DNS is now critical to the operation of nearly every non-trivial networked application. DNS has also become dauntingly complex, both in theory and in its implementations. And unfortunately, hackers increasingly target DNS infrastructure. This confluence of factors isn’t unprecedented—it’s the same combination that drove IP routing, network storage, and firewalls to appliance implementations, because only appliances could deliver the requisite simplicity of management, reliability, and security.
Like other network appliances, DNS appliances are purpose-built: both the hardware and the software are configured for ease of management, security, and performance, with a degree of tuning that a general-purpose OS server cannot match. They share the advantages of every other network appliance: unnecessary ports are closed, the driver set is limited to the hardware actually present, extraneous network chatter on the interfaces is kept to a minimum, and RAM is available to the DNS service rather than to unrelated processes. In each of these areas the appliance comes out ahead.
Because their purpose and requirements are narrowly defined, these appliances can offer far stronger high availability, which often amounts to little more than synchronizing the database and the system configuration between peers. Appliances lend themselves to standard high-availability mechanisms such as VRRP (Virtual Router Redundancy Protocol) as well as to proprietary strategies. DNS has always offered protocol-level redundancy (multiple NS records for a zone, multiple resolvers configured on each client), but adding a layer of hardware redundancy can improve failover time drastically: a VRRP peer takes over a shared virtual IP address within a few seconds of the master's advertisements stopping, whereas a client whose first configured resolver is down typically waits out a timeout and retry cycle before falling back to the next one (the glibc stub resolver defaults to a 5-second timeout and 2 attempts). Just as important, hardware redundancy does not depend on every client being configured with more than one resolver.
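As an added example (not from the ebook, the page, or Infoblox), here is how a VRRP-protected DNS virtual IP might be expressed with the open-source keepalived daemon, which is one implementation of the VRRP approach described above. The interface name, the VIP 192.0.2.53 and the dig-based health check are assumptions for illustration. The point a practitioner should check for in any VRRP setup is the tracked health check: without it the VIP follows host liveness only, so a node whose name server has hung keeps the address and keeps failing queries.

```conf
# Added example: keepalived VRRP configuration for a DNS virtual IP.
# Assumptions (not from the page): two nodes with the name server
# listening on 127.0.0.1:53 on each, both on eth0, VIP 192.0.2.53/24.

global_defs {
    # refuse to run check scripts from world-writable paths
    enable_script_security
    # run health checks as an unprivileged user, not root
    script_user keepalived_script
}

# Health check: query the local name server directly. dig exits non-zero
# when no reply arrives within the timeout, so a hung named/unbound fails
# the check even though the host is up and still able to send VRRP
# advertisements. With the default weight (0) a failing check puts the
# instance into FAULT state, so this node stops advertising entirely and
# the peer takes over the VIP after about three missed advertisements.
vrrp_script chk_dns {
    script "/usr/bin/dig @127.0.0.1 +time=1 +tries=1 . SOA"
    # run every 2 seconds
    interval 2
    # two consecutive failures mark the node unhealthy
    fall 2
    # two consecutive successes before it may serve the VIP again
    rise 2
}

vrrp_instance DNS_VIP {
    # start as BACKUP and let priority decide who becomes master
    state BACKUP
    interface eth0
    # must match on both nodes and be unique on this L2 segment
    virtual_router_id 53
    # set to 100 on the second node
    priority 150
    # master advertises every second
    advert_int 1
    # a recovered node stays BACKUP instead of causing a second failover
    nopreempt
    virtual_ipaddress {
        192.0.2.53/24 dev eth0
    }
    track_script {
        chk_dns
    }
}
```

Clients are configured with 192.0.2.53 as their resolver, so from their point of view the failover is invisible and needs no second nameserver entry or client-side timeout. An authoritative-only server will answer the root SOA probe with REFUSED, which dig still treats as a reply (exit code 0); the check fails only when the daemon stops answering, which is the failure mode VRRP alone cannot see.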
Choosing a single appliance-based solution with a central management component means you have one interface for your entire architecture rather than having to manage each DNS server independently. This is the biggest saving appliances offer: the customer's time. It is hard to quantify and therefore often overlooked when costs are analyzed, yet ease of management is the single largest gain a centralized, purpose-built appliance solution can provide. With network administration and security positions going unfilled, and a majority of organizations reporting understaffing on both their network and security teams, the ability to free skilled staff from the day-to-day care of core protocols so they can spend their time on higher-value work cannot be ignored.
Administrative Control and Authentication
Central management lets us control who has access to which portions of the DNS namespace, and which changes require managerial approval across the whole architecture. Add audit logging (who took which action, on which server, at what time, all visible in one central interface) and the easier collection of forensic evidence that comes with it, and the result is teams that can monitor and react much more rapidly.
Most centrally managed appliance solutions offer architecture-wide upgrade and maintenance, a huge advantage over a solution composed of individually managed servers. Common tasks such as backup, logging and reporting can likewise be driven from a single interface instead of being performed on each server. The same goes for the small changes that otherwise have to be repeated per server, such as changing an NTP server address or pointing syslog at a new logging device: they are made once and applied to every server in the architecture.
Building a DNS architecture on purpose-built appliances means the OS can be stripped of all unnecessary drivers, applications and protocols, drastically reducing its attack surface. Because the functionality is narrowly defined, monitoring and logging can concentrate on the specific services and protocols actually provided, and user administration, change tracking and audit logging can be tailored to that functionality and made far more informative as a result.
We have long known the advantages of appliances for traditional network protocols. As DNS comes to be seen more as part of the network and less as just a client service, we need to apply those same security enhancements to our DNS architecture.
Select content in the DNS Security Resource Center is based on Infoblox’s DNS Security for Dummies – Infoblox Special Edition ebook, ©2018 John Wiley & Sons Inc.