Last updated: 
4 days 7 hours ago
Blog Manager
We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment to conduct your online activities. Our primary function is monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

Simple ways to improve your DNS resilience and security: #1 Redundancy

Tuesday, June 24, 2014 - 13:52

When providing DNS nameserver services a degree of redundancy is needed. In most cases the DNS records for a particular domain will be hosted by at least two nameservers, but is that enough by itself?

When building a resilient system the risks involved with the failure modes of the system need to be considered and weighed up against the associated costs and overheads. As a common example - does having both DNS servers on the same local network segment provide you with protection against network failure? Probably not.

How about hosting the two nameservers on different network segments but at the same site? Would that protect you against a catastrophic environmental threat such as flooding? Is it actually important to your organisation that DNS services are continued in the face of such an event? With an increasing number of business functions such as e-mail and finance being provided as cloud services, your nameservers might be a key piece of infrastructure for services that would otherwise run independently of your physical operations.

You could think about moving nameservers to geographically disparate sites connected by a site-to-site link. This can create it's own problems with reliance on a small number of connections to provide Internet connectivity to the outside world. It may make more sense to host secondary nameserver services on someone else's network, perhaps on a like-for-like basis with another institution, or with an external service provider.

At the extreme end, an Anycast based DNS infrastructure can automatically route DNS queries to the user's nearest nameserver. Combined with virtualised nameservers hosted around the world, this can provide a highly resilient and responsive DNS service.

More information on the DNS services that Janet provides, including primary and secondary nameserver services, can be found on the Janet website or by contacting the service desk.