Domain Name System (DNS): It works, so why change?

There are a few things I’ve learned in my first year of working on Adaptive DNS solutions. I know what it means to provision networks, the difference…

There are a few things I’ve learned in my first year of working on Adaptive DNS solutions. I know what it means to provision networks, the difference between recursive and authoritative servers, and the importance of caching layers. I know what a DMZ is, and a whole slew of other acronyms that you could make alphabet soup with.

Most companies use the default Microsoft DNS. It’s “free” and it works. So why change? My biggest take away on that – the default system is challenged with outages, security risks, and unnecessary network complexity.

1. The Outage

DNS (Domain Name System) is a critical part of any organization’s network infrastructure. It’s what a device uses to connect to the network. DNS makes it all happen. DNS is quietly working behind the scenes. Nobody cares about it because it works…until it doesn’t.

A DNS outage can cripple even the most advanced companies. According to the Ponemon 2016 Cost of Data Center Outage Report, the average DNS outage lasts 91 minutes and costs $8,851 per minute. If that organization is in the financial services or manufacturing industry, those numbers can be significantly higher and are measured in dollars per second.

Human error is the most common cause of DNS outages. Accidental DNS record deletion, unauthorized changes, and lack of data validation are all common concerns for a decentralized DNS infrastructure. Adaptive DNS solves these challenges by automating manual, repetitive and error-prone tasks.

2. The Security Risk

DNS goes beyond assigned names and numbers. It is a basic requirement for every network so it’s no wonder that over 91% of malware leverage DNS for their attacks. Surprisingly, 68% of organizations don’t even monitor the data on their recursive DNS servers. According to the Ponemon 2018 Cost of Breach Report, the average time to detect a breach is 197 days and to contain it is 69 days. The average breach can cost an organization around $3.8 million. With these statistics, wouldn’t it make sense to monitor the system that is leveraged by most malware attacks?

With Adaptive DNS, you can apply security policies at the query level, gain greater visibility into the intent of every device, and make sure that important threat information is sent to your SIEM. This allows you to quickly detect malicious activity, contain it, and identify “patient zero”. One of our clients recently experienced a TrickBot attack. Through BlueCat’s Adaptive DNS solutions, they were able to detect the breach and contain it in less than a week.

3. Unnecessary Complexity

Microsoft is not a DNS company. TheirDNS tools are more of an afterthought than a purpose-built tool. As organizations grow (organically or through acquisition), the network naturally becomes more complex. Suddenly, several dozens or even hundreds of domain controllers are running DNS. This can be a nightmare to maintain, and typically result in a lot of home-grown architectures, conditional forwarding servers, or delegation scenarios. This makes your system’s DNS infrastructure complex.

Adaptive DNS helps by consolidating these existing servers and optimizing your network traffic through an architecture based on industry best practices. This gives you a single source of truth for all DNS, DHCP, and IP Address space. Updates can be made for all servers through one centrally managed platform and can be leveraged through automation and cloud initiatives.


All of this is just the tip of the iceberg. Adaptive DNS can provide many more capabilities if an organization knows how to leverage it.

Technology is constantly evolving and changing. Everyday we hear new and exciting buzzwords that could become the next technological revolution like Cloud, Automation, and Software Defined Networks. Companies spend millions of dollars daily to ensure their network is reliable, secure, and on the cutting edge.

For many organizations, new network capabilities take precedence over a stable core infrastructure. Underneath cloud, AI, and machine learning sits an IP Address, a DNS query, and probably a DHCP lease. Are your next gen initiatives sitting on top of an outdated platform?

Want to learn more about BlueCat’s Adaptive DNS capabilities? Learn more about BlueCat’s DDI. Let’s talk!

Heading into the cloud?

See how your network can thrive in the complexity of the cloud.

Find answers to all your cloud-related questions.

Access cloud resources

Read more

Everything you need to know about shadow IT

When users implement their own solutions behind the IT team’s back, that’s shadow IT. Learn about the risks and how to manage and reduce it with BlueCat.

Read more
How an agency IT chief innovated amid bureaucracy

Government IT innovation isn’t easy, but Chad Sheridan did it at the USDA by removing silos, earning top-level buy-in, and moving to a product mindset.

Read more
Lexmark CIO & CTO on recognizing the right use cases for AI

Lexmark CIO & CTO Vishal Gupta wades through the murk surrounding AI, explaining what tech organizations should know when deciding whether to adopt it.

Read more
NSA and CISA: Protective DNS key to network defense

U.S. cyber agencies now point to protective DNS as a defense strategy, confirming what BlueCat already knew: DNS is critical to detecting network threats.

Read more

Products and Services

From Core Network Services to multicloud management, BlueCat has everything you need to build the network you need.

Learn more