dns

Onega March 2016 Planned Engineering and First Focus on DNS

This is to let you know about some March Planned Engineering and Service Updates - and our fist 'Bono Pastore' Focus area. Please see the background and overview of the program at http://www.onega.net/blog/2016/03/2/bono-pastore if you're not yet aware of this.

Our first best practice focus is going to be on DNS (Internet Domain Name Services) and making sure that clients systems (as well as our own) are in-line with best practice in this area.
 

In business terms:

DNS is the system that allows us to register Internet domains for our organisations and to browse the web and send emails with friendly names like www.bbc.co.uk www.onega.net and fred@onega.net etc. So much uses DNS that we often take it for granted much of the time – and well implemented so we should.

Being such an important system, we want to make sure that client implementations are optimal in three key areas relating to DNS:

Domain Registrations – This is the administration of your domain and the registration of it. We want to help make sure that all the details related to your domains are up to date, correct & appropriate, not due to expire any time soon etc.

Internal Resolution – This is how client and server computing devices carry out Internet resolution so that you can connect to the Cloud quickly, reliably and safely (see  Secure DNS Services for more on this).

External Resolution – This is how people find your organisation and services on the Internet – to know where to send you email, browse your website and communicate via electronic means etc. It is important that this service be provided robustly and reliably.

Our object is to conduct a review to ensure that these aspects of DNS are all well implemented across our client organisations.

The next steps are:

We will be in contact with clients over the coming weeks to ensure that we run through your DNS configuration with you. Don’t worry if you’re not technical – we are happy to take care of those parts. We have a checklist which we’ll complete with you so that we capture the key information about your domains, and identify any areas that need attention so that we (you or us as per preference and can work to resolve these and get them checked off.

For clients under Onega managed services contracts we'll liaise with you and do most of the running on this to help make sure your DNS is good and documented. For clients with whom we have PAYG agreementswe can agree with you who will do what with the aim that we make sure all our your services are robust.

Expect us to be in touch soon then about next steps and starting the process. If you are not under contract with Onega (or not sure) and would like to engage in the DNS best practice review process then please do get in touch and we’ll be happy to add you to the review rosta.

For reference:

Internet DNS Best Practice Policy – http://intwiki.onega.net/index.php?title=Internet_DNS_Configuration_Best_Practice_Policy

Organisational DNS Checklist - http://intwiki.onega.net/index.php?title=Organisational_DNS_Checklist

For information on Secure DNS Services:

http://www.onega.net/blog/2015/6/4/the-importance-of-using-secure-dns-servers

If you don’t have a login for the Onega’s Policy and Procedure wiki then please get in touch and we’ll setup access for you.

Technical changes that will occur on Onega Infrastructure:

Tuesday 22nd March 2016 12:00 (Midday) GMT - We will be changing the configuration of our two legacy DNS servers 81.3.75.71 and 81.3.75.72 to no longer act as recursive resolvers. Thus any computers or servers that are using these servers for DNS will need to be updated to use alternate (eg Secure DNS) servers before this cut off date.

Tuesday 12th April 2016 12:00 (Midday) GMT - We plan to turn off these two DNS servers - thus any zones hosted on these servers will need to be moved before that time.  We have new servers in place to take the zones and migrations will be done as part and in conjunction with the best practice review process – the new DNS servers being more best practice compliant than our legacy servers.

Why are we making these changes?

In short, so that we also comply with our own guidelines for Best Practice, but in more detail:

1) Comply with best practice - Recursive DNS Servers (ones that do lookups for client PCs) should be split off in role from ones that host DNS Zones.

2) For best security and maintain best performance of the service - Recursive resolvers can be abused in DNS Amplfication attacks (see https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html if you're interested to learn more

3) So that we make sure all clients are resolving securely to the Internet and to retire an older Windows Server 2003 DNS Server which is coming towards end of life.

What happens if I don’t have best practice DNS?

We don’t want to scare anyone but if you don’t comply with best practice then you risk (in the worst case):

  1. Losing your domain or having it suspended.
  2. Not being able to access the Internet
  3. Not being able to send or receive email
  4. Clients getting redirected to phishing or competitor’s websites and email going the same way.
  5. Being unprotected at DNS level against infected websites.

The above are worst case scenarios but we aim to greatly reduce the risk of occurrence by complying with best practice with regards to your domains.

Once we've been through the review process with you the outcome should be that we can all sleep easier knowing that the DNS aspect of your IT is in very good order.

The Importance of Using Secure DNS Servers

All good IT administrators know that maintaining a secure, productive and supportable computing environment means considering (and implementing) security at many levels. There is a whole load more to it than just installing a virus scanner on all your computers (though deploying a good antivirus and anti-malware solution is of course one element in this). Ideally you'll have Endpoint protection for AV and Malware on all desktops, laptops and servers (Onega tend to recommend and use Kaspersky, AVG and MalwareBytes depending on use case), but also a secure firewall (e.g. a good Watchguard XTM or similar unit) and external cloud based email filtering to reduce the risk of anything untoward getting into your network in the first place.

One thing we are also now recommending (aside from reminding people about limiting use of full admin rights to a PC - see http://www.onega.net/blog/2015/6/4/are-you-logged-in-with-admin-level-credentials-on-your-computer-right-now ) is to set your external DNS servers to be secure servers.

In QA format - here you are:

Q. What is the difference between Secure and Non-Secure DNS Servers?
A. In this context, the answer is that a standard or non-secure DNS server does a good job of DNS resolution and turning your request for http://www.randomwebsite.com/ into the IP address (143.95.83.184 in IPV4 Land as I type) that hosts the site for your web browser to connect to or your email to be delivered to etc.  The resolution process is simple, fast and robotic and the DNS server will cache entries for fast response or look them up for you recursively from first principles and the Root DNS Servers. When the server has the result then it gives it to you.  A secure DNS Server adds an extra level of security to this process. It will lookup websites and Internet addresses, but before giving you the result, it will check that the IP address is of known good or known bad reputation (or check it with a virus scanner first); such that if the site is deemed clean then your computer is given the IP address in the blink of an eye. If the site is one that you'd probably be glad not to be visiting, then the DNS server will redirect you to a harmless web page which will let you know why you are there.

Q. Put simply, what is the benefit of secure DNS?
A. It helps reduce this risk of accidentally browsing to an undesirable website that might otherwise have tried to install malware or other junk on your computer. Thus you are very likely to save hard money through reduced downtime and lost productivity and also less time to fix (and cost of fix) on a machine otherwise.

Q. Which Secure DNS Servers to we recommend?
A. The two main contenders at the moment for secure DNS are:

Comodo Secure DNS: 8.26.56.26 and 8.20.247.20
(See https://www.comodo.com/secure-dns/index.html )

OpenDNS: 208.67.222.222 and 208.67.220.220 (others are available on premium packages - these are free for public use)
(See https://www.opendns.com/ )

Q. How to we implement Secure DNS?
A. Make note of the DNS server addresses above, and either set these individually on a PC / laptop (if not in an office environment) or else set these servers as the DNS Forwarding servers on a Linux / Windows / Mac Server DNS server in an office environment. DHCP should give out DNS servers that relate to these (or actually give the addresses out if you don't have an Active Directory environment).
.. or just ask Onega of course and we can help configure these for you quickly.

Q. Is there a Cost?
A. If you are a business then it is of benefit to subscribe to one of the premium services which has a modest charge but this is of relatively trivial level and soon, anecdotally, pays for itself. The premium services also give you the confidence of an SLA as well as extra features. On the setup / installation / configuration of secure DNS in your environment, Onega would do this for you, either free if you are under a proactive maintenance agreement with us, or based on our standard PAYG time charges (it would normally take no more than an hour on the average client network servers and firewalls, unless you have a really big system).

Q. What about Google's DNS - is that Service Secure? (8.8.8.8 and 8.8.4.4)
A. No, not in the sense being discussed here. Google being Google, that is likely to change over time.