DNS Best Practices: Architectures that Work

DNS is a core network service. You’d be hard pressed to think of a service, public or private, that doesn’t rely on DNS at some point.


July 15, 2014

Every Connection Starts with DNS

DNS is a core network service. You’d be hard pressed to think of a service, public or private, that doesn’t rely on DNS at some point. Without reliable DNS your business applications including email, web services, ERP, CRM and VoIP cannot function. A core services outage can also have consequences you might not have considered: for example, if entry and exit to your office is controlled by IP and relies on DNS, employees might not be able to get into the building, or worse, might find themselves locked in the cafeteria.

Whether your network architecture is simple or extremely complex, a solid network design is critical to maintain a reliable, secure and manageable DNS environment. DNS security, performance and availability are fundamental design objectives. Here are a few tips and general guidelines to help you build a core services architecture that works.

Best Practices for Public DNS:

  • Hide Your Valuables – Configure the external primary DNS server as a Hidden Primary. This configuration protects the primary server, provides maximum performance, and increases tolerance to failure. As well, where possible, deploy primary servers in high availability clusters.
  • Spread the Load – Deploy secondary servers in geographically-dispersed data centers to avoid a single point of failure scenario. Placing secondary servers within the corporate demilitarized zone (DMZ) minimizes the types of data traffic to which they are exposed, affording greater security.
  • Restrict Access – Secure zone transfers using access control lists (ACLs) and transaction signatures (TSIGs). These security measures deter potential attackers.
  • Limit Your Exposure – Disable recursion on external servers to eliminate the risk of cache poisoning and other DNS attacks.
  • Go to Jail, Go Directly to Jail – Run DNS in a chroot jail to sandbox potential attacks and minimize damage.
  • Keep it to Yourself – Hide information that indicates the version of DNS server software deployed. This information benefits attackers who can exploit known vulnerabilities.

Best Practices for Private DNS:

  • Keep It Inside – Locate internal DNS servers on the internal network, behind your corporate firewall.
  • Secure Access – Use virtual private networks (VPNs) to connect remote users to internal resources.
  • Lighten the Load – To enhance performance and reliability, consider using a Hidden Primary for the internal primary DNS server.
  • Think Locally – Where possible, deploy secondary servers at local sites to preserve network bandwidth. An analysis of bandwidth requirements – the frequency DNS queries on the local WAN link – can help determine whether small sites warrant secondary servers.
  • Conserve Bandwidth – As alternatives to secondary servers, consider stealth secondary servers or caching-only servers for small sites. These require less network bandwidth.
  • Take Root – The size and complexity of the internal DNS affects your design decisions. Consider deploying internal root servers for large, distributed networks or those with complex namespaces. Internal root servers can enhance scalability, efficiency and control.

Published in:

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

Security, automation, cloud integration keys to DDI solution success

Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.

Read more

Our commitment to Micetro customers and product investment

From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.

Read more

Seven reasons to rethink firewall monitoring and boost automation 

With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.

Read more