problems found when performing a DNS audit. In order to work properly, zones need to be set up correctly so the DNS queries are properly directed. To ensure they are correct, the audit must include reviewing the nameservers and verifying the names are correct and pointing to the proper location.

Remove Internal IP Addresses from External Zones

In theory, you shouldn’t find any internal IP addresses in external DNS zones. In reality, it is more common than expected because of “RFC 1918” (“Address Allocation for Private Internets”) and loopback addresses. These errors can expose information about your internal infrastructure. This is why it is best practice to verify during an audit that internal and external DNS are kept separate and that internal addresses are not found within an external zone.

Clean up Your Inactive Domains

You need to keep track of which domains are active and inactive (i.e. that .whatever domain you registered but never set up fully) and periodically clean up your inactive domains. As new top-level domains (TLDs) are added, it can increase the complexity of your DNS. Potential errors could be caused by typos, a server name change, or out-of-date information.

Test your PTR records

PTR records (pointer records) format an IP address in reverse order. They’re commonly known as reverse lookup because you can use an IP address to find the host name. Normally PTR records reside in the reverse zone, but sometimes they are also found in error in the forward zone. During an audit, you should test PTR record lookups to make sure they reverse the order of the octets in the address correctly.

Implement a Secondary DNS Service

Along with conducting a DNS Audit,  you should also make sure you have a failover DNS service ready with a managed DNS provider, especially for areas where an outage could cause a major disruption (i.e. your e-commerce site). Taking these steps will greatly reduce your risk of downtime due to DNS related issues and will guarantee redundancy for your most mission critical systems.

About Chris Roosenraad
Chris Roosenraad, Chairman Emeritus of MAAWG and director of UltraDNS at Neustar

In this article