DNS Audits: What You Need To Know
If the recent Mirai botnet attack that took down a managed DNS provider taught us anything, it’s that losing a service like DNS can be devastating for organizations that rely on online assets for their day-to-day activities. Having a single point of failure not only makes your organization vulnerable in the event of an outage or industry event, but it also impacts your bottom line by cutting off communication to and from your mission-critical systems. Losing access to online assets can also impact your customer support channels, PR and Marketing efforts, and may lead to productivity loss from your internal resources that rely on online assets to perform their duties.
Protecting Your DNS
If your DNS strategy is like most organizations’, you set up your DNS once and forgot about it, expecting it to never change. But that’s precisely why having a professional DNS audit is so important. Your DNS environment changes constantly, bit by bit, and it’s important to check your DNS just like you would the oil in your car engine — on a regular basis. It's about keeping up regular maintenance so you can find and fix issues like server overloads from negative caching or low-set TTLs before they become a bigger problem.
Here are some best practices for making the most of your DNS audit:
Stop Email Spoofing With a Properly Configured SPF
The Sender Policy Framework (SPF) helps prevent email spoofing. However, if it’s not configured properly, emails can still be spoofed. This could damage your brand’s image by allowing your audiences to receive fraudulent emails sent on your behalf that you didn’t send. Common configuration errors include invalid syntax and the incorrect use of multiple strings in the record.
Verify Your Negative Caching
Negative caching allows a DNS server to hold the record of a negative response from a lookup. This means when someone requests a name that does not exist and the server has already looked it up, it remembers the last result of the request. It can then respond automatically for a certain period of time without having to look up the information again.
If you set your negative caching TTL too low, resolvers repeatedly re-query for the same nonexistent names, which wastes bandwidth, overloads the server and can cause downtime as a result.
Is Your TTL at Its Optimal Setting?
Time to live (TTL) tells a server how long it should wait before it refreshes its DNS information. If the TTL setting is too small, it can increase the load on the server from excessive queries. If it is set to zero, the name may not resolve at all. If the setting is too high and you have an error, it can be difficult to change. Best practices dictate 1 hour as the optimal TTL setting to help reduce the load on your DNS servers.
Problems with Zone Delegation
Zone delegation is one of the most common problems found when performing a DNS audit. In order to work properly, zones need to be set up correctly so the DNS queries are properly directed. To ensure they are correct, the audit must include reviewing the nameservers and verifying the names are correct and pointing to the proper location.
Remove Internal IP Addresses from External Zones
In theory, you shouldn’t find any internal IP addresses in external DNS zones. In practice, though, this is fairly common: RFC 1918 (“Address Allocation for Private Internets”) private addresses and loopback addresses end up in public zones. These errors can expose information about your internal infrastructure. This is why part of your audit should include checking that internal and external DNS are kept separate and that internal addresses are not found within an external zone.
Clean Up Your Inactive Domains
You need to keep track of which domains are active and inactive (e.g. that .biz domain you registered but never set up fully) and periodically clean up your inactive domains. As domains under additional top-level domains (TLDs) are added, the complexity of your DNS increases. Potential errors could be caused by typos, a server name change, or out-of-date information.
Test your PTR records
PTR records (pointer records) map an IP address, written with its octets in reverse order, back to a host name. They're commonly known as reverse lookups because you can use an IP address to find the host name. Normally PTR records reside in the reverse zone, but sometimes they are also found in error in the forward zone. During an audit, you should test PTR record lookups to make sure they reverse the order of the octets in the address correctly.
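The following is an added example, not code from the original article: a small static audit over a constructed set of zone records that flags the issues described in the SPF, TTL, internal-address and PTR sections above (low or zero TTLs, RFC 1918 and loopback addresses in an external zone, multiple or malformed SPF records, and PTR records placed in a forward zone). The zone data and the example.com names are constructed placeholders.

```python
"""Added example (not from the original article): a static audit of a
constructed external zone, flagging the issues the article lists."""
import ipaddress
import re

# RFC 1918 private ranges plus the IPv4 loopback block named in the article.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MIN_TTL = 3600   # the article's recommended one-hour TTL
# Accepted SPF terms: an optional qualifier followed by a mechanism or modifier.
SPF_TERM = re.compile(r"^[+\-~?]?(all|ip4:\S+|ip6:\S+|a(:\S+)?|mx(:\S+)?"
                      r"|include:\S+|exists:\S+|ptr(:\S+)?|redirect=\S+|exp=\S+)$")

def audit_zone(origin, records):
    """records: list of (name, ttl, rtype, rdata). Returns a list of findings."""
    findings = []
    spf_count = 0
    reverse_zone = origin.endswith(("in-addr.arpa.", "ip6.arpa."))
    for name, ttl, rtype, rdata in records:
        if ttl == 0:
            findings.append(f"{name}: TTL is 0, record may not resolve")
        elif ttl < MIN_TTL:
            findings.append(f"{name}: TTL {ttl}s below {MIN_TTL}s, extra query load")
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in INTERNAL_NETS):
                findings.append(f"{name}: internal address {rdata} in external zone")
        if rtype == "PTR" and not reverse_zone:
            findings.append(f"{name}: PTR record in forward zone {origin}")
        if rtype == "TXT" and rdata.lower().startswith("v=spf1"):
            spf_count += 1
            for token in rdata.split()[1:]:
                if not SPF_TERM.match(token):
                    findings.append(f"{name}: invalid SPF term {token!r}")
    if spf_count > 1:
        findings.append(f"{origin}: {spf_count} SPF records; only one is allowed")
    return findings

# Constructed sample zone (placeholder data) containing each class of error.
SAMPLE_ZONE = [
    ("www.example.com.", 3600, "A", "203.0.113.10"),
    ("intranet.example.com.", 300, "A", "10.1.2.3"),
    ("dev.example.com.", 0, "A", "127.0.0.1"),
    ("example.com.", 3600, "TXT", "v=spf1 ip4:203.0.113.0/24 -all"),
    ("example.com.", 3600, "TXT", "v=spf1 include:spf.example.net ~al"),
    ("10.113.0.203.in-addr.arpa.", 3600, "PTR", "www.example.com."),
]

if __name__ == "__main__":
    for finding in audit_zone("example.com.", SAMPLE_ZONE):
        print(finding)
```

Running it against the sample zone reports seven findings; a zone with only the first record comes back clean.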
Implement a Secondary DNS Service
Along with conducting a DNS audit, you should also make sure you have a failover DNS service ready with a managed DNS provider, especially for areas where an outage could cause a major disruption (e.g. your e-commerce site).
Taking these steps will greatly reduce your risk of downtime due to DNS-related issues and will guarantee redundancy for your most mission-critical systems.