A few months ago I told someone in the UK Government that a tertiary nameservice could solve a handful of problems — including the ones they were handling in relation to “how many domains? why? WHO? asset discovery!”
A Tertiary DNS Server is a second secondary server. That is, a server that gets all of its authoritative information from the primary server.
Every domain should have two or more nameservers setup. Ideally geographically diverse (mainly for performance), network diverse (different BGP networks if you can, for performance/resiliency) etc.
The nameservers hold the zonefile for the domain they are the nameservers for. www.medium.com (the www bit) is a record within the medium.com zonefile, which is how your computer knows www.medium.com is 184.108.40.206 / 220.127.116.11 — don’t worry, your computer knows what to do with all this!
www. is a bit of an obvious record. You could say vpn. is one as well, but it may not be named that or there could be 5 of them. The only way to know for sure is to have a copy of the zonefile.
% dig service.gov.uk ns +short
ns-831.awsdns-39.net.% dig gov.uk ns +short
A good tertiary nameservice is very low effort on a day-to-day basis, helps field lookups if needs-be and keeps a copy of the zone based on automatic synchronisation from the main/primary nameservice.
The UK Government operates a lot of domains. At least 3,127 top-level .gov.uk domains and an unknown amount of domains on other TLDs (.org, .uk etc).
It operates a delegated model for .service.gov.uk subdomains (and others) as well, so there is a SuperFun(TM) problem with delegation/ownership that WHOIS alone cannot solve either.
The Ministry of Justice has something like a 1,000 top level domains — don’t ask why, it just does OK?
There are lots of good ways to slice ‘asset inventory’ (laptops, servers, mobile phones… domain names). A cornerstone to good IT operations and cybersecurity is knowing what you have, or at least think you have.
While not everything is a DNS record, having an understanding of zone files allows you to ‘walk’ them as a basis for things to scan, domains no longer required or orphaned subdomains vulnerable to jacking.
DNS is one of those things which we take for granted — but oh boy will you miss it when its gone.
You may have noticed the .service.gov.uk domain above uses both AWS Route53 and Google Cloud DNS at the same time. It wasn’t always this way.
A DDoS attack against Dyn in 2016 took out a bunch of stuff, including a lot of people’s corporate email.
Your existing domain registrar provider can usually add a tertiary nameservice during a nameservice outage (but probably not if they are the same service provider). If they can, they might want to email you to confirm your identity etc — see the problem?
If you need to rapidly move nameservice, you need a copy of your zonefile so you can populate the new nameservice. Most people don’t keep an up to date copy (or any copy really) of their zonefiles.
Supply chain diversity
This sort of stems from resiliency, but supply chain security is a hot topic at the moment for some reason — https://www.zdnet.com/article/solarwinds-the-more-we-learn-the-worse-it-looks/
A tertiary nameservice should be hosted on a different BGP network, but at least logically and operationally diverse.
If you have one BGP network provider under attack, or perhaps the nameservice provider has even gone bust or been cut off for not paying their bills — a tertiary nameservice might be the best bit of tech that you setup and promptly forgot about.
So, a tertiary nameservice for UK government?
Sure, why not.
- This might help the UK Government actually figure out how many idle/active domains it has.
- This might help the UK Government with a whole bunch of really clever asset discovery and surface scanning — feeding the National Cyber Security Centre’s (NCSC) WebCheck service or figuring out what vulnerable Citrix or VPN services are internet-facing
- This might help figure out who is the ‘technical contact’ for domains, subdomains and so on — on what could be a per-zonefile basis, which is the most granular you can reasonably go
- This will provide resilient nameservices to the corporate email domains literally used to run the country.
- This will provide a known-good zonefile repository — including fun stuff like trend analysis over time if the tertiary nameservice operator is feelin’ fancy.
- Offer things in return, even if you think the service being free should be sufficient to make people want to use it (its not)
- Automatic introduction through the existing (and any new) .gov.uk registrars
- Making it easy to self-register and get going
- Asking nicely
- Set guidance/standards/policy as needed, including linking to how this will help mitigate risks and help organisations meet existing guidance/standards/policy
Free services that do not require £ at the point of consumption are still not ‘free’. They can cost a bit of time to setup. A tertiary nameservice is likely way down on a CISO’s or CTO’s to-do list, but reducing the implementation cost and providing asset discovery information in return can be really handy.
As a CISO, if you were to help me keep my corporate domains online and help me find rogue websites and VPN concentrators I did not know about… I might just shed a tear.
I definitely won’t point them out but there are many, many critical domains that use a single nameservice provider and don’t have any zonefile backups.
It takes time and effort to maintain the infrastructure as code to run AWS Route53 and Google Cloud DNS in tandem from a git zonefile source. A free solution do that problem with a lower implementation and operational burden? Well… now I’m just weeping with joy.