Just as it’s important for service providers and enterprises to maximize the performance and availability of their caching DNS servers, it’s important for brand owners and IT departments to ensure the robustness of their Authoritative DNS. Some of the issues are similar, but the security of the Authoritative data itself also has to be considered.
- Make sure your primary Authoritative server is not accessible by anything other than your secondary Authoritative servers. In particular, the primary should not be accessible via UDP/TCP port 53 from anywhere other than the secondaries. If a secondary is compromised, you can quickly take it down and rebuild it, because your authoritative DNS data is still secure.
- Implement query-rate limiting on network devices (load balancers, firewalls) in front of your secondary Authoritative servers.
- It might also be worth considering approaches for introducing a redundant master authoritative server. Active-standby configurations have limitations: only a single primary authoritative nameserver accepts zone changes and transmits them to the secondary servers across the network at any one time, which is a particular problem for voice and real-time applications. Existing approaches for handling failure of a master add complexity and often introduce synchronization problems as well as unacceptable and unpredictable delay, all of which can have a negative impact on application performance.
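The first two points above, as an added example that is not from the original post: two small shell functions emit nftables rulesets, one for a hidden primary that accepts UDP/TCP 53 only from its secondaries, and one that caps per-source query rate in front of a secondary. It assumes a Linux host firewall (nftables, reasonably recent `nft`) stands in for the network device, and the secondary addresses and the rate threshold are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Nominum's code). Constructed secondary addresses:
SECONDARIES="192.0.2.10 192.0.2.11 198.51.100.20"

# Ruleset for the primary: $1 is a space-separated list of secondary IPv4 addresses.
# Only those hosts may reach port 53 (queries, NOTIFY replies, AXFR/IXFR);
# any other DNS traffic to the primary is logged and dropped.
gen_primary_dns_rules() {
    set_elems=$(printf '%s' "$1" | sed 's/ /, /g')
    cat <<EOF
table inet dns_primary {
    set secondaries {
        type ipv4_addr
        elements = { ${set_elems} }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr @secondaries tcp dport 53 accept
        ip saddr @secondaries udp dport 53 accept
        tcp dport 53 log prefix "dns-primary-blocked " drop
        udp dport 53 log prefix "dns-primary-blocked " drop
    }
}
EOF
}

# Ruleset for a secondary: $1 is the per-source queries-per-second threshold.
# A dynamic set meters each source address; sources exceeding the rate are dropped.
# This blunts single-source floods but not traffic with spoofed source addresses.
gen_secondary_dns_rules() {
    cat <<EOF
table inet dns_secondary {
    set dns_limit {
        type ipv4_addr
        flags dynamic
        timeout 1m
    }
    chain input {
        type filter hook input priority 0; policy accept;
        udp dport 53 add @dns_limit { ip saddr limit rate over $1/second } drop
        tcp dport 53 ct state new add @dns_limit { ip saddr limit rate over $1/second } drop
    }
}
EOF
}

# Usage (review the output first): gen_primary_dns_rules "$SECONDARIES" | nft -f -
```

The rate threshold (for example `gen_secondary_dns_rules 200`) must be tuned against measured legitimate query volume, since a resolver with many users behind one address looks like a flood to a per-source cap.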
In some cases backing up or supplementing internally managed servers with hosted services may make sense (Nominum offers SKYE Authority). This provides additional live capacity to maintain DNS service for handling unusual loads or if you are attacked. Look for a globally distributed network that is actively monitored for any unusual traffic.