DNS Domain Ownership enforcement:
Problem statement:
Domain Name Service (DNS) records are registered with an authority in a network so that hosts can be reached by their names. The records map names to IP addresses that can be resolved in the network, and a hierarchy of domain name servers routes external traffic to network hosts. This lets users reach web sites and organizational resources from the internet or the intranet respectively. When such records are created they are new instances and do not affect the existing records; left untouched, they resolve to specific hosts that can be reached and do not interfere with the security or usage of existing hosts. However, an unintended or hostile update to a record can take down the reachability of critical business resources. This article explores the need for DNS security and the ways to perform updates securely: whether to rely on features specific to a DNS server, or to streamline and harden the process surrounding the use of DNS servers and the associated network.
Solution:
The API-based approach chains the ownership resource to the DNS record so that all changes can be authenticated, authorized and audited. These include:
2) the integration between the ticketing framework and the message queues
In this case, each record on the DNS server has an owner associated with the workflow that generated the record. All actions taken on the records are logged against this resource. The API is as follows:
Create resourceowner                         POST    /rest/api/2/resourceowner
Get resourceowner                            GET     /rest/api/2/resourceowner/{resourceownerIdOrKey}
Delete resourceowner                         DELETE  /rest/api/2/resourceowner/{resourceownerIdOrKey}
Edit resourceowner                           PUT     /rest/api/2/resourceowner/{resourceownerIdOrKey}
Assign                                       PUT     /rest/api/2/resourceowner/{resourceownerIdOrKey}/record
Get records                                  GET     /rest/api/2/resourceowner/{resourceownerIdOrKey}/record
Add record                                   POST    /rest/api/2/resourceowner/{resourceownerIdOrKey}/record
Update record                                PUT     /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id}
Delete record                                DELETE  /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id}
Notify                                       POST    /rest/api/2/resourceowner/{resourceownerIdOrKey}/notify
Create or update remote resourceowner link   POST    /rest/api/2/resourceowner/{resourceownerIdOrKey}/remotelink
Get resourceowner watchers                   GET     /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers
Add watcher                                  POST    /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers
Remove watcher                               DELETE  /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers
Get create resourceowner meta                GET     /rest/api/2/resourceowner/createmeta
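To make the ownership chain concrete, the following is an added example (not code from the original article or from any particular DNS product) of a minimal in-memory service behind the API above. Every DNS record is bound to a resourceowner; a mutation must come from a principal bound to that owner, the record must actually belong to the owner named in the path, and every action, including denied ones, is appended to an audit log. The principal and watcher model, the method names and the sample data (owner keys WEB-42 and MAIL-7, the service identities, the example.test names and the documentation-range IP addresses) are assumptions constructed for the example; only the endpoint shapes come from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AuthorizationError(Exception):
    """Raised when a principal is not bound to the resourceowner it acts on."""


@dataclass
class ResourceOwner:
    key: str
    workflow: str                                  # ticket/workflow that created it (assumed)
    principals: set = field(default_factory=set)   # identities allowed to mutate records (assumed)
    watchers: set = field(default_factory=set)     # identities notified on change


@dataclass
class DnsRecord:
    id: int
    name: str
    rtype: str
    value: str
    owner_key: str     # the chain back to the owning resource


class OwnershipRegistry:
    """In-memory stand-in for the persistence layer behind the resourceowner API."""

    def __init__(self):
        self.owners, self.records, self.audit, self._next_id = {}, {}, [], 1

    def _log(self, principal, action, owner_key, detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "principal": principal,
                           "action": action, "owner": owner_key, "detail": detail})

    def _authorize(self, principal, owner_key):
        owner = self.owners.get(owner_key)
        if owner is None:
            raise KeyError(f"unknown resourceowner {owner_key}")
        if principal not in owner.principals:
            self._log(principal, "DENIED", owner_key, "principal not bound to owner")
            raise AuthorizationError(f"{principal} may not act on {owner_key}")
        return owner

    def _owned_record(self, principal, owner_key, record_id):
        # The record id must belong to the owner named in the path, otherwise an
        # identity authorized for owner A could edit owner B's record via A's path.
        rec = self.records.get(record_id)
        if rec is None or rec.owner_key != owner_key:
            self._log(principal, "DENIED", owner_key, f"record {record_id} not owned by {owner_key}")
            raise KeyError(f"record {record_id} is not owned by {owner_key}")
        return rec

    def create_owner(self, principal, key, workflow, principals):   # POST /resourceowner
        if key in self.owners:
            raise ValueError(f"resourceowner {key} exists")
        self.owners[key] = ResourceOwner(key, workflow, set(principals))
        self._log(principal, "CREATE_OWNER", key, workflow)
        return self.owners[key]

    def add_watcher(self, principal, owner_key, watcher):           # POST .../watchers
        self._authorize(principal, owner_key).watchers.add(watcher)
        self._log(principal, "ADD_WATCHER", owner_key, watcher)

    def add_record(self, principal, owner_key, name, rtype, value): # POST .../record
        self._authorize(principal, owner_key)
        rec = DnsRecord(self._next_id, name, rtype, value, owner_key)
        self._next_id += 1
        self.records[rec.id] = rec
        self._log(principal, "ADD_RECORD", owner_key, f"{name} {rtype} {value}")
        return rec

    def get_records(self, owner_key):                               # GET .../record
        return [r for r in self.records.values() if r.owner_key == owner_key]

    def update_record(self, principal, owner_key, record_id, value):  # PUT .../record/{id}
        self._authorize(principal, owner_key)
        rec = self._owned_record(principal, owner_key, record_id)
        old, rec.value = rec.value, value
        self._log(principal, "UPDATE_RECORD", owner_key, f"{rec.name}: {old} -> {value}")
        return rec

    def delete_record(self, principal, owner_key, record_id):       # DELETE .../record/{id}
        self._authorize(principal, owner_key)
        rec = self._owned_record(principal, owner_key, record_id)
        del self.records[record_id]
        self._log(principal, "DELETE_RECORD", owner_key, rec.name)

    def notify(self, owner_key, message):                           # POST .../notify
        self._log("system", "NOTIFY", owner_key, message)
        return sorted(self.owners[owner_key].watchers)


def demo():
    """Constructed walk-through: two owners, one record, two rejected updates, one accepted."""
    reg = OwnershipRegistry()
    reg.create_owner("ticket-bot", "WEB-42", "WEB-42", {"svc-web-deploy"})
    reg.create_owner("ticket-bot", "MAIL-7", "MAIL-7", {"svc-mail-deploy"})
    web = reg.add_record("svc-web-deploy", "WEB-42", "www.example.test", "A", "192.0.2.10")
    reg.add_watcher("svc-web-deploy", "WEB-42", "web-oncall@example.test")
    # The mail identity is refused on the web owner's path, and also on its own
    # path because the record is not chained to MAIL-7; both refusals are audited.
    for principal, path_owner in (("svc-mail-deploy", "WEB-42"), ("svc-mail-deploy", "MAIL-7")):
        try:
            reg.update_record(principal, path_owner, web.id, "203.0.113.5")
        except (AuthorizationError, KeyError):
            pass
    reg.update_record("svc-web-deploy", "WEB-42", web.id, "192.0.2.11")   # authorized change
    return reg


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry["action"], entry["principal"], entry["owner"], entry["detail"])
```

The point of the second check in `_owned_record` is that authorization on the owner alone is not enough: the record id in the path has to be verified against the owner in the path, or the chain can be bypassed by anyone who holds some valid owner. In a real deployment the audit list would be the persistence layer or message queue the article mentions, and `notify` would publish to the watchers rather than return them.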
Some solutions involve recurring best-practice patterns, such as an automation framework that enables background processing with the help of a persistence layer, a message queue and a synchronous full-stack service model. Others require a general-purpose but pre-defined grouping of cloud service resources. With these in place, organizations will not need to repeat the discovery and implementation of DNS record owner security.