Domain Name System (DNS): It works, so why change?

If your Domain Name System (DNS) seems to work, why would you change to anything else? Actually, there are plenty of reasons.


There are a few things I’ve learned in my first year of working on Adaptive DNS solutions. I know what it means to provision networks, the difference between recursive and authoritative servers, and the importance of caching layers. I know what a DMZ is, and a whole slew of other acronyms that you could make alphabet soup with.

Most companies use the default Microsoft DNS. It’s “free” and it works. So why change? My biggest takeaway on that: the default setup carries three recurring costs that are easy to overlook, namely outages, security risks, and unnecessary network complexity.

1. The Outage

DNS (Domain Name System) is a critical part of any organization’s network infrastructure. It is how every device turns a name into the address of the service it wants to reach, so almost every connection begins with a DNS query. DNS is quietly working behind the scenes. Nobody cares about it because it works…until it doesn’t.

A DNS outage can cripple even the most advanced companies. According to the Ponemon 2016 Cost of Data Center Outage Report, the average unplanned data center outage lasts 91 minutes and costs $8,851 per minute. If that organization is in the financial services or manufacturing industry, those numbers can be significantly higher and are better measured in dollars per second.

Human error is the most common cause of DNS outages. Accidental DNS record deletion, unauthorized changes, and a lack of data validation before a change is committed are all common risks in a decentralized DNS infrastructure. Adaptive DNS reduces these risks by automating manual, repetitive and error-prone tasks and by checking changes before they reach the servers.
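The following is an added example, not BlueCat code and not taken from the article, of the kind of pre-commit validation that catches the errors described above: it refuses to delete a record that another record still depends on, rejects malformed addresses, and enforces the rule that a CNAME owner may hold no other data. The zone is held as a constructed in-memory list, and the change is a simple ("add"|"delete", Record) pair; a real platform would load the zone from its authoritative store and run this check before applying the change.

```python
"""Pre-commit validation for DNS record changes (added example, not BlueCat code).

Assumptions (constructed for illustration): the zone is a plain list of Record
tuples with fully-qualified owner names, and a change is an operation name plus
the record it adds or deletes.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # fully-qualified owner name, e.g. "web.example.com."
    rtype: str  # "A", "AAAA", "CNAME", "MX", "NS"
    data: str   # rdata: an address, or a target name for CNAME/MX/NS ("pref target" for MX)


def _fq(name: str) -> str:
    """Normalize a name to its fully-qualified form with a trailing dot."""
    return name if name.endswith(".") else name + "."


def _targets_of(rec: Record) -> set[str]:
    """Names this record points at, i.e. names whose removal would break it."""
    if rec.rtype == "MX":
        return {_fq(rec.data.split()[-1])}
    if rec.rtype in ("CNAME", "NS"):
        return {_fq(rec.data)}
    return set()


def validate_change(zone: str, records: list[Record], op: str, rec: Record) -> list[str]:
    """Return the policy violations for a proposed change; an empty list means it may proceed."""
    problems: list[str] = []
    zone = _fq(zone)
    name = _fq(rec.name)

    # A change must stay inside the zone it is submitted against
    if not (name == zone or name.endswith("." + zone)):
        problems.append(f"{name} is outside zone {zone}")

    if op == "add":
        if rec.rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rec.data)
                if (rec.rtype == "A") != (addr.version == 4):
                    problems.append(f"{rec.rtype} record holds an IPv{addr.version} address: {rec.data}")
            except ValueError:
                problems.append(f"{rec.data!r} is not a valid IP address")
        # RFC 1034: a CNAME owner may hold no other data
        existing = [r for r in records if _fq(r.name) == name]
        if rec.rtype == "CNAME" and existing:
            problems.append(f"{name} already has records; CNAME cannot coexist")
        if rec.rtype != "CNAME" and any(r.rtype == "CNAME" for r in existing):
            problems.append(f"{name} is a CNAME; cannot add {rec.rtype}")

    elif op == "delete":
        if rec not in records:
            problems.append(f"{rec.rtype} {name} {rec.data} does not exist")
        remaining = [r for r in records if r != rec]
        # If nothing else is left at this name, anything pointing at it would dangle
        if not any(_fq(r.name) == name for r in remaining):
            for d in remaining:
                if name in _targets_of(d):
                    problems.append(f"{d.rtype} {_fq(d.name)} still points at {name}")

    else:
        problems.append(f"unknown operation {op!r}")
    return problems


SAMPLE_ZONE = [  # constructed sample zone for the example
    Record("example.com.", "NS", "ns1.example.com."),
    Record("ns1.example.com.", "A", "192.0.2.53"),
    Record("web.example.com.", "A", "192.0.2.10"),
    Record("www.example.com.", "CNAME", "web.example.com."),
    Record("example.com.", "MX", "10 mail.example.com."),
    Record("mail.example.com.", "A", "192.0.2.25"),
]

if __name__ == "__main__":
    # Deleting the web host would leave the www CNAME dangling: the change is refused
    for problem in validate_change("example.com", SAMPLE_ZONE, "delete",
                                   Record("web.example.com.", "A", "192.0.2.10")):
        print("REFUSED:", problem)
```

The dependency check is the one that matters most in practice: a decentralized estate lets an admin on one server delete an A record without ever seeing the CNAME, MX or NS on another server that still refers to it.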

2. The Security Risk

DNS is more than a directory of names and numbers. Because every network depends on it and almost every firewall lets it through, it is no wonder that over 91% of malware leverages DNS at some stage of an attack. Surprisingly, 68% of organizations don’t monitor the query data on their recursive DNS servers at all. According to the Ponemon 2018 Cost of Breach Report, the average time to detect a breach is 197 days and the average time to contain it is 69 days. The average breach costs an organization around $3.8 million. With these statistics, wouldn’t it make sense to monitor the system that most malware relies on?

With Adaptive DNS, you can apply security policies at the query level, gain greater visibility into the intent of every device, and make sure that important threat information is sent to your SIEM. This allows you to quickly detect malicious activity, contain it, and identify “patient zero”. One of our clients recently experienced a TrickBot attack. Through BlueCat’s Adaptive DNS solutions, they were able to detect the breach and contain it in less than a week.

3. Unnecessary Complexity

Microsoft is not a DNS company. Their DNS tools are more of an afterthought than a purpose-built product. As organizations grow (organically or through acquisition), the network naturally becomes more complex. Suddenly, dozens or even hundreds of domain controllers are running DNS. This is a nightmare to maintain, and it typically results in a patchwork of home-grown architectures, conditional forwarders, and delegation scenarios. Every one of those is a place where a change on one server can silently break resolution somewhere else.

Adaptive DNS helps by consolidating these existing servers and optimizing your network traffic through an architecture based on industry best practices. This gives you a single source of truth for all DNS, DHCP, and IP address space. Updates can be made for all servers through one centrally managed platform, and that same platform becomes the integration point for automation and cloud initiatives.

Conclusion

All of this is just the tip of the iceberg. Adaptive DNS can provide many more capabilities if an organization knows how to leverage it.

Technology is constantly evolving and changing. Every day we hear new and exciting buzzwords that could become the next technological revolution, like Cloud, Automation, and Software-Defined Networking. Companies spend millions of dollars daily to ensure their network is reliable, secure, and on the cutting edge.

For many organizations, new network capabilities take precedence over a stable core infrastructure. Underneath cloud, AI, and machine learning sits an IP Address, a DNS query, and probably a DHCP lease. Are your next gen initiatives sitting on top of an outdated platform?

Want to learn more about BlueCat’s Adaptive DNS capabilities? Learn more about BlueCat’s DDI. Let’s talk!



Joshua Hamilton is an Account Executive for BlueCat and has been a part of the team since 2017. He has been in the software industry since 2012 and graduated from the University of North Texas.
