MoinQ:

https://news.ycombinator.com/item?id=11353864 DNS is hard. Very hard.

https://news.ycombinator.com/item?id=36909427 Why is DNS still hard to learn? (jvns.ca)

I don't agree with this article.

I think DNS is something few people take the time to learn, but it's not actually hard to learn. 

One of the great things about DNS is that the system itself will tell you about it's internal state in response to queries.

It's very easy to inspect a DNS server for a known zone and understand how it works, and there's very good tooling that's free and widely available to do this (like dig).

It's always been a big surprise to me that my DNS expertise is what seems to be most memorable for a lot of folks I've worked with through my career, when I don't believe I know anything mystical or special.

DNS is extremely well standardized, the most common server and client implementations rigorously follow the standard, and it's very easy to inspect with free tooling. It just takes some effort and time to learn, but it's not really hard. }}} わかったつもりのひとのようだ。

1. hard to manage

https://authenticweb.com/domains-dns-and-tls-certificates/why-is-dns-so-hard-to-manage/ Why Is DNS So Hard to Manage?

Managing a Fragmented DNS Ecosystem
Operating Without a Unified View of the DNS
Letting Change Create Chaos

2. Security

What Is DNS Security, and Why Is It Important?

https://authenticweb.com/domains-dns-and-tls-certificates/what-is-dns-security-and-why-is-it-important/

What is external DNS security?

If the external DNS itself is the internet’s directory, then think of security as the gatekeeper, identifying and protecting visitors while keeping your premises safe.

Essentially, it’s a way for your business to screen and validate visitors. It also assures your visitors that your website or online application is authentic.

External DNS cybersecurity protects both the company and its customers from a wide range of threats known to prey upon the DNS as it directs traffic.

Understanding DNS Security

There are two important aspects of ensuring DNS security: technical settings and management systems.

DNS security settings protect domains and users, ensuring privacy and route authentication. Most organizations employ SSL certificates on their domains to ensure visitors are protected from eavesdropping during their online sessions.

Route authentication is a trickier matter.

When users attempt to connect to a website — a domain — without route authentication, it’s easy for your visitors to be sent to a falsified destination outside your control.

Validating domains before routing to them prevents the kind of man-in-the-middle cyberattacks in which hackers “hijack” and impersonate authentic websites. Domain or DNS hijacking is on the rise with dire consequences for organizations and their users.

Our Apex-level DNS audit can test your DNSSEC deployment.

The other aspect of DNS network security is domain lifecycle management: the systems and processes that manage all the various entry points companies create into their network. A typical organization has hundreds — or even thousands — of domains and can have tens of thousands of DNS records, SSL certificates, and DNS security settings. A single error or omission on any one of these puts your network and customers at risk.

A common example is the case of the “orphaned domain.” Some online content, perhaps a marketing promotion, expires and the website is turned down, yet the DNS settings remain. Bad actors search out these unattended domain settings for appropriation and misuse.

Effective domain lifecycle management is just as important as security settings. Why DNS Security Is an Important Issue

DNS security is important, especially as organizations extend their public internet presence to engage with audiences. Because consumer engagement is growing across an ever-expanding digital landscape, any breach in the internet chain of trust is unacceptable.

Consider organizations in healthcare or finance. If DNS security flaws compromise customers’ abilities to safely access their online bank accounts or confidential medical records, it could have catastrophic consequences.

DNS security problems are more common than many will admit. In a recent incident, hackers appropriated thousands of orphaned domains belonging to hundreds of major brands including Mastercard, ING Bank, MIT, and Hilton International. Hackers manipulated DNS controls to launch spam email and fraud campaigns under the hijacked brand identities.

DNS security is vital because a single incident can have long-term and wide-ranging consequences. Failing to control DNS settings leaves companies vulnerable to fraud, theft, customer, and enterprise brand harm.

Read our complete guide to defending the DNS Learn more Making DNS Security an Ongoing Priority

While it’s crucial for all organizations to apply security and change management compliance controls to keep customers safe, very few do it effectively. To be fair, external DNS is incredibly hard to manage, especially without expert help. Even so, DNS security should be an ongoing organization-wide priority.

Most organizations are failing to adequately protect their external DNS. They use email, disconnected ticketing systems, Excel, and internal forms to manage dozens of DNS services, domain registrars, and SSL certificate providers. Best practice security standards like DNSSEC, DMARC (Domain-Based Message Authentication Reporting and Conformance), and SPF (Sender Policy Framework) are overlooked or improperly deployed.

It’s increasingly difficult to tell whether a website or email is real or fake. Effective DNS management keeps customers safe: It ensures that an inherently vulnerable system is secure, authenticated, and trustworthy.

The best way to address DNS security is to start with visibility. A DNS security audit will identify missing security settings and management control gaps that expose your brand and customers to risk.

Contact us at info@authenticweb.com for an audit that assesses your DNS security fitness.


CategoryDns CategoryWatch CategoryTemplate

MoinQ: DNS/hard (last edited 2024-10-07 09:00:39 by ToshinoriMaeno)