Enterprise tactics to manage DNS for remote work

When everyone’s working from home, there are a few network configurations you may want to pay more attention to. Here are some best practices to consider.


April 6, 2020

Nobody planned for this.  Working from home may have been at the back of everyone’s mind as a glorious utopian state.  Even so, they probably thought of it as five years away, ten years away, or one of those “always on the horizon” kind of things.  Now, suddenly, just about everyone who can work from home is doing it.

Here at BlueCat, we’ve been polling our customers and combing through the data to figure out what this all means for your DNS.  Here’s what we’re seeing and hearing:

Increased use of DNS over HTTPS (DoH):  As outlined in a recent post, use of DoH started to skyrocket over the last two weeks, jumping an astounding 1500% across our user base.  This should be a concern for network administrators, who suddenly lack visibility into DoH-encrypted traffic.

What you should do:  Block existing DoH services through use of a response policy zone (RPZ).  This is a five-minute configuration change in our DNS Integrity product.
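As an added illustration (not configuration from the original post or from BlueCat's product), here is what the same policy looks like in a plain BIND 9 recursive resolver: a response policy zone that answers NXDOMAIN for the hostnames DoH clients must resolve before they can reach the encrypted service. The zone name `rpz.corp.example`, the file path and the `doh-provider-*.example` hostnames are placeholders; substitute the hostnames of the public DoH services you intend to block.

```bind
// ---- named.conf (added example) ----
options {
    // Attach the policy zone; each record carries its own action (CNAME . = NXDOMAIN)
    response-policy { zone "rpz.corp.example"; };
};

zone "rpz.corp.example" {
    type master;
    file "/etc/bind/rpz.corp.example.zone";   // placeholder path
    allow-query { none; };                     // policy data is never served to clients
};

; ---- /etc/bind/rpz.corp.example.zone (added example) ----
$TTL 300
@   IN SOA localhost. hostmaster.corp.example. ( 2020040601 3600 900 604800 300 )
    IN NS  localhost.
; QNAME triggers: the bare name and a wildcard for any hostname beneath it.
; "CNAME ." means the resolver returns NXDOMAIN, so the browser's DoH
; bootstrap lookup fails and it falls back to the corporate resolver.
doh-provider-a.example      CNAME .   ; placeholder, replace with a real DoH hostname
*.doh-provider-a.example    CNAME .
doh-provider-b.example      CNAME .   ; placeholder
*.doh-provider-b.example    CNAME .
; Firefox's canary domain: an NXDOMAIN answer here tells Firefox not to
; enable DoH automatically on this network.
use-application-dns.net     CNAME .
```

BIND logs every rewrite under its `rpz` logging category, which gives you an inventory of which clients are still attempting DoH. Note that the policy only applies to queries that actually reach the corporate resolver, which is why it pairs with the VPN DNS setting discussed below.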

Split tunnel VPNs:  So-called “split tunnel” VPNs separate traffic bound for the corporate network from traffic bound for the internet.  Internal traffic goes through the VPN as usual, but external traffic, including its DNS lookups, is routed through the user’s ISP.  The advantage of a split tunnel VPN is reduced load on corporate networks.  The downside is decreased visibility into external domain traffic, and the inability to block those DNS queries.

What you should do:  To maintain visibility and control over all network activity on corporate devices, admins should consider reconfiguring VPN settings to have all DNS queries come through the corporate DNS.  Most deployments already do this, since intranet names can’t be resolved without corporate DNS, and it also avoids the risk of a poisoning attack in which an external resolver misdirects users to an external site.  Fair warning: split tunnels can be a nightmare to manage.

Bandwidth and application performance issues:  As remote workers continue to use VPN connections, the downstream effects on capacity will be significant.  Are there enough networks allocated for VPN users?  Are underlying services like DHCP correctly sized for increased remote usage?  Is latency increasing to an unacceptable level?  You can have all the VPN licenses in the world, but if devices can’t obtain network addresses then they can’t connect anyway.

What you should do:  Network admins should look for new choke points in network access and implement strategies to mitigate the risk of scaling in new directions.  That could mean creating new networks to account for expanded VPN usage, and revisiting DHCP allocations to make sure there’s enough capacity.  If you’re not there already, now’s the time to lean on SaaS solutions to decrease latency-inducing connections to the core network.

Business as usual:  Thankfully, the day-to-day management of DNS infrastructure hasn’t actually changed that much over the last month.  The patterns of internal and external DNS queries are probably going to be the same.  Everyone’s still accessing the same internal resources and the same pattern of external websites.  The only difference is that they’re getting to the network through a VPN instead of an in-office connection.

What you should do:  Thank your lucky stars that you aren’t trying to juggle IP address spreadsheets on top of everything else that’s going on.

Dig deeper into recommendations for network configuration in our infrastructure deployment white paper.

BlueCat is the Adaptive DNS company. The company’s mission is to help organizations deliver reliable and secure network access from any location and any network environment. To do this, BlueCat re-imagined DNS. The result – Adaptive DNS – is a dynamic, open, secure, scalable, and automated DDI management platform that supports the most challenging digital transformation initiatives, like adoption of hybrid cloud and rapid application development.
