OWA guide to domain name resilience

Mark Hall - 16 April 2020
Domains can be extremely vulnerable if an organisation doesn’t have the correct measures in place

Internet domain names are generally taken for granted by many organisations and their resilience is often overlooked.

When something goes wrong with the management or hosting of an organisation’s domain name then the effects can be immediate and have a devastating effect.

In this blog post I am not going to discuss how the Domain Name System (DNS) works, as there are plenty of good resources online that explain it. What I am going to cover is some of the things that organisations can do to protect themselves and make the hosting and resilience of their domain names more robust.

At OWA, we manage domain names for many of our clients and also help organisations recover from situations when domain name issues arise. Our tips on making your domain name more resilient are based on real-world situations we have come across and how the risks can be mitigated.

1. Domain name ownership and renewals

Typically, domain names are registered by an organisation or their appointed design and development agency. Domain names can be registered through authorised resellers and the process is very quick and easy if the domain name is available. Behind the scenes the reseller will register the domain with a domain name registry.

A registry is the organisation responsible for one or more domain name extensions – for example in the UK most .uk domain names are managed by Nominet. Organisations normally need to go through a reseller in order to register a new domain name.

When a domain name is registered the contact details for the owner, administrator, technical and billing contacts will be provided. It is not uncommon, if a domain name is being registered by an agency as part of a wider digital project, that the domain name owner and contact details are given as the agency.

One of the most common issues we come across is when domain names expire and clients are not aware that the renewal was due. When the domain name was registered the contact details provided will be used to contact the client about the renewal. If these details have not been kept up to date or an organisation is no longer using the agency who originally registered it, then the renewal notice will not be received.

The first the organisation will know about the issue is when the domain name stops resolving. If the domain name is used to provide a broad range of IT services, including organisational emails, then this can have a dramatic and potentially serious impact.

If an organisation acts quickly then expired domains can normally be recovered within a few hours, but it may be necessary to pay an additional sum to recover the domain. Depending on the domain name extension it is possible that the expired domain will have been sold on and it can then get very expensive to negotiate getting it back.

This is the most common domain name resilience issue we come across and there isn’t a technical solution. It is vitally important that organisations treat domain name management as a critical part of their procedures.
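The fix here is procedural, but the two failure modes above (a renewal date nobody is tracking, and renewal notices going to an agency's contact address) are both visible in the registry's WHOIS record, so they can be checked on a schedule. The following is an added example and not OWA's code: it parses two WHOIS-style responses for the expiry date and the contact addresses, reports how many days remain, and lists any contact whose e-mail domain the organisation does not own. The two sample responses are constructed for the example, modelled loosely on the Nominet (.uk) and common gTLD whois layouts; the field names and date formats are assumptions and should be adapted to whatever the registry you query actually returns.

```python
"""Domain expiry and contact monitor over WHOIS-style text (added example, not OWA's code)."""
from __future__ import annotations

import re
from datetime import date, datetime

# Constructed WHOIS-style responses; layouts are assumptions, not real registry output.
WHOIS_UK = """\
    Domain name:
        myorganisation.org.uk

    Registrant:
        Some Agency Ltd

    Relevant dates:
        Registered on: 03-Apr-2015
        Expiry date:  03-Apr-2021
        Last updated:  10-Mar-2020
"""

WHOIS_GTLD = """\
Domain Name: EXAMPLE-BRAND.COM
Registry Expiry Date: 2020-05-01T00:00:00Z
Registrant Email: hostmaster@some-agency.example
Admin Email: hostmaster@some-agency.example
Tech Email: dns@example-brand.com
"""

# (regex, strptime format) pairs for the two assumed expiry-line layouts.
EXPIRY_PATTERNS = [
    (re.compile(r"Expiry date:\s*(\d{2}-[A-Za-z]{3}-\d{4})"), "%d-%b-%Y"),
    (re.compile(r"Registry Expiry Date:\s*(\d{4}-\d{2}-\d{2})"), "%Y-%m-%d"),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_expiry(whois_text: str) -> date:
    """Return the expiry date found in a WHOIS response, or raise ValueError."""
    for pattern, fmt in EXPIRY_PATTERNS:
        match = pattern.search(whois_text)
        if match:
            return datetime.strptime(match.group(1), fmt).date()
    raise ValueError("no expiry date found in WHOIS response")


def external_contacts(whois_text: str, org_domains: list[str]) -> list[str]:
    """Contact e-mail addresses whose domain is not one the organisation owns.

    Renewal notices go to these addresses; if they belong to a former agency
    the notice is never seen, which is the failure mode described above.
    """
    own = tuple(d.lower() for d in org_domains)
    suffixes = tuple("." + d for d in own)
    found = set()
    for email in EMAIL_RE.findall(whois_text):
        host = email.split("@", 1)[1].lower()
        if not (host in own or host.endswith(suffixes)):
            found.add(email)
    return sorted(found)


def renewal_report(whois_text: str, org_domains: list[str], today: date,
                   warn_days: int = 60) -> dict:
    """Classify a domain as 'expired', 'renew-soon' or 'ok' and list risky contacts."""
    expiry = parse_expiry(whois_text)
    days_left = (expiry - today).days
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "renew-soon"
    else:
        status = "ok"
    return {
        "expiry": expiry.isoformat(),
        "days_left": days_left,
        "status": status,
        "external_contacts": external_contacts(whois_text, org_domains),
    }


def example_reports() -> dict:
    """Run both constructed samples against a fixed reference date (the post's date)."""
    today = date(2020, 4, 16)
    return {
        "myorganisation.org.uk": renewal_report(WHOIS_UK, ["myorganisation.org.uk"], today),
        "example-brand.com": renewal_report(WHOIS_GTLD, ["example-brand.com"], today),
    }


if __name__ == "__main__":
    for domain, report in example_reports().items():
        print(domain, report)
```

In practice the two sample strings would be replaced by the output of a whois query run from a scheduled job, with the `status` field feeding whatever alerting the organisation already uses; the `warn_days` threshold should be longer than the registrar's own renewal notice window so that an unseen notice is still caught.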

2. Domain name hosting

The Domain Name System is designed to be resilient, but that does rely on the companies managing and hosting domains to conform to the various RFCs.

Domain names should be hosted on a number of independent domain name servers so if one server is unavailable, then the remaining servers can continue to respond.

We recommend that a domain name should be hosted on a minimum of two servers, but ideally three. At least one of the servers should be hosted on a completely separate network and infrastructure, with a different Autonomous System Number (ASN). This means that your domain name will continue to resolve even if one network goes down.

At OWA we operate three production DNS servers which are geographically distributed and located in independent UK-based data centres with completely separate connectivity.

3. Dependent domain names

Larger organisations tend to run and manage their own domain name servers. This can provide them with more flexibility and control when it comes to the day-to-day management and changes which they need to make.

If an organisation runs its own domain name servers then it will typically give them names such as:

ns0.myorganisation.org.uk
ns1.myorganisation.org.uk
ns2.myorganisation.org.uk

It will then use these servers to host and resolve all of the other domains that the organisation owns. For example, if the organisation has another domain name, say coolbrand.uk, it will list the three servers above as being authoritative and responsible for resolving DNS queries for the other domain.

This all works fine until something goes wrong with the domain name which is being used to host the domain name servers (myorganisation.org.uk). If this domain is unavailable then a dramatic domino effect occurs. All of the domain names which are hosted on these name servers will immediately stop working.

For organisations with many domain names this can have a serious impact on their online services.
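The checks in sections 2 and 3 can be run over an inventory of the domains an organisation owns. The following is an added example, not OWA's code: for each zone it applies the rules above (at least two name servers, ideally three; at least two distinct ASNs; no zone whose every name server lives under a single other domain) and, for the domino effect described in this section, computes which other zones stop resolving if a given domain fails. The inventory and the ASN lookup table are constructed sample data using the ASN documentation range (AS64496 onward); a real run would fill them from the NS records and the routing data for each server's address. Name servers whose hostname falls outside the inventory, such as a third-party DNS provider, are treated as independent.

```python
"""Name server resilience and dependency checker (added example, not OWA's code)."""
from __future__ import annotations

# Constructed inventory: zone -> its authoritative name servers. Not real infrastructure.
ZONES = {
    "myorganisation.org.uk": ["ns0.myorganisation.org.uk",
                              "ns1.myorganisation.org.uk",
                              "ns2.myorganisation.org.uk"],
    "coolbrand.uk": ["ns0.myorganisation.org.uk",
                     "ns1.myorganisation.org.uk",
                     "ns2.myorganisation.org.uk"],
    "anotherbrand.uk": ["ns0.myorganisation.org.uk", "ns1.dnsprovider.example"],
    "single.example": ["ns0.myorganisation.org.uk"],
}

# Constructed ASN per name server (documentation-range ASNs, not real networks).
NS_ASN = {
    "ns0.myorganisation.org.uk": 64496,
    "ns1.myorganisation.org.uk": 64496,
    "ns2.myorganisation.org.uk": 64496,
    "ns1.dnsprovider.example": 64497,
}


def hosting_zone(ns_name: str, zones=ZONES) -> str | None:
    """The inventory zone a name server's hostname falls under, or None if external."""
    candidates = [z for z in zones if ns_name == z or ns_name.endswith("." + z)]
    return max(candidates, key=len) if candidates else None


def check_zone(zone: str, zones=ZONES, ns_asn=NS_ASN) -> list[tuple[str, str]]:
    """Apply the resilience rules to one zone; returns (code, message) findings."""
    servers = zones[zone]
    findings = []

    # Rule: minimum of two name servers, ideally three.
    if len(servers) < 2:
        findings.append(("too-few-ns",
                         f"{zone}: only {len(servers)} name server; minimum is two, ideally three"))
    elif len(servers) == 2:
        findings.append(("only-two-ns", f"{zone}: two name servers; three recommended"))

    # Rule: at least one server on a separate network (distinct ASN).
    asns = {ns_asn.get(ns) for ns in servers}
    if len(asns) < 2:
        findings.append(("single-asn",
                         f"{zone}: all name servers are in AS{next(iter(asns))}; "
                         "at least one should be on a separate network"))

    # Rule: the zone must not depend entirely on one other domain for its name servers.
    parents = {hosting_zone(ns, zones) for ns in servers}
    if len(parents) == 1:
        (parent,) = parents
        if parent not in (None, zone):
            findings.append(("depends-on",
                             f"{zone}: every name server is under {parent}; "
                             f"if that domain fails, {zone} stops resolving"))
    return findings


def blast_radius(failed_zone: str, zones=ZONES) -> list[str]:
    """Zones that stop resolving when failed_zone does (the domino effect), itself excluded.

    Iterates to a fixpoint so that a zone hosted on servers under an already
    fallen zone is counted too.
    """
    down = {failed_zone}
    changed = True
    while changed:
        changed = False
        for zone, servers in zones.items():
            if zone in down:
                continue
            if all(hosting_zone(ns, zones) in down for ns in servers):
                down.add(zone)
                changed = True
    return sorted(down - {failed_zone})


if __name__ == "__main__":
    for zone in ZONES:
        for code, message in check_zone(zone):
            print(f"[{code}] {message}")
    print("if myorganisation.org.uk fails, also down:", blast_radius("myorganisation.org.uk"))
```

On the sample inventory, myorganisation.org.uk is self-hosted (its servers sit under its own name, which is the normal case and needs glue records at the registry), but every server is in one ASN; coolbrand.uk inherits that single-network problem and additionally depends entirely on myorganisation.org.uk, so it appears in that domain's blast radius, while anotherbrand.uk survives because one of its servers is with an outside provider.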

4. Protection from distributed denial of service (DDoS) attacks

If an organisation’s domain name servers are brought down then its online presence will be taken down with them. Hackers realised some time ago that a relatively easy way to damage an organisation is to launch a distributed denial of service (DDoS) attack against its DNS.

Attacks of this type are designed to overload the network and servers and effectively bring down all related services.

There are some relatively easy ways to mitigate the risk of such attacks.

Firstly, some perimeter firewall devices provide an option to proxy DNS requests. This effectively means that the firewall answers incoming DNS queries from the information it gets from the source DNS servers. This provides a certain amount of protection against DDoS attacks; however, the organisation’s network bandwidth can still be severely affected.

If an organisation feels it is really at risk from DDoS attacks then it makes more sense to offload the DNS to a specialist company who can provide the level of protection required and ensure that systems are not directly or indirectly affected.

Some of our clients use Cloudflare to protect their domain name system from attacks. Cloudflare operates a sophisticated resilient network spread across multiple data centres globally which gives it the ability to fend off large scale DDoS attacks and to ensure that DNS continues to operate and resolve queries.

OWA is able to provide resilient UK-based hosting services, security protection and application support for your online applications and apps. Please contact us to discuss any requirements you may have.