Domain Name System (DNS) services translate domain names into IP addresses, making DNS a critical service that cannot be allowed to go down. DNS-based attacks are on the rise, so organisations need to design these services to be better protected.
Building a safe and solid DNS infrastructure doesn’t require a lot of money, investment or resources, but it does take strong planning and appropriate design.
Follow these five tips to design a more secure DNS.
1. Separate DNS Service from DNS Resolution
DNS service publishes the name-to-address mappings and makes them available locally or to the Internet. DNS resolution navigates the Internet’s tree of name servers to look up those mappings. The most important step in dependable DNS design is to understand the difference between DNS service and resolution, and to keep those functions on separate servers.
Every network requires DNS resolution, and the most appropriate way to offer it is with a pair of small, dedicated virtual machines (VMs) that run nothing other than a DNS resolver. Plan for minimal customisation and configuration to reduce the cost of maintaining these servers.
If you have several security zones within a building, such as Internet and guest networks versus internal users, you can drop a pair of DNS resolvers into each security zone. Your support and deployment costs are minimal if you build on simple, small resolver VMs. The organisation also gains automatic resistance to misbehaving clients and deliberate denial of service (DoS) attacks.
2. Accommodate Active Directory
Active Directory presents a wrinkle, because it works best when workstations in a domain use the same server for name service as well as name resolution.
Although IT managers can set domain workstations to point to a separate name resolver rather than the Active Directory DNS servers, this configuration makes many nervous because it takes them out of the Microsoft comfort zone and away from the most standard configuration.
Deal with Active Directory DNS and domains by keeping a strict separation. Any names stored in Active Directory, such as workstation records and the names of domain controllers, should be maintained strictly within Active Directory DNS and kept separate from other DNS names, whether public or private.
Users who are inside the network may need to use different names than when they are at home or on the road, so it’s best to have a consistent set of names to reduce user confusion. That is why it is a good idea to avoid using the .lcl domain for local domains, as those names would not work on the public Internet.
3. Outsource Name Service as Much as Possible
As mentioned above, keep name service separate from name resolution. If you do not make frequent changes to your organisational DNS, you can shift it completely to a cloud-based service or to your own virtual machines running in a cloud data centre.
Name service must be Internet-reachable because it serves names to Internet clients. This raises questions of scalability and DoS resilience. Pushing that name service offsite to a large cloud provider is a simple way to address those issues at a low cost.
4. Pick the Appropriate Platform
When selecting the right platform for your requirements, there are multiple commercial DNS products to choose from. IT managers usually find they will need to use Microsoft DNS with Active Directory as both resolver and server; for other roles, products from vendors such as BlueCat Networks and Infoblox offer enterprise-class control and ease of use.
5. Use Multiple Views
A large number of organisations have a “split-brain” DNS service, which provides one set of answers to users within the network and a separate set to users outside the network. It is a good practice to put those on different servers, but this increases long-term maintenance headaches because several servers have to be updated for every change to a name.
The best strategy is to use a DNS server tool, such as ISC BIND, that provides multiple views. BIND can deliver one set of answers to inside users while a different set goes to everyone else. This decreases the number of databases that must be maintained while providing a high level of scalability and security.
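The BIND views described above, combined with tip 1 (recursion only for inside clients), as an added named.conf example that is not from the article; the internal network 10.0.0.0/8, the zone example.com and the public block 192.0.2.0/24 are assumed values.

```conf
// named.conf: split-brain DNS with two BIND views (added example, not from the article).
// Assumed values: 10.0.0.0/8 as the internal network, example.com as the organisation's
// zone, 192.0.2.0/24 (RFC 5737 documentation range) as the public address block.

acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // Resolution (recursion) is offered only to inside clients. Refusing it to the
    // Internet keeps the public-facing name service from being used as an open
    // resolver in reflection/amplification DoS attacks.
    allow-recursion { internal; };
    allow-query-cache { internal; };
    version "not disclosed";
};

// Inside users: internal answers (RFC 1918 addresses) plus recursive resolution.
// With views in use, every zone must live inside a view; none at top level.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // e.g. intranet.example.com -> 10.1.2.3
    };
};

// Everyone else: only the public records, no recursion. Views are matched in order,
// so this catch-all must come last.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";  // e.g. www.example.com -> 192.0.2.10
    };
};
```

Check the result from an address in each network with `dig @<server> www.example.com` and confirm that an outside client receives the public record with the `ra` (recursion available) flag absent, while an inside client receives the internal record and can resolve external names.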