Enterprise tactics to manage DNS for remote work

When everyone’s working from home, there are a few network configurations you may want to pay more attention to. Here are some best practices to consider.

Nobody planned for this.  Working from home may have been at the back of everyone’s mind as a glorious utopian state.  Even so, they probably thought of it as five years away, ten years away, or one of those “always on the horizon” kind of things.  Now, suddenly, just about everyone who can work from home is doing it.

Here at BlueCat, we’ve been polling our customers and combing through the data to figure out what this all means for your DNS.  Here’s what we’re seeing and hearing:

Increased use of DNS over HTTPS (DoH):  As outlined in a recent post, use of DoH started to skyrocket over the last two weeks, jumping an astounding 1500% across our user base.  This should be a concern for network administrators, who suddenly lack visibility into DoH-encrypted traffic.

What you should do:  Block existing DoH services through use of a response policy zone (RPZ).  This is a five-minute configuration change in our DNS Integrity product.
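As an added illustration (not BlueCat's code or DNS Integrity configuration), the script below builds a minimal BIND-style RPZ zone that returns NXDOMAIN for a constructed list of public DoH resolver hostnames and simulates how the resolver applies the QNAME trigger; the zone origin `rpz.corp.example` and the resolver list are assumptions, and the list should be checked against your own query logs before use.

```python
# Added example, not part of the original post. Builds an RPZ zone whose
# "CNAME ." action makes the corporate resolver answer NXDOMAIN for DoH
# endpoints, so browsers fall back to the corporate DNS they can see.

# Constructed, non-exhaustive list of public DoH resolver hostnames (assumption).
DOH_RESOLVERS = [
    "dns.google",
    "cloudflare-dns.com",
    "dns.quad9.net",
]

# Firefox's canary domain: an NXDOMAIN answer here tells the browser not to
# enable DoH on its own, so it keeps using the system (corporate) resolver.
CANARY = "use-application-dns.net"


def build_rpz_zone(names, origin="rpz.corp.example", ttl=300):
    """Return RPZ zone file text; 'CNAME .' is the RPZ action for NXDOMAIN."""
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. 1 3600 900 604800 {ttl}",
        f"@ IN NS ns.{origin}.",
    ]
    for n in names:
        lines.append(f"{n} IN CNAME .")       # exact name -> NXDOMAIN
        lines.append(f"*.{n} IN CNAME .")     # any subdomain -> NXDOMAIN
    return "\n".join(lines) + "\n"


def rpz_action(qname, names):
    """Simulate the RPZ QNAME trigger: 'NXDOMAIN' if blocked, else 'PASS'."""
    q = qname.rstrip(".").lower()
    for n in names:
        if q == n or q.endswith("." + n):
            return "NXDOMAIN"
    return "PASS"


if __name__ == "__main__":
    blocked = DOH_RESOLVERS + [CANARY]
    print(build_rpz_zone(blocked))
    for name in ["dns.google", "mozilla.cloudflare-dns.com", "intranet.corp.example"]:
        print(name, "->", rpz_action(name, blocked))
```

RPZ only stops clients that look up the DoH endpoint by name; a client configured with a resolver's IP address bypasses it, so pair the zone with egress filtering and review of DNS query logs for the names above.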

Split tunnel VPNs:  So-called “split tunnel” VPNs separate internal corporate traffic from external DNS connections.  Internal traffic goes through the VPN as usual, but external traffic is routed through the user’s ISP.  The advantage of a split tunnel VPN is reduced load on corporate networks.  The downside is decreased visibility into external domain traffic, and the inability to block those DNS queries.

What you should do:  To maintain visibility and control over all network activity on corporate devices, admins should consider reconfiguring VPN settings to have all queries come through the corporate DNS.  Most VPN clients already do this (you can't resolve intranet names without corporate DNS), and it also avoids the risk of a poisoning attack in which an external resolver misdirects users to a malicious external site.  Fair warning: split tunnels can be a nightmare to manage.

Bandwidth and application performance issues:  As remote workers continue to use VPN connections, the downstream effects on capacity will be significant.  Are there enough networks allocated for VPN users?  Are underlying services like DHCP correctly sized for increased remote usage?  Is latency increasing to an unacceptable level?  You can have all the VPN licenses in the world, but if devices can’t obtain network addresses then they can’t connect anyway.

What you should do:  Network admins should be looking at new choke points for network access and implementing strategies to mitigate the risk of scaling in new directions.  That could mean creating new networks to account for expanded VPN usage, and revisiting DHCP allocations to make sure there's enough capacity.  If you're not there already, now's the time to lean on SaaS solutions to decrease latency-inducing connections to the core network.

Business as usual:  Thankfully, the day-to-day management of DNS infrastructure hasn’t actually changed that much over the last month.  The patterns of internal and external DNS queries are probably going to be the same.  Everyone’s still accessing the same internal resources and the same pattern of external websites.  The only difference is that they’re getting to the network through a VPN instead of an in-office connection.

What you should do:  Thank your lucky stars that you aren’t trying to juggle IP address spreadsheets on top of everything else that’s going on.

Dig deeper into recommendations for network configuration in our infrastructure deployment white paper.

