Andy Davis has been virtually touring the country recently providing advice and guidance to Heads of IT groups on DNS resilience, so I’ve asked him to share his top ten tips:
(1) Keep your nameservers patched and running on supportable DNS platforms (OS and DNS application).
(2) Review your Business Continuity Plans (BCP) – Do you know what records were in your zone files?
(3) Don’t put all your nameservers in the same subnet on your network; also consider the physical environment (diverse power sources, different racks…).
(4) Look at the use of off-site secondary nameservers. Would the use of an off-site secondary help during outages/attacks?
(5) Check that zone transfers are happening regularly, especially if any firewall rules have been changed.
(6) Ensure that the SOA expire time is set to a level that meets your organisation’s BCP requirements.
(7) How can logging help you? – https://www.ncsc.gov.uk/blog-post/logging-made-easy (see point 8).
(8) Monitor – has your primary nameserver gone off-line? You don’t want to disappear if your primaries fail without you noticing.
(9) Audit DNS on an annual basis.
(10) Make use of Jisc and the NCSC – subscribe to CiSP Academia and the UK-Security Jiscmail list (contact firstname.lastname@example.org if you need sponsoring to join CiSP or to join the UK-Security mailing list).
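Tips 5, 6 and 8 can be checked together from the SOA record that each of your nameservers returns. The following Python is an added example, not code from Jisc or the author; the hostnames, serials, timer values and the BCP outage figure are constructed assumptions.

```python
# Audit SOA answers collected from every authoritative server for a zone.
# Each value is the text printed by `dig +short SOA <zone> @<server>`,
# or None when the server gave no answer. All data here is constructed.
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

SAMPLE = {
    "ns1.example.org": "ns1.example.org. hostmaster.example.org. 2024050102 3600 600 1209600 3600",
    "ns2.example.org": "ns1.example.org. hostmaster.example.org. 2024050101 3600 600 1209600 3600",
    "ns3.example.org": None,
}

def parse_soa(rdata):
    """Split SOA rdata into its seven fields; serial and timers become ints."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"not SOA rdata: {rdata!r}")
    return dict(zip(SOA_FIELDS, fields[:2] + [int(f) for f in fields[2:]]))

def serial_behind(a, b):
    """True if serial a is older than b under RFC 1982 32-bit serial arithmetic."""
    return a != b and (b - a) % 2**32 < 2**31

def audit_zone(answers, primary, bcp_outage_seconds):
    """Return findings: silent servers, lagging secondaries, short expire."""
    findings, parsed = [], {}
    for server, rdata in answers.items():
        if rdata is None:  # tip 8: notice when a server has gone off-line
            role = "primary" if server == primary else "secondary"
            findings.append(f"{server}: {role} not answering")
        else:
            parsed[server] = parse_soa(rdata)
    ref = parsed.get(primary)
    for server, soa in parsed.items():
        # tip 5: a secondary with an older serial has not transferred the zone
        if ref and server != primary and serial_behind(soa["serial"], ref["serial"]):
            findings.append(f"{server}: serial {soa['serial']} behind primary {ref['serial']}")
        # tip 6: expire must cover the longest primary outage the BCP allows
        if soa["expire"] < bcp_outage_seconds:
            findings.append(f"{server}: expire {soa['expire']}s below BCP requirement {bcp_outage_seconds}s")
    return findings

if __name__ == "__main__":
    for line in audit_zone(SAMPLE, "ns1.example.org", 7 * 86400):
        print(line)
```

A secondary can trail the primary briefly between refreshes; a lag that persists across several runs is the signal that transfers have stopped.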
Jisc provides free DNS services for members. Talk to your Account Manager or visit the following links for more information:
Primary nameserver service (https://www.jisc.ac.uk/primary-nameserver): Holds and maintains the primary source of domain name information for Janet Network connected organisations.
Secondary nameserver service (https://www.jisc.ac.uk/secondary-nameserver): An off-site secondary source of top-level domain name information for organisations on the Janet Network.
Janet Network resolver (https://www.jisc.ac.uk/janet-network-resolver): JNRS includes Response Policy Zone (RPZ) enhanced DNS resolution to protect users and organisations by preventing a user’s web request from being directed to known compromised or dangerous web sites (for example, as a result of phishing or related attacks).