Could a tertiary name service save your uptime?

DNS is a building block

% dig service.gov.uk ns +short
ns-117.awsdns-14.com.
ns-cloud-e4.googledomains.com.
ns-1080.awsdns-07.org.
ns-cloud-e3.googledomains.com.
ns-cloud-e2.googledomains.com.
ns-cloud-e1.googledomains.com.
ns-1983.awsdns-55.co.uk.
ns-831.awsdns-39.net.

% dig gov.uk ns +short
auth50.ns.de.uu.net.
ns1.surfnet.nl.
auth00.ns.de.uu.net.
ns2.ja.net.
ns4.ja.net.
ns3.ja.net.
ns0.ja.net.

Domain sprawl

The UK Government operates a lot of domains: at least 3,127 top-level .gov.uk domains and an unknown number of domains on other TLDs (.org, .uk etc.).

Asset Inventory

There are lots of good ways to slice ‘asset inventory’ (laptops, servers, mobile phones… domain names). A cornerstone to good IT operations and cybersecurity is knowing what you have, or at least think you have.

Resiliency

DNS is one of those things which we take for granted — but oh boy will you miss it when it's gone.

Supply chain diversity

This sort of stems from resiliency, but supply chain security is a hot topic at the moment for some reason — https://www.zdnet.com/article/solarwinds-the-more-we-learn-the-worse-it-looks/

So, a tertiary nameservice for UK government?

Sure, why not.

Why?

  1. This might help the UK Government actually figure out how many idle/active domains it has.
  2. This might help the UK Government with a whole bunch of really clever asset discovery and surface scanning — feeding the National Cyber Security Centre’s (NCSC) WebCheck service or figuring out what vulnerable Citrix or VPN services are internet-facing
  3. This might help figure out who is the ‘technical contact’ for domains, subdomains and so on — on what could be a per-zonefile basis, which is the most granular you can reasonably go
  4. This will provide resilient nameservices to the corporate email domains literally used to run the country.
  5. This will provide a known-good zonefile repository — including fun stuff like trend analysis over time if the tertiary nameservice operator is feelin’ fancy.
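Point 5 is where a tertiary nameservice earns its keep for detection: once you hold a known-good copy of every zone, any change that did not come through the owner is visible as a diff. The script below is an added example, not code from the post or from any government service. It parses two zonefiles in the usual one-record-per-line presentation format (owner, optional TTL, IN, type, rdata) and reports records that were added, removed or changed, ignoring the SOA serial that legitimately ticks on every publish. Both zonefiles are constructed samples for a placeholder zone, example.gov.uk, and the record values in them are made up.

```python
"""Diff a known-good zonefile snapshot against a fresh copy to spot unexpected changes.

Added example, not the post's own code. The zone name and all records below are
constructed placeholders; the parser assumes one record per line with an explicit
'IN' class token, which is how most tools export zones.
"""

KNOWN_GOOD = """\
$ORIGIN example.gov.uk.
$TTL 3600
@        3600 IN SOA   ns1.example.gov.uk. hostmaster.example.gov.uk. 2021031501 7200 900 1209600 300
@        3600 IN NS    ns1.example.gov.uk.
@        3600 IN NS    ns2.example.gov.uk.
@        3600 IN MX    10 mail.example.gov.uk.
@        3600 IN TXT   "v=spf1 mx -all"
www      300  IN A     198.51.100.10   ; documentation-range address, constructed
mail     3600 IN A     198.51.100.25
"""

# Constructed "current" copy: the serial moved on (expected), the www address
# changed and a CNAME appeared that the owner never published (both unexpected).
CURRENT = """\
$ORIGIN example.gov.uk.
$TTL 3600
@        3600 IN SOA   ns1.example.gov.uk. hostmaster.example.gov.uk. 2021031502 7200 900 1209600 300
@        3600 IN NS    ns1.example.gov.uk.
@        3600 IN NS    ns2.example.gov.uk.
@        3600 IN MX    10 mail.example.gov.uk.
@        3600 IN TXT   "v=spf1 mx -all"
www      300  IN A     203.0.113.77
mail     3600 IN A     198.51.100.25
login    300  IN CNAME unexpected-cname.example.
"""


def parse_zone(text):
    """Return {(owner_fqdn, rtype): set(rdata)}; $-directives, comments, TTL and class are dropped."""
    origin = "."
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and similar directives carry no record
            continue
        fields = line.split()
        if "IN" not in fields:
            raise ValueError(f"unsupported record line (no IN class): {line!r}")
        idx = fields.index("IN")  # TTL before the class is optional, so locate the class token
        rtype, rdata = fields[idx + 1], " ".join(fields[idx + 2:])
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.setdefault((owner, rtype), set()).add(rdata)
    return records


def diff_zones(known_good, current, ignore_types=("SOA",)):
    """List every (owner, type) whose rdata set differs; SOA is ignored because its serial always changes."""
    old, new = parse_zone(known_good), parse_zone(current)
    changes = []
    for key in sorted(set(old) | set(new)):
        if key[1] in ignore_types:
            continue
        before, after = old.get(key, set()), new.get(key, set())
        if before != after:
            changes.append({"owner": key[0], "type": key[1],
                            "removed": sorted(before - after), "added": sorted(after - before)})
    return changes


if __name__ == "__main__":
    for change in diff_zones(KNOWN_GOOD, CURRENT):
        print(f"{change['owner']} {change['type']}: -{change['removed']} +{change['added']}")
```

Run against a zone the operator has on file and a copy pulled on a schedule, a non-empty result is the alert; adding a timestamped copy of each snapshot to the repository is what turns the same parser into the trend analysis the post mentions.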

How?

  1. Offer things in return, even if you think the service being free should be sufficient to make people want to use it (it's not)
  2. Automatic introduction through the existing (and any new) .gov.uk registrars
  3. Making it easy to self-register and get going
  4. Asking nicely
  5. Set guidance/standards/policy as needed, including linking to how this will help mitigate risks and help organisations meet existing guidance/standards/policy

Cost avoidance

I definitely won’t point them out but there are many, many critical domains that use a single nameservice provider and don’t have any zonefile backups.
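The two dig listings at the top of the post and the single-provider warning just above are the same check looked at from both ends: count how many independent operators sit behind a domain's NS set. The script below is an added example, not code from the post, and it works on saved `dig <domain> ns +short` output so it runs offline. The first two NS lists are copied from the dig output shown in the post; `single.example` is a constructed placeholder that trips the check. The grouping of nameservers into providers is a heuristic I made up for the example (Route 53 hosts match `awsdns-NN`, Google Cloud DNS hosts sit under googledomains.com, anything else is keyed by its last two labels), not an authoritative registry of who operates what.

```python
"""Nameserver provider-diversity check over `dig <domain> ns +short` output.

Added example, not the post's own code. Provider attribution below is a
hand-written heuristic (an assumption), not an authoritative operator list.
"""
from collections import defaultdict

# Sample inputs: the first two are the NS lists shown in the post; the third is
# a constructed placeholder whose nameservers all belong to one operator.
DIG_OUTPUT = {
    "service.gov.uk": """\
ns-117.awsdns-14.com.
ns-cloud-e4.googledomains.com.
ns-1080.awsdns-07.org.
ns-cloud-e3.googledomains.com.
ns-cloud-e2.googledomains.com.
ns-cloud-e1.googledomains.com.
ns-1983.awsdns-55.co.uk.
ns-831.awsdns-39.net.
""",
    "gov.uk": """\
auth50.ns.de.uu.net.
ns1.surfnet.nl.
auth00.ns.de.uu.net.
ns2.ja.net.
ns4.ja.net.
ns3.ja.net.
ns0.ja.net.
""",
    "single.example": """\
ns-1.awsdns-01.com.
ns-2.awsdns-02.net.
""",
}


def parse_ns(dig_short_output):
    """Nameserver hostnames from `dig ... ns +short` output: lower-cased, trailing dot removed,
    shell prompt and ';' comment lines skipped, duplicates collapsed."""
    hosts = set()
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "%")):
            continue
        hosts.add(line.rstrip(".").lower())
    return sorted(hosts)


def provider_of(nameserver):
    """Heuristic operator key for a nameserver hostname (assumption, see module docstring)."""
    labels = nameserver.split(".")
    if any(label.startswith("awsdns-") for label in labels):
        return "awsdns"
    if nameserver.endswith("googledomains.com"):
        return "googledomains"
    return ".".join(labels[-2:])


def assess(domain, dig_short_output, min_providers=2):
    """Group a domain's nameservers by provider and flag sets served by fewer than min_providers operators."""
    by_provider = defaultdict(list)
    for host in parse_ns(dig_short_output):
        by_provider[provider_of(host)].append(host)
    return {
        "domain": domain,
        "nameservers": sum(len(h) for h in by_provider.values()),
        "providers": dict(by_provider),
        "single_provider": len(by_provider) < min_providers,
    }


def report(samples=DIG_OUTPUT):
    """Assess every sample; returns {domain: assessment}."""
    return {domain: assess(domain, output) for domain, output in samples.items()}


if __name__ == "__main__":
    for domain, result in report().items():
        status = "RISK: single provider" if result["single_provider"] else "ok"
        print(f"{domain}: {result['nameservers']} NS across {len(result['providers'])} provider(s) [{status}]")
        for provider, hosts in sorted(result["providers"].items()):
            print(f"  {provider}: {', '.join(hosts)}")
```

Fed with `dig` output collected from a domain list, the `single_provider` flag is the cheap first cut of the cost-avoidance argument: domains it raises are the ones where a tertiary nameservice would add a second operator rather than just a ninth server.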

Joel Samuel

The thin blue line between technology and everything else. joelgsamuel.com