Sunday, February 20, 2022

 

DNS Domain Ownership enforcement:

DNS Domain Ownership enforcement:............. 1

Problem statement:............................... 1

Solution:................. 1

Conclusion:............ 2

 

Problem statement:

Domain Name Service (DNS) records are registered with an authority in a network to allow hosts to be reached by their names. The records map names to ip addresses that can be resolved in the network. A hierarchy of domain name servers can translate external traffic to network hosts. This enables users to reach web sites and organizational resources from the internet or intranet respectively. When these records are created, they are a new instance and do not affect the existing records. If they are untouched, they resolve to specific hosts that can be reached and do not interfere with security or usages of existing hosts. However, an unintended or hostile update to the record can take down the reachability of critical business resources. This article explores the need for DNS security and the ways to perform updates securely – whether to rely on features specific to a DNS server or streamline and harden the process surrounding the use of DNS servers and associated network.

Solution:

The API based approach with chain the ownership resource to the DNS record so that all changes can be authenticated, authorized and audited. These include:

2) the integration between the ticketing framework and the message queues 

In this case, each record on the dns server has a owner associated with the workflow that generated the record. All actions taken on the records are logged against this resource. The API is as follows: 

Create resourceowner  POST /rest/api/2/resourceowner 

Get resourceowner     GET /rest/api/2/resourceowner/{resourceownerIdOrKey} 

Delete resourceowner  DELETE /rest/api/2/resourceowner/{resourceownerIdOrKey} 

Edit resourceowner    PUT /rest/api/2/resourceowner/{resourceownerIdOrKey} 

Assign        PUT /rest/api/2/resourceowner/{resourceownerIdOrKey}/record 

Get records GET /rest/api/2/resourceowner/{resourceownerIdOrKey}/record 

Add record   POST /rest/api/2/resourceowner/{resourceownerIdOrKey}/record 

Update recordPUT /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id} 

Delete recordDELETE /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id} 

Notify        POST /rest/api/2/resourceowner/{resourceownerIdOrKey}/notify 

Create or update remote resourceowner link POST /rest/api/2/resourceowner/{resourceownerIdOrKey}/remotelink 

Get resourceowner watchers GET /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers 

Add watcher   POST /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers 

Remove watcherDELETE /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers 

Get create resourceowner meta GET /rest/api/2/resourceowner/createmeta 

Conclusion:

Some solutions involve recurring best practice patterns such as an automation framework that can enable background processing with the help of a persistence layer, a message queue and a synchronous full-stack service model. Others require general purpose but pre-defined grouping of cloud service resources. Organizations will find they will not need to repeat the discovery and implementation of dns record owner security. 

at

No comments:

Post a Comment