Why You Need a Secondary DNS

How long can your business afford to be offline? 

Last month, a large Canadian telecommunications provider suffered a catastrophic outage for more than 18 hours. Many Canadians found themselves disconnected when cellular networks and the internet failed to respond—at home or at work. Businesses turned away customers because they couldn’t process debit or credit payments. In some cases, emergency services like 911 were unavailable. One analyst pegged the cost to the economy at almost $150 million. 

According to Gartner, a network outage can cost the average enterprise about $5,600 per minute. That price tag can balloon to hundreds of thousands of dollars per hour. DNS is part of the mission-critical network infrastructure for enterprises. A resilient and secure external DNS infrastructure is a crucial component in preventing outages and downtime. But that’s only possible if it’s properly configured.

In a traditional single-server setup, your company has all its eggs in one basket. If that server or its provider fails, your domain stops resolving and your website vanishes from the internet. Imagine the damage to your company's reputation and its bottom line. Secondary DNS is your primary server's understudy. It receives a full copy of each zone from the primary through zone transfers (AXFR, or incremental IXFR) and is listed alongside the primary in your domain's NS records, so resolvers can query either one. Unlike a theatre understudy, it is on stage all the time, answering queries in normal operation, and if the primary becomes unreachable it keeps answering from its copy until the zone's expire timer runs out. Maybe you'll never need that safety margin. But it offers peace of mind in a pinch, ensuring access to your network in the aftermath of a cyberattack or service outage. 

Secondary DNS is important for security, but its key feature is resilience. Most customers expect reliability and uninterrupted service. For that reason, many enterprises have configured secondary DNS. However, a not-insignificant number of enterprises have only one DNS server, putting those companies at greater risk of a system failure.

Configuring a secondary DNS helps ensure your business stays online. A common architecture is to have a primary DNS on-premises with a secondary DNS at a separate provider in the cloud. If the primary goes down or becomes slow, resolvers can still get answers from the secondary. But a secondary DNS on its own is not enough. 

With a secondary DNS in place, you will need to keep your zone data consistent across multiple DNS servers. Remember, we're not just talking about ensuring your website is online anymore. You may have an e-commerce site, mobile apps, APIs and other services that your customers need to access. Some of those services may be hosted in the cloud or hybrid cloud environments. And some of those cloud environments might have different DNS providers, each with varying capabilities. 
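A secondary only adds resilience if it is actually listed in the delegation, actually answering, and actually carrying the same zone data as the primary. The following Python script is an added example, not code from the original article or from BlueCat; it runs the checks a practitioner would make after reading the paragraphs above against constructed stand-ins for the output of `dig <zone> NS` and `dig @<server> <zone> SOA` (no network is used). The zone name and nameserver hostnames are made up for illustration. It also shows the detail that trips up hand-rolled checks: SOA serials use RFC 1982 wrap-around arithmetic, so a plain greater-than comparison is wrong across the 32-bit boundary.

```python
"""Sanity checks for a primary/secondary DNS setup (added example, constructed inputs)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: True if SOA serial a is newer than b.

    Serials wrap modulo 2**32, so 0 is newer than 4294967295; a is newer
    than b when the modular distance from b to a is under 2**31.
    """
    half = 1 << 31
    if a == b:
        return False
    return (a < b and b - a > half) or (a > b and a - b < half)


@dataclass
class SoaAnswer:
    """What one authoritative server returned for the zone's SOA record."""
    serial: Optional[int]      # None: no answer (timeout, REFUSED, SERVFAIL)
    expire: int = 1209600      # SOA expire field: how long a secondary serves stale data


def in_bailiwick(ns: str, zone: str) -> bool:
    """True if the nameserver's own name lives inside the zone it serves."""
    return ns.lower().endswith("." + zone.lower())


def check_zone(zone: str, ns_set: List[str],
               answers: Dict[str, SoaAnswer]) -> List[Tuple[str, str, str]]:
    """Return (code, subject, detail) findings; an empty list means healthy."""
    findings: List[Tuple[str, str, str]] = []
    if len(ns_set) < 2:
        findings.append(("SINGLE_SERVER", zone,
                         "only one nameserver is delegated; there is no secondary at all"))
    # Heuristic: if every NS is named inside the zone, they are often the same
    # host or provider. RFC 2182 wants secondaries on independent networks.
    if ns_set and all(in_bailiwick(ns, zone) for ns in ns_set):
        findings.append(("SAME_ZONE", zone,
                         "all nameservers are named inside the zone; verify they are not one provider"))
    newest: Optional[int] = None
    for ns in ns_set:
        ans = answers.get(ns)
        if ans is not None and ans.serial is not None:
            if newest is None or serial_newer(ans.serial, newest):
                newest = ans.serial
    for ns in ns_set:
        ans = answers.get(ns)
        if ans is None or ans.serial is None:
            findings.append(("NO_ANSWER", ns,
                             "delegated but not answering; resolvers that pick it will time out"))
        elif newest is not None and serial_newer(newest, ans.serial):
            findings.append(("LAGGING", ns,
                             f"serial {ans.serial} is behind {newest}; zone transfers may be failing "
                             f"and its copy expires {ans.expire}s after the last good transfer"))
    return findings


# Constructed scenario: two in-house servers plus a cloud secondary whose
# transfers have silently stopped (its serial is two weeks old).
SAMPLE_ZONE = "example.com."
SAMPLE_NS = ["ns1.example.com.", "ns2.example.com.", "dns-secondary.example.net."]
SAMPLE_ANSWERS = {
    "ns1.example.com.": SoaAnswer(serial=2024061501),
    "ns2.example.com.": SoaAnswer(serial=2024061501),
    "dns-secondary.example.net.": SoaAnswer(serial=2024060101),
}

if __name__ == "__main__":
    for code, subject, detail in check_zone(SAMPLE_ZONE, SAMPLE_NS, SAMPLE_ANSWERS):
        print(f"{code:13} {subject:28} {detail}")
```

In production you would fill `answers` from real SOA queries to each server in the NS set (and to the NS set the parent publishes, which can differ from what your own zone says) and run the check on a schedule, since a secondary that stopped transferring keeps answering happily until the expire timer fires and then goes dark exactly when you need it.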

And that leads to the main source of insomnia for network and risk teams: Very few teams know where all their external DNS is hosted. 

The tangled mess of servers and externally hosted DNS has created a new complexity challenge. Fortunately, there’s a way to tackle it: Network observability. 

Companies need to understand what’s happening across their network. Without network observability, the foundation of enterprise networks will founder, hindering growth, productivity and efficiency.

Keeping Your DNS Configuration Secure 

Knowing where your external DNS is hosted is a start. Cyberattacks are a serious threat, but misconfiguration—changes or additions to your enterprise network—is the root cause of most outages. Improving network observability allows enterprises to assess risks and mitigate those risks to ensure network resilience.

Resilience and reliability may be top of mind, but security is always on the periphery. Proper DNS configuration requires that every enterprise consider a few action items to improve its security stance:

Enable Domain Name System Security Extensions (DNSSEC)

DNSSEC adds cryptographic digital signatures to DNS data so that resolvers can verify that a response is authentic and has not been altered in transit. A validating resolver checks those signatures, following a chain of trust from the root down through the DS records published at each parent zone, before it hands an answer to the client device. If the zone is signed but the signature is missing or does not verify, the resolver treats the answer as bogus and returns an error instead of a forged address. DNSSEC authenticates the DNS data, not the web server behind it; TLS still has to do that. What it does prevent is attackers using forged responses or cache poisoning to route users to a spoofed website, where they may submit personal or financial information.  

So why haven't many enterprises enabled DNSSEC? Deploying it is complicated, and misconfigurations cause outages: a DS record at the registrar that no longer matches the zone's DNSKEY, or signatures allowed to expire, make validating resolvers reject the entire zone. Some providers use automation to handle signing and key rollovers, because DNSSEC plugs a known security gap. 
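The most common DNSSEC outage is self-inflicted: the DNSKEY in the zone is rolled, but the DS record at the parent (submitted through the registrar) still describes the old key, so every validating resolver on the internet returns SERVFAIL for the whole zone. This Python script is an added example, not code from the original article or from BlueCat; it implements the RFC 4034 key-tag and DS-digest computations from scratch (standard library only) and uses them to check that a DS record really matches a DNSKEY, which is the check to run before and after every key rollover. The owner name and key bytes are constructed placeholders, not a real key.

```python
"""DS/DNSKEY consistency check (RFC 4034), added example with constructed key data."""
import hashlib
import struct
from typing import Tuple

DS = Tuple[int, int, int, str]   # (key tag, algorithm, digest type, hex digest)

_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (works for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), as uppercase hex."""
    try:
        digest = _DIGESTS[digest_type]
    except KeyError:
        raise ValueError(f"unsupported DS digest type {digest_type}") from None
    return digest(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """Build the DS record the parent zone should publish for this DNSKEY."""
    algorithm = rdata[3]
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds: DS, owner: str, rdata: bytes) -> bool:
    """True if the DS at the parent describes this DNSKEY; False means validators go bogus."""
    tag, algorithm, digest_type, digest = ds
    if tag != key_tag(rdata) or algorithm != rdata[3]:
        return False
    if digest_type not in _DIGESTS:
        return False
    return ds_digest(owner, rdata, digest_type) == digest.upper()


# Constructed placeholders: a KSK (flags 257) for algorithm 13 (ECDSAP256SHA256)
# with a dummy 64-byte public key; no real key material is involved.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = dnskey_rdata(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
# The same key after a rollover: one byte different, so the old DS is stale.
ROLLED_KSK = dnskey_rdata(flags=257, protocol=3, algorithm=13, public_key=bytes(range(1, 65)))

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KSK)
    print(f"{SAMPLE_OWNER} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    print("DS matches current key: ", ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_KSK))
    print("DS matches rolled key:  ", ds_matches_dnskey(ds, SAMPLE_OWNER, ROLLED_KSK))
```

To use this against a live zone, feed `make_ds` the DNSKEY RDATA you publish (the base64 field of the record, decoded) and compare the result to what `dig <zone> DS` returns from the parent; the right order during a rollover is to publish the new DNSKEY, wait for it to propagate, update the DS at the registrar, and only then retire the old key.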

Embrace Two-Factor/Multifactor Authentication 

Only use domain name registrars that offer two-factor authentication, period. And make sure it's turned on. If an attacker gets into your registrar account, they can transfer your domains away, point your NS delegation at servers they control or alter your records, hijacking the domain without ever touching your DNS servers. Turn on the registrar's transfer lock as well, so a stolen password alone is not enough to move the domain.

Ensure your external DNS providers also have multifactor authentication and that it’s turned on.

Making External DNS Infrastructure More Resilient and Secure

Networks are more complex than ever. That complexity has enabled enterprise-level digital transformation while creating further chaos for network administrators. To make the most of your network, centralize and automate DNS management to increase resilience and protect your network. Doing so will help your company leverage DNS data for increased visibility, control and compliance—taming the complexity and harnessing it in a way that empowers your business to meet escalating demands for today and tomorrow.

Andrew Wertkin

Andrew Wertkin leads BlueCat's overall strategy, especially on all things cloud. He’s opinionated, passionate, and he was previously our Chief Product & Technology Officer, which means he knows our solutions (and enterprise DNS) very well. He also hosts the Network Disrupted podcast, which helps technology leaders make sense of network disruption.

andrew-wertkin has 1 posts and counting.See all posts by andrew-wertkin