DNS Domain Ownership enforcement:
Problem statement:
Domain Name System (DNS) records are registered with an authority in a network so that hosts can be reached by name. The records map names to IP addresses that can be resolved within the network, and a hierarchy of domain name servers directs external traffic to network hosts. This lets users reach websites and organizational resources from the internet or the intranet respectively. When these records are created they are new instances and do not affect existing records; left untouched, they resolve to specific reachable hosts and do not interfere with the security or use of existing hosts. However, an unintended or hostile update to a record can take down the reachability of critical business resources. This article explores the need for DNS security and the ways to perform updates securely: whether to rely on features specific to a DNS server, or to streamline and harden the process surrounding the use of DNS servers and the associated network.
Solution:
The API-based approach chains an ownership resource to each DNS record so that every change can be authenticated, authorized and audited. The building blocks include:
2) the integration between the ticketing framework and the message queues
In this case, each record on the DNS server has an owner associated with the workflow that generated the record. All actions taken on the records are logged against this owner resource. The API is as follows:
Create resourceowner:                        POST   /rest/api/2/resourceowner
Get resourceowner:                           GET    /rest/api/2/resourceowner/{resourceownerIdOrKey}
Delete resourceowner:                        DELETE /rest/api/2/resourceowner/{resourceownerIdOrKey}
Edit resourceowner:                          PUT    /rest/api/2/resourceowner/{resourceownerIdOrKey}
Assign:                                      PUT    /rest/api/2/resourceowner/{resourceownerIdOrKey}/record
Get records:                                 GET    /rest/api/2/resourceowner/{resourceownerIdOrKey}/record
Add record:                                  POST   /rest/api/2/resourceowner/{resourceownerIdOrKey}/record
Update record:                               PUT    /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id}
Delete record:                               DELETE /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id}
Notify:                                      POST   /rest/api/2/resourceowner/{resourceownerIdOrKey}/notify
Create or update remote resourceowner link:  POST   /rest/api/2/resourceowner/{resourceownerIdOrKey}/remotelink
Get resourceowner watchers:                  GET    /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers
Add watcher:                                 POST   /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers
Remove watcher:                              DELETE /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers
Get create resourceowner meta:               GET    /rest/api/2/resourceowner/createmeta
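The following is an added example, not code from the article or from any product it describes: a minimal in-memory model of the resourceowner API above, showing the three properties the article asks for. Every record hangs off an owner resource, only the owner's principal is authorized to add, update or delete records, and every action (including refused ones) is logged against the owner and can be pushed to watchers through notify. The owner key WEB-1, the ticket id CHG-0001, the actor names and the record values are constructed for illustration; the class and method names are this example's own and do not correspond to any real server implementation.

```python
# Added example (not the article's own code): in-memory stand-in for the
# /rest/api/2/resourceowner service. Owner keys, ticket ids, actors and
# record values below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import itertools


class AuthorizationError(Exception):
    """Raised when an actor tries to change records it does not own."""


@dataclass
class DnsRecord:
    id: int
    name: str
    rtype: str
    value: str


@dataclass
class ResourceOwner:
    key: str
    principal: str   # the identity allowed to change this owner's records
    ticket: str      # workflow/ticket that generated the owner (constructed)
    records: dict = field(default_factory=dict)
    watchers: set = field(default_factory=set)


class ResourceOwnerStore:
    def __init__(self):
        self._owners = {}
        self._ids = itertools.count(1)
        self.audit = []          # every action, allowed or denied, is logged here
        self.notifications = []  # (watcher, message) pairs produced by notify()

    def _log(self, actor, owner_key, action, record_id=None, allowed=True):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "owner": owner_key, "action": action,
            "record": record_id, "allowed": allowed,
        })

    def _authorize(self, actor, owner, action, record_id=None):
        # Authorization is tied to the owner resource, never to the record alone.
        if actor != owner.principal:
            self._log(actor, owner.key, action, record_id, allowed=False)
            raise AuthorizationError(f"{actor} is not the owner of {owner.key}")
        self._log(actor, owner.key, action, record_id)

    def create_owner(self, actor, key, ticket):       # POST /resourceowner
        if key in self._owners:
            raise ValueError(f"owner {key} already exists")
        self._owners[key] = ResourceOwner(key=key, principal=actor, ticket=ticket)
        self._log(actor, key, "create_owner")
        return self._owners[key]

    def get_records(self, key):                       # GET .../{key}/record
        return list(self._owners[key].records.values())

    def add_record(self, actor, key, name, rtype, value):   # POST .../record
        owner = self._owners[key]
        rec_id = next(self._ids)
        self._authorize(actor, owner, "add_record", rec_id)
        owner.records[rec_id] = DnsRecord(rec_id, name, rtype, value)
        return rec_id

    def update_record(self, actor, key, rec_id, value):     # PUT .../record/{id}
        owner = self._owners[key]
        if rec_id not in owner.records:
            raise KeyError(rec_id)
        self._authorize(actor, owner, "update_record", rec_id)
        owner.records[rec_id].value = value

    def delete_record(self, actor, key, rec_id):            # DELETE .../record/{id}
        owner = self._owners[key]
        self._authorize(actor, owner, "delete_record", rec_id)
        del owner.records[rec_id]

    def add_watcher(self, actor, key, watcher):             # POST .../watchers
        owner = self._owners[key]
        self._authorize(actor, owner, "add_watcher")
        owner.watchers.add(watcher)

    def notify(self, key, message):                         # POST .../notify
        for watcher in sorted(self._owners[key].watchers):
            self.notifications.append((watcher, message))
        self._log("system", key, "notify")

    def denied_attempts(self, key):
        return [e for e in self.audit if e["owner"] == key and not e["allowed"]]


def demo():
    store = ResourceOwnerStore()
    store.create_owner("alice", "WEB-1", ticket="CHG-0001")
    rid = store.add_record("alice", "WEB-1", "www.example.test", "A", "192.0.2.10")
    store.add_watcher("alice", "WEB-1", "noc@example.test")
    # An identity that does not own WEB-1 tries to repoint the record:
    # the change is refused, logged against the owner, and watchers are told.
    try:
        store.update_record("mallory", "WEB-1", rid, "198.51.100.7")
    except AuthorizationError:
        store.notify("WEB-1", f"denied update attempt on record {rid}")
    store.update_record("alice", "WEB-1", rid, "192.0.2.11")   # owner's change succeeds
    return store, rid
```

Running demo() leaves the record pointing at the owner's value, with one denied entry in the audit log naming the actor that tried the change and one notification delivered to the watcher. A real service would replace the in-memory dictionaries with the persistence layer and message queue the article mentions, and would take the actor identity from the authenticated request rather than a parameter.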
Some solutions involve recurring best-practice patterns, such as an automation framework that enables background processing with the help of a persistence layer, a message queue and a synchronous full-stack service model. Others require general-purpose but pre-defined groupings of cloud service resources. Either way, organizations will not need to repeat the discovery and implementation of DNS record owner security.