Most corporate DNS problems arise from misconfiguration. Roman Borovits, Senior Systems Engineer DACH at F5, describes the most common errors and simple protective measures for the DNS.
The Domain Name System (DNS) is one of the most important protocols on the Internet. It is often loosely referred to as the “phone book of the Internet”. In fact, DNS is a decentralized directory that translates individual host names such as “www.f5.com” into an IP address such as “18.66.122.15”.
Small mistake - big effect
This makes the effect clear: if there is a problem with the service, browsers can no longer find the website the user entered. This is so often the cause of major outages that the IT industry has a saying: “It's always DNS”. That is usually true, as with Akamai (July 2021) and Cloudflare (July 2020), but not always, as the recent Facebook outage at the beginning of October shows. For once, BGP (Border Gateway Protocol) was to blame.
Common errors in configuration
In practice, DNS servers are configured once and then forgotten as long as they run smoothly. The same applies to performance monitoring. Over time this can create significant problems, especially in combination with the following common mistakes:
- Running all DNS servers at the same location, so that a single power failure takes down DNS completely
- Running the entire DNS infrastructure on a single network (autonomous system / ASN), so that a network problem likewise takes down DNS
- Running the same software on all DNS servers, so that a single bug can spread to every server
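The three mistakes above are easy to check for mechanically once the name-server inventory is written down. The following audit script is an added example (not F5's code): it takes a list of authoritative servers with their site, ASN and software and reports any attribute on which every server agrees. The inventory is constructed sample data using documentation ASNs (RFC 5398) and the reserved .test domain; in practice it would be filled from the zone's NS records, ASN lookups and vendor documentation.

```python
"""Audit a set of authoritative name servers for single points of failure.

Added example, not F5's code. The two inventories below are constructed,
not real records."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class NameServer:
    name: str
    site: str      # physical location / data centre (assumed label)
    asn: int       # autonomous system announcing the server's address
    software: str  # DNS implementation, e.g. "BIND 9", "NSD", "Knot"


# Constructed inventory: one site, one ASN, one implementation.
FRAGILE = [
    NameServer("ns1.example.test", "fra-dc1", 64496, "BIND 9"),
    NameServer("ns2.example.test", "fra-dc1", 64496, "BIND 9"),
]

# Constructed inventory after adding a second provider on another network.
RESILIENT = [
    NameServer("ns1.example.test", "fra-dc1", 64496, "BIND 9"),
    NameServer("ns2.example.test", "fra-dc1", 64496, "BIND 9"),
    NameServer("ns1.provider-b.test", "ams-dc3", 64497, "NSD"),
    NameServer("ns2.provider-b.test", "lon-dc2", 64497, "NSD"),
]

# Attribute name -> label used in the finding text.
CHECKS = (("site", "location"), ("asn", "network/ASN"), ("software", "software"))


def audit(servers):
    """Return a list of findings; an empty list means no shared single point of failure."""
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two authoritative servers")
    for attr, label in CHECKS:
        values = Counter(getattr(s, attr) for s in servers)
        if len(values) == 1:
            only = next(iter(values))
            findings.append(f"all {len(servers)} servers share one {label}: {only}")
    return findings


if __name__ == "__main__":
    for label, inventory in (("fragile", FRAGILE), ("resilient", RESILIENT)):
        print(label, audit(inventory) or ["ok"])
```

The check is deliberately strict: a finding is raised only when every server shares the value, which is exactly the situation in which one outage removes all of them at once.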
Practical solutions for secure DNS
One of the best ways to avoid outages is to use several DNS providers, and it is relatively easy to do. The DNS protocol has built-in mechanisms for adding “secondary DNS services” via zone transfers: every change at the main provider generates a notification (NOTIFY) to the secondary provider, which in turn requests the changed zone data. Most DNS providers support these functions.
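To make the NOTIFY and zone-transfer flow concrete, here is an added model of it in Python (not F5's code and not any DNS server's implementation). The Primary and Secondary classes stand in for the two providers, the method calls stand in for NOTIFY, SOA query and AXFR messages, and the zone content is constructed. The one piece of real protocol logic is the serial comparison: a secondary only transfers when the primary's SOA serial is newer under RFC 1982 serial-number arithmetic, which is what lets it ignore stale or repeated notifications.

```python
"""Model of a secondary provider reacting to NOTIFY from the primary.

Added example, not F5's code. Objects and method calls stand in for DNS
messages; zone data is constructed."""
from dataclasses import dataclass, field

SERIAL_MOD = 1 << 32        # SOA serials are unsigned 32-bit values
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: is serial a newer than serial b?

    A plain '>' breaks at the 32-bit wraparound (4294967295 -> 0); this
    comparison treats the wrapped value as newer."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass
class Primary:
    zone: str
    serial: int
    records: dict = field(default_factory=dict)
    secondaries: list = field(default_factory=list)

    def update(self, name, value):
        """Every edit at the main provider bumps the SOA serial and sends NOTIFY."""
        self.records[name] = value
        self.serial = (self.serial + 1) % SERIAL_MOD
        return [s.on_notify(self) for s in self.secondaries]

    def soa_serial(self):
        # Stands in for the secondary's SOA query to the primary.
        return self.serial

    def axfr(self):
        # Full zone transfer: the whole zone plus the serial it belongs to.
        # A real server would restrict this with allow-transfer ACLs and TSIG.
        return self.serial, dict(self.records)


@dataclass
class Secondary:
    zone: str
    serial: int = 0
    records: dict = field(default_factory=dict)
    transfers: int = 0

    def on_notify(self, primary):
        """NOTIFY is only a hint: re-query the SOA and transfer if it is newer."""
        if primary.zone != self.zone:
            return "ignored"            # NOTIFY for a zone we do not serve
        if not serial_gt(primary.soa_serial(), self.serial):
            return "ignored"            # stale or repeated NOTIFY, nothing new
        self.serial, self.records = primary.axfr()
        self.transfers += 1
        return "transferred"


def run_demo():
    """One change at the primary, then a repeated NOTIFY that must be ignored."""
    primary = Primary("example.test", 2021100101, {"www": "192.0.2.1"})  # constructed
    secondary = Secondary("example.test")
    primary.secondaries.append(secondary)
    first = primary.update("www", "192.0.2.10")
    repeat = secondary.on_notify(primary)
    return {"first": first, "repeat": repeat,
            "serial": secondary.serial, "records": secondary.records,
            "transfers": secondary.transfers}


if __name__ == "__main__":
    print(run_demo())
```

The serial check is the part worth carrying into real deployments: a secondary that trusted NOTIFY blindly, or compared serials with a plain greater-than, would either transfer needlessly or get stuck forever once the serial wraps.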
In addition to greater reliability, using an additional DNS provider can bring many other advantages, including:
- Software variety. Provider B will probably run different DNS software than provider A. If A fails, it (hopefully) does not affect B, and vice versa.
- Network redundancy. Providers answer DNS requests over their own networks, so even when DNS itself is working, a network failure can take the service down. A second DNS provider on a different network / ASN reduces this risk.
- Latency. Low latency is critical for fast DNS responses, but some networks have better latency in certain regions than others. Bringing in another DNS provider can help ensure good latency worldwide.
So companies should act now rather than wait, because the next DNS-related outage is bound to come.
More at f5.com
About F5 Networks
F5 (NASDAQ: FFIV) gives the world's largest companies, service providers, government agencies and consumer brands the freedom to deliver any app securely, anywhere, with confidence. F5 offers cloud and security solutions that enable companies to use the infrastructure they choose without compromising speed and control. Please visit f5.com for more information. You can also visit us on LinkedIn and Facebook for more information about F5, its partners and technologies.