Don’t Mess with your DNS!

“Is Kumar coming over today?” asked my 10-year-old son last Saturday morning.?

As it happens, Kumar is not a friend, relative, or neighbor — but he’s starting to feel like all three.?Kumar is our plumber.

And, thanks to his recent and frequent visits to our house — we’ve had a rash of bad luck related to our dishwasher, garbage disposal, sink, and toilet (actually, two toilets, but who’s counting?) — my kids have started looking forward to Kumar’s arrival. He’s very friendly and always takes a few minutes to chat with them.

The truth is, I look forward to Kumar’s visits too, although not for the same reasons. For me, and while I would certainly prefer that our plumbing issues just magically went away,?Kumar is a trusted, reliable, expert resource… one who shows up quickly whenever there is a problem.

DNS is Like Plumbing

Plumbing is great when it works happily in the background. When it doesn’t, you better have someone like Kumar on speed dial.?The same can be said for DNS (Domain Name System), the directory that tells Internet infrastructure how to route traffic.

Is DNS important? Only if you want emails sent to you to show up in your inbox and those who type in your company URL to land on your home page. That’s DNS at work — like plumbing, you don’t usually notice it until it stops working properly.

Unlike?plumbing, of course, DNS isn’t a physical thing — it doesn’t clog, break, or wear out.?But… if somebody fools with the settings, well-intentioned or not, the mess it leaves can be much worse.

We need only look as far as the?Facebook / Instagram / Whatsapp misstep?from a couple of weeks ago (a six-hour shutdown of all three services, Facebook’s internal employee network, and even the security badges that allow access into buildings on the Facebook campus) to get a sense of the havoc a bad DNS configuration can wreak on an unsuspecting company.

?In other words, DNS is serious!

DNS Touches Many Aspects of Your Business

It would be an overstatement to claim that every small business owner needs to become a DNS expert. That said, I do find myself involved with it on a fairly regular basis. That’s because DNS comes into play when performing a number of common business activities, including…

… changing your web hosting provider

… setting up email marketing or automation tools

… verifying domain ownership with Google, Apple, Microsoft, and others

… tightening up email security with DMARC or SPF

The point is, there are lots of reasons to go into an organization’s DNS settings.?Any reasonably-sized company could expect to make a change or two at least once a year.?

Unfortunately, and because DNS falls under the heading of “fairly mundane, blocking and tackling tech stuff,”?many small companies pay little attention to who has access.?For example:?

• Does your marketing intern have access because it’s his/her job to acquire additional domain names or set up new marketing services?
• Do former employees or contractors still have access to your DNS?
• Do you know which (or even, how many) current employees could change your DNS?
• Do you perform regular access controls reviews?
• Do you know where your DNS records are housed?

I’m not saying all this to scare you (okay, maybe a little). But I do want you to take DNS management seriously.?Three suggestions in that regard:

#1.?Limit the number of people who have access.?

You don’t let anyone and everyone have access to your company bank accounts; you want the same level of vigilance with your DNS. For most medium-sized companies, that means giving access to just three people: two senior technical folks and one other trusted person. Remember that with each additional person that has access, your risk increases?exponentially.

#2.?Turn on Multi-Factor Authentication.

This additional layer of protection helps ensure that the bad guys, of which there are many, can’t get in and that your company stays on the Internet and your business keeps flowing.

#3.?Institute a change management process.?

Whenever making adjustments to DNS settings, it’s critical that change control is in place (i.e., a standardized, systematic process) and that these changes are reviewed by a peer.

Conclusion

As of this writing, it is still unclear what exactly caused the Facebook meltdown, let alone how much money the company lost in those six hours of downtime. Whatever the reason(s), if it can happen to Facebook, it can happen to any of us.?Take steps now to ensure that your DNS management is well thought out and properly controlled!

As for me, and based on how frequently he’s been at the house, I’m thinking I should probably invite Kumar over for Thanksgiving dinner. Let’s just hope he doesn’t send me a bill.

Want to get great cybersecurity content delivered to your inbox??Click here?to sign up for our monthly newsletter, Tales from the Click.

This article was originally published on the Fractional CISO blog.