March 23rd, 2017

Here’s How to Get The Most Out of Your DNS Day 3: DNS as Defense and Why You Should Hire a DNS Service

Early in 2016, we wrote a blog asking if “DNS is the Rodney Dangerfield of Your Cybersecurity Strategy.” The blog, although a bit tongue-in-cheek, sought to raise awareness of DNS’ utility as it relates to improving cybersecurity and a company’s overall network performance.

Turns out the blog could have used some airtime in the United Kingdom.

According to a recent Quocirca study of 100 senior IT decision makers in the U.K., a whopping 92% of respondents have limited visibility into the impact that DNS performance and availability have on their users. Since DNS is the cornerstone of Internet transactions and availability, we decided to dig a bit deeper into the findings.

Over the past two days, we reviewed some key findings from the survey.  Namely:

Day 1: DNS complexity and self-management 

Day 2: Traffic management via authoritative DNS

Today we’ll look at how DNS can augment your existing security posture and why you might be better off hiring a DNS provider. 

As a pioneer in the DNS community and chief architect of UltraDNS and the DNS Shield Network, Rodney Joffe, a Senior Fellow at Neustar, knows a thing or two when it comes to DNS. Joffe recently remarked: “[DNS] can defend the frontline in the fight against cyber-attacks. And as the threatscape continues to widen and shift, every organization needs to maximize their DNS’s potential to use an all-hands-on-deck approach to cybersecurity.”

But, as you might imagine, that isn’t happening.

If used wisely, recursive DNS can block a number of threats from entering the network. To double-down on the benefits of recursive DNS management, Quocirca writes, “All end-points connected to a given network are covered without any additional software needed on the devices themselves. Sites that are known to harbor threats such as ransomware or phishing scams can be blocked.” 
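The per-query decision a filtering recursive resolver makes, as an added example that is not part of the original post or any Neustar code. The blocklist, allowlist, client addresses and query names are constructed, and the function names are hypothetical.

```python
# Constructed policy data using reserved .example/.test names (assumption, not from the post).
BLOCKLIST = {
    "ransomware-c2.example": "malware",
    "login-verify.phish.test": "phishing",
}
ALLOWLIST = {"safe.ransomware-c2.example"}  # a specific exception beats a parent block

def normalize(qname):
    """Lower-case and strip the root dot so 'Bad.Example.' matches 'bad.example'."""
    return qname.strip().rstrip(".").lower()

def candidates(qname):
    """Yield the name, then each parent domain, split on label boundaries only."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def decide(qname):
    """Return (action, category, matched_rule) for one client query."""
    for name in candidates(qname):  # most specific name is checked first
        if name in ALLOWLIST:
            return ("resolve", None, name)
        if name in BLOCKLIST:
            return ("block", BLOCKLIST[name], name)
    return ("resolve", None, None)

def filter_queries(queries):
    """Apply the policy to (client_ip, qname) pairs; return blocked hits for logging."""
    hits = []
    for client, qname in queries:
        action, category, rule = decide(qname)
        if action == "block":
            hits.append({"client": client, "qname": normalize(qname),
                         "category": category, "rule": rule})
    return hits

SAMPLE_QUERIES = [  # constructed query log
    ("10.0.0.5", "www.example.org."),
    ("10.0.0.7", "cdn.Ransomware-C2.example."),   # subdomain of a blocked name
    ("10.0.0.7", "notransomware-c2.example"),     # shares a suffix string, not a label
    ("10.0.0.9", "login-verify.phish.test"),
    ("10.0.0.9", "safe.ransomware-c2.example"),   # allowlisted exception
]

if __name__ == "__main__":
    for hit in filter_queries(SAMPLE_QUERIES):
        print(hit)
```

Because the decision is made at the resolver, each blocked lookup also records which client asked, which is the visibility the end-points themselves do not have to provide.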

However, findings from the study reveal that only a slight majority (51%) are currently using their recursive DNS to protect themselves from threats and malware, assuming they’re correctly provisioning recursive DNS. The same proportion also uses recursive DNS to block their network’s users from accessing unwanted content, while 46% reported using DNS to block websites (Figure 12, below).


But the area where recursive DNS is most underutilized is DNS Security Extensions (DNSSEC). DNSSEC uses digital signatures to ensure that the information provided by DNS servers is accurate and authenticated.

As it says in the study, “DNSSEC protects against DNS cache poisoning or spoofing, where recursive DNS records are overwritten with false information, directing users to dangerous websites.” Quocirca predicts that DNSSEC’s capabilities and functionality are likely to make it as necessary as DNS itself before long.

But DNSSEC can be a double-edged sword. Signed responses are much larger than the queries that trigger them, so if DNSSEC isn’t properly applied and maintained, it can be repurposed and turned into a DDoS magnifier, the exact opposite of its original intent.

Which is part of the reason why the study recommends using a DNS service.

Most reputable DNS service providers have years of experience provisioning and managing DNS to fit companies’ capabilities and specifications. As Quocirca says, “Working with DNS service providers should ensure high quality, especially if the same provider is used for both authoritative and recursive needs.”

As a leading provider of network security solutions, Neustar has invested heavily in building advanced DNS security solutions that protect organizations from all types of threats, including DDoS attacks, ransomware and data theft. Neustar is also in the process of building out a global DDoS protection network that, when complete, will represent one of the largest DDoS protection networks in the world. The network is dedicated to protecting both Neustar’s authoritative and recursive DNS networks.

Thousands of organizations rely on Neustar for authoritative DNS protection as their primary or secondary managed DNS service. Our UltraDNS solution represents a highly sophisticated, scalable and secure DNS protection system that includes ultra-high availability, low latency query responses and built-in DDoS protection. UltraDNS also features Neustar DNS Shield™, a privatized DNS network between Neustar and its partners, which directly links partner recursive servers to Neustar UltraDNS and thus avoids general internet connectivity for enhanced security and lower latency.

When it comes to DNS, the stakes couldn’t be any higher. From ensuring a seamless website experience for your customers to serving as a safety net against malware and viruses, DNS is responsible for your digital footprint, but it’s capable of doing so much more. To learn how Neustar can help take your DNS to the next level, schedule to speak with a representative now.
