review

Onega March 2016 Planned Engineering and First Focus on DNS

This is to let you know about some March Planned Engineering and Service Updates - and our fist 'Bono Pastore' Focus area. Please see the background and overview of the program at http://www.onega.net/blog/2016/03/2/bono-pastore if you're not yet aware of this.

Our first best practice focus is going to be on DNS (Internet Domain Name Services) and making sure that clients systems (as well as our own) are in-line with best practice in this area.
 

In business terms:

DNS is the system that allows us to register Internet domains for our organisations and to browse the web and send emails with friendly names like www.bbc.co.uk www.onega.net and fred@onega.net etc. So much uses DNS that we often take it for granted much of the time – and well implemented so we should.

Being such an important system, we want to make sure that client implementations are optimal in three key areas relating to DNS:

Domain Registrations – This is the administration of your domain and the registration of it. We want to help make sure that all the details related to your domains are up to date, correct & appropriate, not due to expire any time soon etc.

Internal Resolution – This is how client and server computing devices carry out Internet resolution so that you can connect to the Cloud quickly, reliably and safely (see  Secure DNS Services for more on this).

External Resolution – This is how people find your organisation and services on the Internet – to know where to send you email, browse your website and communicate via electronic means etc. It is important that this service be provided robustly and reliably.

Our object is to conduct a review to ensure that these aspects of DNS are all well implemented across our client organisations.

The next steps are:

We will be in contact with clients over the coming weeks to ensure that we run through your DNS configuration with you. Don’t worry if you’re not technical – we are happy to take care of those parts. We have a checklist which we’ll complete with you so that we capture the key information about your domains, and identify any areas that need attention so that we (you or us as per preference and can work to resolve these and get them checked off.

For clients under Onega managed services contracts we'll liaise with you and do most of the running on this to help make sure your DNS is good and documented. For clients with whom we have PAYG agreementswe can agree with you who will do what with the aim that we make sure all our your services are robust.

Expect us to be in touch soon then about next steps and starting the process. If you are not under contract with Onega (or not sure) and would like to engage in the DNS best practice review process then please do get in touch and we’ll be happy to add you to the review rosta.

For reference:

Internet DNS Best Practice Policy – http://intwiki.onega.net/index.php?title=Internet_DNS_Configuration_Best_Practice_Policy

Organisational DNS Checklist - http://intwiki.onega.net/index.php?title=Organisational_DNS_Checklist

For information on Secure DNS Services:

http://www.onega.net/blog/2015/6/4/the-importance-of-using-secure-dns-servers

If you don’t have a login for the Onega’s Policy and Procedure wiki then please get in touch and we’ll setup access for you.

Technical changes that will occur on Onega Infrastructure:

Tuesday 22nd March 2016 12:00 (Midday) GMT - We will be changing the configuration of our two legacy DNS servers 81.3.75.71 and 81.3.75.72 to no longer act as recursive resolvers. Thus any computers or servers that are using these servers for DNS will need to be updated to use alternate (eg Secure DNS) servers before this cut off date.

Tuesday 12th April 2016 12:00 (Midday) GMT - We plan to turn off these two DNS servers - thus any zones hosted on these servers will need to be moved before that time.  We have new servers in place to take the zones and migrations will be done as part and in conjunction with the best practice review process – the new DNS servers being more best practice compliant than our legacy servers.

Why are we making these changes?

In short, so that we also comply with our own guidelines for Best Practice, but in more detail:

1) Comply with best practice - Recursive DNS Servers (ones that do lookups for client PCs) should be split off in role from ones that host DNS Zones.

2) For best security and maintain best performance of the service - Recursive resolvers can be abused in DNS Amplfication attacks (see https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html if you're interested to learn more

3) So that we make sure all clients are resolving securely to the Internet and to retire an older Windows Server 2003 DNS Server which is coming towards end of life.

What happens if I don’t have best practice DNS?

We don’t want to scare anyone but if you don’t comply with best practice then you risk (in the worst case):

  1. Losing your domain or having it suspended.
  2. Not being able to access the Internet
  3. Not being able to send or receive email
  4. Clients getting redirected to phishing or competitor’s websites and email going the same way.
  5. Being unprotected at DNS level against infected websites.

The above are worst case scenarios but we aim to greatly reduce the risk of occurrence by complying with best practice with regards to your domains.

Once we've been through the review process with you the outcome should be that we can all sleep easier knowing that the DNS aspect of your IT is in very good order.