Have you ever really thought about the importance of DNS to your business?
DNS, the Domain Name System, is sometimes called the “phonebook of the Internet.” Just as a phonebook lets you look up the addresses and phone numbers of people and businesses, DNS organizes domain names and their corresponding IP addresses so that anyone can look them up easily. For example, a quick DNS query shows that the IPv4 address for networkworld.com is 22.214.171.124 (and there is apparently no IPv6 address!).
But DNS stores much more than just IP addresses. Email protocols rely on DNS extensively to store information about message routing (MX records), policy (SPF records) and digital signatures (DKIM). DNS also houses cryptographic keys for not only its own security uses, but also for email and now even websites (TLSA records). The extensibility, versatility, and ubiquity of DNS makes it an ideal choice for storing all kinds of information. Because so much depends on DNS, it is a critically important service; every time you use the Internet, you’re relying on DNS.
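To make concrete what "stores much more than just IP addresses" means on the wire, here is an added example (not code from the original article) that decodes a DNS response message in the RFC 1035 format and pulls out an A record, an MX record and a TXT record carrying an SPF policy. The response bytes are constructed inline for the hypothetical name example.com; the zone data in them is invented for illustration. The decoder follows name-compression pointers, which real responses use heavily, and caps pointer hops so a malformed packet cannot send it into a loop.

```python
import struct

# Record type codes from RFC 1035; SPF policy is carried in TXT (RFC 7208)
TYPE_A, TYPE_MX, TYPE_TXT, TYPE_ANY = 1, 15, 16, 255
MAX_POINTER_HOPS = 16  # defensive bound against looping compression pointers


def read_name(msg, offset):
    """Decode a possibly-compressed domain name starting at offset.

    Returns (name, offset_after_name). Compression pointers (RFC 1035 4.1.4)
    are followed, but the returned offset is the byte after the first pointer."""
    labels, hops, jumped, end = [], 0, False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_rdata(msg, rtype, start, rdlength):
    """Interpret the RDATA of one resource record; unknown types stay raw bytes."""
    rdata = msg[start:start + rdlength]
    if rtype == TYPE_A:
        return ".".join(str(b) for b in rdata)
    if rtype == TYPE_MX:  # preference, then the exchange name (may be compressed)
        preference = struct.unpack("!H", rdata[:2])[0]
        exchange, _ = read_name(msg, start + 2)
        return (preference, exchange)
    if rtype == TYPE_TXT:  # one or more <length><bytes> character-strings
        strings, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            strings.append(rdata[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return "".join(strings)
    return rdata


def parse_response(msg):
    """Parse header, skip the question section, and return the answer records."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, ttl, parse_rdata(msg, rtype, offset, rdlength)))
        offset += rdlength
    return {"id": ident, "rcode": flags & 0xF, "answers": answers}


# --- constructed sample response (not captured from a real server) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in s.split(".")) + b"\x00"


def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


PTR_QNAME = b"\xc0\x0c"  # pointer back to the question name at offset 12
SPF = b"v=spf1 mx -all"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)  # QR, RD, RA; 3 answers
    + _name("example.com") + struct.pack("!HH", TYPE_ANY, 1)
    + _rr(PTR_QNAME, TYPE_A, 300, bytes([192, 0, 2, 10]))
    + _rr(PTR_QNAME, TYPE_MX, 3600, struct.pack("!H", 10) + b"\x04mail" + PTR_QNAME)
    + _rr(PTR_QNAME, TYPE_TXT, 3600, bytes([len(SPF)]) + SPF)
)

if __name__ == "__main__":
    for name, rtype, ttl, data in parse_response(SAMPLE_RESPONSE)["answers"]:
        print(name, rtype, ttl, data)
```

The MX exchange name in the sample is written as the label "mail" followed by a pointer to the question name, which is exactly how servers compress repeated suffixes; a parser that does not follow pointers would print "mail" and lose the rest.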
If you have not considered the importance of DNS to your business, it’s time to give it a second thought. Running a smooth DNS operation will not only help your business run with greater efficiency and help ensure you don’t have damaging outages, but will also improve your bottom line. Here are four simple questions IT executives and CIOs should consider to assess the strength of their DNS infrastructure.
How is your domain’s data made available on the Internet?
A web server hosts web content; in DNS terms, we say a name server is authoritative for a domain’s DNS data. Your domain needs authoritative name servers, and you can either run them yourself or outsource. If you run your own name servers, you install and configure either commercial or open source name server software on your own hardware. Another option is to buy DNS appliances, a combined hardware/software solution. Many companies also choose to outsource to a Managed DNS provider, handing the responsibility to experts who specialize in the technology day in and day out.
How fast are your domain’s name servers?
As I mentioned in my previous post, the speed of your website matters a lot. Users won’t wait for a slow site and will take their eyeballs and wallets elsewhere if your site is not optimized. Speedy DNS resolution allows the browser to start rendering the page that much sooner, so milliseconds matter when it comes to how fast users can look up information in your domain. Often, there are as many as 10 to 20 DNS lookups associated with that website's domains or other domains owned by the organization (e.g. networkworld.com, staticworld.net, idge.staticworld.net, etc.). Each of those DNS requests is an opportunity to improve the end user experience, but each also risks delaying the page. While the difference between 20ms DNS responses and 100ms responses doesn't seem like much, it can significantly affect the page load time when there are many requests.
Beyond that, DNS resolution speed is largely determined by round trip network latency, and latency is a function of geographic distance, which argues for having more name servers and distributing them throughout the world. It’s also better to assign the name servers a small number of IP anycast addresses. By using anycast, you let the Internet’s BGP routing system determine the optimum route between client and server. With unicast addresses alone, your users may end up querying name servers on the other side of the world. An important question to ask when taking this route: does your company have the infrastructure, talent, and budget to run a worldwide distributed network of name servers?
How available and reliable are your domain’s name servers?
Obviously, your name servers need to be up and working properly for users to resolve your site’s domain name. Having more name servers not only helps with performance, as mentioned above, but also improves availability.
Put simply: if one of your name servers fails, it is imperative to have others to pick up the slack. Name servers are a common target for DDoS attacks, so having the tools to mitigate attacks is crucial, as well as the server capacity and bandwidth to withstand them as a last resort. As with any service, you’ll need to monitor availability so you detect outages before your users, and you need the expertise to troubleshoot when something does go wrong.
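The two questions above, response time and availability, are both answered by the same measurement: send a query to each name server and record whether a valid reply came back and how long it took. The following is an added example, not code from the original article, of a minimal monitor that does this over UDP and flags servers that time out, answer with an error code, or exceed a latency threshold. The name example.com and the threshold values are placeholders; `start_stub_server` is a constructed stand-in for a name server on the loopback interface so the monitor can be exercised offline, and it is not a real DNS implementation.

```python
import os
import socket
import struct
import threading
import time


def build_query(qname, qtype=1):
    """Build a minimal RFC 1035 query for qname (default type A); returns (id, packet)."""
    ident = int.from_bytes(os.urandom(2), "big")  # random ID, checked on reply
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = qname.strip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return ident, header + qname_wire + struct.pack("!HH", qtype, 1)


def probe(server, qname, timeout=2.0, port=53):
    """Send one query to server:port and report status and round-trip time in ms."""
    ident, packet = build_query(qname)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(packet, (server, port))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return {"server": server, "status": "timeout", "rtt_ms": None}
    except OSError as exc:  # e.g. ICMP port unreachable surfaced by the kernel
        return {"server": server, "status": "error: %s" % exc, "rtt_ms": None}
    finally:
        sock.close()
    rtt_ms = (time.monotonic() - start) * 1000.0
    if len(data) < 12:
        return {"server": server, "status": "malformed", "rtt_ms": rtt_ms}
    reply_id, flags = struct.unpack("!HH", data[:4])
    if reply_id != ident:  # not the answer to the question we asked
        return {"server": server, "status": "id-mismatch", "rtt_ms": rtt_ms}
    rcode = flags & 0xF
    status = "ok" if rcode == 0 else "rcode-%d" % rcode
    return {"server": server, "status": status, "rtt_ms": rtt_ms}


def check_servers(servers, qname, timeout=2.0, port=53, slow_ms=100.0):
    """Probe every server; mark an alert for anything not 'ok' or slower than slow_ms."""
    results = [probe(s, qname, timeout, port) for s in servers]
    for r in results:
        r["alert"] = r["status"] != "ok" or r["rtt_ms"] > slow_ms
    return results


def start_stub_server(reply=True):
    """Constructed stand-in for a name server on 127.0.0.1; returns its port.

    It echoes the query back with QR set and RCODE 0 (no answers). With
    reply=False it swallows queries so a probe observes a timeout."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        while True:
            data, addr = srv.recvfrom(512)
            if reply and len(data) >= 12:
                srv.sendto(data[:2] + b"\x81\x80" + data[4:], addr)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demo against the loopback stub; for real use, pass your authoritative
    # name servers' addresses and leave port at 53.
    port = start_stub_server(reply=True)
    for r in check_servers(["127.0.0.1"], "example.com", timeout=1.0, port=port):
        print(r)
```

Running this from several vantage points on a schedule, and alerting on `alert`, is the minimum needed to learn about an outage before your users do; a query that returns an RCODE other than zero is just as much a failure as one that never comes back, which is why the status check precedes the latency check.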
How secure are your name servers?
There are at least two dimensions of security that are important to understand: the security of the name server software itself and the integrity of the DNS data. If you run your own servers, your company needs to stay on top of your name server vendor’s security patches, just as you do for any other service. But you should also consider the security of the DNS data itself. For a long time there was no way to protect the integrity of DNS data as it traveled from server to client, but that’s changed in recent years with the increasing deployment of DNSSEC, the DNS security extensions. DNSSEC allows you to cryptographically sign your DNS data to protect it both at rest and in transit and allow a client to verify that the data received has not been tampered with. DNSSEC is complicated and requires ongoing maintenance to keep signing data and occasionally rolling keys: if you want to deploy DNSSEC, make sure you have good support from a vendor.
DNS is critical to the Internet and critical to your business. Be sure you’re aware of all the factors that need attention to make DNS run smoothly for you.
This article is published as part of the IDG Contributor Network.