I've written in previous blogs about the value of using DNS as a security control point and how using a DNS based security solution like Akamai's Enterprise Threat Protector can help accelerate your transition to a Zero Trust security approach.
In this blog, I'm going to cover how (in addition to the security benefits that Enterprise Threat Protector will deliver) there is another set of benefits to be gained simply by moving your recursive DNS to a single provider with a globally distributed DNS platform. This will be of particular interest to enterprises that have a global footprint and that may not have a cohesive recursive DNS infrastructure.
DNS is absolutely vital for the internet to work effectively and for all of the services we use. However, the only time we take any notice of recursive DNS is when it does not operate as expected, like when it slows or it does not work at all. Of course, these issues manifest as slow web browsing or no internet access. If you are not a networking expert, it's likely you will not realize your recursive DNS service is the root cause.
Now, it's pretty annoying when your recursive DNS service at home is slow or just stops working completely. Most of us will simply accept sluggish browsing or wait until normal service resumes. But, consider the impact on an enterprise if its recursive DNS service becomes slow or stops operating completely.
The vast majority of enterprises will likely use whatever recursive DNS service happens to be most convenient. Examples include ISP provided, Google DNS and so on. So perhaps by accident rather design, a global enterprise may have ended up with a heterogeneous recursive DNS deployment as shown below.
Having a heterogeneous DNS deployment presents a number of challenges. These include:
- The recursive DNS is controlled by different ISPs and other vendors, and it's very likely that none of the services will have an SLA for availability.
- Because there's no consistency, it's impossible to apply any security or control to the DNS traffic.
- Roaming and home workers need to be connected to a VPN for any policy enforcement.
Now compare and contrast this with the picture when an enterprise deploys Akamai's Enterprise Threat Protector service
Having a homogeneous recursive DNS deployment delivers the following benefits for a global enterprise:
- A single global recursive DNS service with a 100% availability SLA.
- Recursive DNS can now be used as the control point to apply centralized security policies that can be updated in minutes.
- Policies for roaming and home workers can be enforced with no need for a VPN
All of these benefits can be delivered quickly and easily with no major changes to your existing DNS forwarder infrastructure - all that is required is to configure whichever service or services you currently use to forward DNS requests to Akamai's Enterprise Threat Protector service. This can typically be done in less than 30 minutes.
Delivering Recursive DNS with a 100% Availability SLA
So how does Akamai ensure it delivers that 100% availability SLA for the recursive DNS component of Enterprise Threat Protector? The key to this is the Akamai Intelligent Edge platform, which is the world's largest cloud security platform. That scale and global footprint has allowed Akamai to quickly deploy DNS resolvers - we currently have over 90 DNS points of presence (POPs) in production and that number will increase throughout the remainder of 2019. In terms of scale that is over 3x the DNS resolver footprint than our closest security competitor.
To further increase reliability, each POP has built in resilience designed to ensure that, in the event of a hardware or software failure in a server, the DNS service in that POP will still be available. In addition, by employing Anycast routing, even in the event that a DNS POP goes out of service, then DNS requests are automatically routed to the closest DNS POP.
For example, we recently added a new DNS POP in Australia, bringing the total to four, with a further two POPs in New Zealand. That compares with the two that our closest security competitor has deployed in Australia. In India, we now have six DNS POPS, compared to the one that our closest security competitor has.
To find out more about how Enterprise Threat Protector could quickly help you increase your company's security posture and simplify your recursive DNS deployment, then visit akamai.com/etp.