Sometimes it takes a major, sudden shock to make people see the obvious. The recent Facebook outage, on its own, was a pretty big deal. When one of the largest companies, with thousands of the best engineers, could take itself offline for 8 hours, what is the hope for the average company? The details of how it happened are arcane, but it boils down to "It's always the DNS".

Why is DNS Always Involved?

The Domain Name System (DNS) is like a phonebook for the internet. Each device connected to the internet has its own unique IP address. Since websites are hosted on these distributed devices (web servers), they are located at a specific IP address. DNS translates the domain names used by humans (like threatstop.com) to the machine-friendly IP addresses that services are hosted on. This technology lies at the core of the internet, so when DNS stops resolving for some reason, things go downhill. Fast.

Why Outages Will Keep Happening

The recent Facebook outage wasn't an isolated incident: it wasn't the first time DNS caused a massive outage for the products and services we use daily, and it won't be the last. Just a few months ago, a big chunk of the internet went offline due to a DNS issue at Akamai. Popular services that rely on Akamai's Edge DNS service included UPS and FedEx, Airbnb, Steam, LastPass, and the PlayStation Network, all of which went down in an instant. And that's not all: Cloudflare suffered a DNS outage during the summer as well, breaking access to Shopify, Discord and Politico.

DNS is a Frequent Target for Attackers 

Aside from the common name server configuration and server issues, some DNS-based fallouts happen as a result of targeted cyber attacks. Dyn, a large DNS provider, fell victim to a DDoS (Distributed Denial-of-Service) attack that took down its DNS services for 12 hours. The result: Amazon, Twitter, Netflix, and another 60+ sites fell across the U.S. and Europe. The underlying infrastructure of the Internet, like the plumbing and piping under a city, is brittle and subject to catastrophic failure through abuse, mistakes, and being overwhelmed by the billions of devices and users that depend on it.

The Solution? Host Your Own DNS!

Losing Netflix for a few hours when you want to binge a new show is annoying, but having services that your company needs go down could be company-ending. So if there's always an outage right around the corner, what can you do to keep yourself connected when services are falling off the internet?

Facebook and other gigantic internet services are monopolies, but you can take control into your own hands with an in-house DNS. This way, you get greater availability, visibility and control of the traffic coming in and out of your network.

1. Availability

When hosting your own DNS, you still have the external ones to fall back on, so having both is a foolproof solution that won't leave you DNS-less. If an upstream ISP pushes the wrong button and takes down their own DNS servers, no sweat: your own DNS resolver springs into action seamlessly. There's no action required of you, and no downtime for your employees or apps. In fact, local DNS can offer performance advantages by caching responses.

2. Visibility

The ability to find individual infected hosts and remediate them is critical. Most managed DNS solutions remove your ability to identify the private IP or hostname of a device making harmful DNS requests, and that makes pinpointing machines for remediation really tricky. To keep the network clean, you MUST be looking at enriched logs through a reporting mechanism.

3. Control

Define the things your business considers "bad stuff", and stop those things faster. Do you have customers in China? Would you like to block all DNS requests going there? Security policy and traffic enforcement can, and should, look strikingly different from one company to the next.
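As an added illustration of the visibility and control points above (example code, not part of the original post or of ThreatSTOP's product): a small triage script that reads resolver query-log lines, which an in-house resolver can record with the private client IP, and flags the internal hosts whose queries hit a site-specific policy. The log format, the sample entries and the policy values are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like a resolver query log
# (client IP, queried name, record type, class). Not real data.
QUERY_LOG = """\
10.10.4.17 www.threatstop.com. A IN
10.10.4.17 cdn.example.net. AAAA IN
10.10.7.42 update.bad-example.test. A IN
10.10.7.42 c2.bad-example.test. TXT IN
10.10.9.8 shop.example.cn. A IN
10.10.4.17 www.threatstop.com. A IN
"""

LINE_RE = re.compile(
    r"^(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)\s+(?P<qtype>\w+)\s+IN$"
)

# Site-specific policy (assumed values): blocked domains match any
# subdomain; blocked TLDs implement the "block requests to China" idea.
POLICY = {
    "blocked_domains": {"bad-example.test"},
    "blocked_tlds": {"cn"},
}

def normalize(qname):
    # Strip the trailing root dot and fold case before matching.
    return qname.rstrip(".").lower()

def policy_reason(qname, policy):
    """Return why a name is blocked, or None if policy allows it."""
    labels = normalize(qname).split(".")
    if labels[-1] in policy["blocked_tlds"]:
        return f"tld:{labels[-1]}"
    # Walk from the full name up to the registrable domain.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy["blocked_domains"]:
            return f"domain:{candidate}"
    return None

def triage(log_text, policy=POLICY):
    """Map each private client IP to its policy-violating queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not query records
        reason = policy_reason(m["qname"], policy)
        if reason:
            hits[m["client"]].append((normalize(m["qname"]), reason))
    return dict(hits)
```

Because the client IP survives in the local log, the output names the exact hosts to remediate rather than only the domains that were queried.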


Summary

Your business relies on keeping your network up and running, and secure. Hosting your own DNS achieves both goals. And it's easier to do than you might think. Add in the fact that it's a zero-risk move, and adding an in-house DNS is an easy objective to achieve, so why delay?

At ThreatSTOP, we live and breathe DNS. ThreatSTOP's DNS Defense is a unique, highly adaptive Protective DNS service that stops threats early, before they cause damage. Powered by continuous updates from 900+ Threat Intelligence sources, the platform knows and tracks the infrastructure used by cyber criminals to conduct attacks, and keeps network devices updated to block or redirect malicious and unwanted DNS requests.


Want to learn more? Interested in how ThreatSTOP can stop attacks on your network?