I've read that enterprise users sometimes use a DNS other than that provided by our ISP (for example, Google DNS)....
Are there any enterprise security advantages to employees using third-party DNSes? Will going outside the ISP put DNS security at risk?
DNS plays a critical role in Internet communications as it translates human-readable computer hostnames to destinations defined by IP addresses in order for them to be used by networking equipment, computers and software programs; SearchSecurity.com translates to 220.127.116.11, for example.
DNS is the world's largest distributed database supported by millions of domain name servers and administrators, each providing information about a small segment of the domain name space. DNS lookups can become significant bottlenecks in the browsing experience as today's webpages tend to reference resources from numerous different domains, all of which have to be translated.
As there is no guarantee that an organization's chosen Internet service provider (ISP) will have well-resourced DNS servers, there may be an argument for using a global third-party DNS provider -- such as Google Public DNS, OpenDNS or UltraDNS -- to improve browsing times as they are focused on optimizing DNS lookup times. Google Public DNS, for example, is a free, global DNS resolution service functioning as a recursive name server and providing domain name resolution for any host on the Internet. Google claims various efficiency and speed benefits -- such as using anycast routing to send user requests to the closest data center, overprovisioning servers to handle denial-of-service attacks, and load-balancing servers using two cache levels, with a small per-host cache containing the most popular names and another pool of servers partitioned by the name to be looked up. As of 2014, it is the largest public DNS service in the world, handling over 400 billion requests per day.
Faster Web browsing can obviously improve employee productivity, but there are privacy and security issues to consider before switching to a different DNS service. Certainly don't choose any provider that practices what's known as DNS hijacking while processing queries, as it means users will be redirected to an advertisement site operated by the provider when a nonexistent domain name is entered. More importantly, though, look for services that follow DNS security best practices and are resistant to denial-of-service attacks, DNS cache poisoning and other DNS-related attacks.
There are various DNS benchmarking tools -- DNS Benchmark and namebench are two free programs that enable DNS performance analysis -- that can help evaluate whether a particular DNS service improves browsing times for commonly accessed sites.
Another option is to run a caching DNS server in-house to do direct lookups for the sites most frequently accessed by employees -- such as google.com, facebook.com and twitter.com -- and only forward other requests onto your DNS provider.
The final decision, however, should be based on which technology can provide the most secure and reliable DNS service.
Ask the Expert:
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now. (All questions are anonymous.)
Learn more about DNS security and avoiding DNS threats
Dig Deeper on Data security strategies and governance
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading