Nobody planned for this. Working from home may have been at the back of everyone’s mind as a glorious utopian state. Even so, they probably thought of it as five years away, ten years away, or one of those “always on the horizon” kind of things. Now, suddenly, just about everyone who can work from home is doing it.
Here at BlueCat, we’ve been polling our customers and combing through the data to figure out what this all means for your DNS. Here’s what we’re seeing and hearing:
Increased use of DNS over HTTPS (DoH): As outlined in a recent post, use of DoH started to skyrocket over the last two weeks, jumping an astounding 1500% across our user base. This should be a concern for network administrators, who suddenly lack visibility into DoH-encrypted traffic.
What you should do: Block existing DoH services through use of a response policy zone (RPZ). This is a five-minute configuration change in our DNS Integrity product.
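To make the RPZ recommendation concrete, here is an added example (not BlueCat's DNS Integrity configuration or code) that renders a BIND-style RPZ zone with QNAME triggers for a constructed sample list of public DoH resolver hostnames, then applies the same trigger-matching rules to a few constructed resolver query-log lines so you can see which queries the policy would rewrite. The zone origin `rpz.example.` and the resolver list are assumptions to adapt to your own environment; `CNAME .` is the standard RPZ encoding for "answer NXDOMAIN". The Firefox canary name `use-application-dns.net` is included because the browser checks it and, on NXDOMAIN, stays on the system resolver instead of switching to DoH.

```python
"""Added example: an RPZ that blocks known DoH resolvers, plus a checker that
applies RPZ QNAME-trigger semantics to sample queries. Not BlueCat code."""

# Constructed sample of public DoH resolver hostnames. A real deployment would
# maintain this list from its own policy and threat intelligence.
DOH_RESOLVERS = [
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
]

# Firefox probes this canary domain; an NXDOMAIN answer signals that the
# network manages DNS and the browser should keep using the system resolver.
CANARY_DOMAIN = "use-application-dns.net"

# RPZ encodes the policy action in the CNAME target of the trigger record.
RPZ_ACTIONS = {
    ".": "NXDOMAIN",              # answer "no such name"
    "*.": "NODATA",               # answer "name exists, no records"
    "rpz-passthru.": "PASSTHRU",  # exempt the name from policy
}


def build_rpz_zone(origin="rpz.example.", blocked=None):
    """Render a BIND-style RPZ zone (assumed origin rpz.example.). Each blocked
    name gets an exact trigger and a wildcard trigger covering subdomains."""
    blocked = DOH_RESOLVERS + [CANARY_DOMAIN] if blocked is None else blocked
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{origin} 1 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for name in blocked:
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


def parse_rpz(zone_text):
    """Extract QNAME triggers from RPZ zone text as {trigger_name: action}.
    Skips directives, the apex records and comments; tolerates optional
    TTL/class fields between the owner name and the CNAME type."""
    triggers = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$") or line.startswith("@"):
            continue
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "CNAME" in upper:
            target = fields[upper.index("CNAME") + 1]
            triggers[fields[0].lower()] = RPZ_ACTIONS.get(target, "LOCAL-DATA")
    return triggers


def rpz_lookup(qname, triggers):
    """Apply RPZ QNAME-trigger matching: an exact match wins over a wildcard,
    and among wildcards the one closest to the query name wins. A wildcard
    *.a.b never matches a.b itself. Returns the action or None."""
    labels = qname.rstrip(".").lower().split(".")
    exact = ".".join(labels)
    if exact in triggers:
        return triggers[exact]
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in triggers:
            return triggers[wildcard]
    return None


# Constructed sample of resolver query-log entries (qname and qtype only).
SAMPLE_QUERIES = [
    "dns.google A",
    "mozilla.cloudflare-dns.com A",
    "use-application-dns.net A",
    "intranet.corp.example A",
    "www.example.com AAAA",
]


def audit_queries(queries, zone_text):
    """Return {qname: action} for every query the RPZ would rewrite."""
    triggers = parse_rpz(zone_text)
    hits = {}
    for entry in queries:
        qname = entry.split()[0]
        action = rpz_lookup(qname, triggers)
        if action:
            hits[qname] = action
    return hits


if __name__ == "__main__":
    zone = build_rpz_zone()
    print(zone)
    for q, a in audit_queries(SAMPLE_QUERIES, zone).items():
        print(f"{q:35} -> {a}")
```

Running the script prints the zone text followed by the three sample queries the policy would answer with NXDOMAIN; the intranet and ordinary web queries pass untouched. Loading the generated zone into a resolver that supports RPZ (and logging policy hits) gives both the block and the visibility the post is asking for, since every rewritten query shows up in the resolver's RPZ log.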
Split tunnel VPNs: So-called “split tunnel” VPNs separate internal corporate traffic from external DNS connections. Internal traffic goes through the VPN as usual, but external traffic is routed through the user’s ISP. The advantage of a split tunnel VPN is reduced load on corporate networks. The downside is decreased visibility into external domain traffic, and the inability to block those DNS queries.
What you should do: To maintain visibility and control over all network activity on corporate devices, admins should consider reconfiguring VPN settings to have all DNS queries come through the corporate DNS. Most clients do this anyway (since you can’t resolve intranet names without corporate DNS), and it also avoids the risk of a poisoning attack in which an external DNS server misdirects users to an external site. Fair warning: split tunnels can be a nightmare to manage.
Bandwidth and application performance issues: As remote workers continue to use VPN connections, the downstream effects on capacity will be significant. Are there enough networks allocated for VPN users? Are underlying services like DHCP correctly sized for increased remote usage? Is latency increasing to an unacceptable level? You can have all the VPN licenses in the world, but if devices can’t obtain network addresses then they can’t connect anyway.
What you should do: Network admins should look for new choke points in network access and implement strategies to mitigate the risk of scaling in new directions. That could mean creating new networks to account for expanded VPN usage, and revisiting DHCP allocations to make sure there’s enough capacity. If you’re not there already, now’s the time to lean on SaaS solutions to decrease latency-inducing connections to the core network.
Business as usual: Thankfully, the day-to-day management of DNS infrastructure hasn’t actually changed that much over the last month. The patterns of internal and external DNS queries are probably going to be the same. Everyone’s still accessing the same internal resources and the same pattern of external websites. The only difference is that they’re getting to the network through a VPN instead of an in-office connection.
What you should do: Thank your lucky stars that you aren’t trying to juggle IP address spreadsheets on top of everything else that’s going on.
Dig deeper into recommendations for network configuration in our infrastructure deployment white paper.