DNS Stewardship
EntSec

DNS Stewardship

DNS Stewardship, the art of controlling internet facing projects from conception.

If you have ever needed to make sense of large public DNS records from organisations that need your help? You might often be met with a whole bunch of consiquences such as ghost entries pointing to assets no longer owned, systems that people dont know if they should or shouldnt wind down, out of date systems that become more desirable over time to attackers, and a general paralasys of 'I dont know,I dont want the heat for cleaning this up wrong' etc ...

An Approach that's growing on me

Organisations that have lots of public records would do well to inherit a change control process, or a Joiners Movers Leavers (JML) for those records, let's think about that for a moment... checks out++

Who needs to know what ?

A ticket to the DNS guy who then makes the changes and closes the ticket - done.

Within the organisation when you're publishing a service to the internet you may want marketing to know what you're doing, to make sure it's 'on-brand'... you'll need whoever is responsible for asset inventory to know, similarly if there is security onboarding and IT patch managment support for defence and updates, finally those who will be applying the record to the domain, there might be more or less depending on your organisation but you get the idea

We could agree that prior to creation there should be a process for the qualification of a record, then once qualified the visibility of intent shared with teams that need to engage in system support and defence for new services (cert creation, defence , patching, pentesting, security assurance etc...) and when all supports have participated this becomes easier for revisiting records for modification (movers) the last part is the removal (leavers) qualifier - perhaps when a certificate is up for renewal or the service owner notifies the DNS Steward 'we're sunsetting x project, please remove the record on this date' - generally speaking at a high level, that's the bones to all that's needed and it's basically a sell out way of saying 'think about it', no wrong answers, once it's been considered.

What would be nice is DNS Activity as an immutable broadcast amongst key teams that care or that should care, or more likely, jira tickets with the right people tagged in on.

It would be lovely if DNS registras had an enterprise interface to facilitate such concerns, something as simple as a webform 'who needs to know' would be nice too.

I'm just putting this rant out there to maybe help you when you face this problem and help you build out your own process for DNS managment and settling the chaos, you may even want to go a step further and span this idea accross DNS and firewall changes but remember... K.I.S.S. Keep It Stupid Simple.

also,closely related i cant help but mention a little labour of love dnssecuritytxt.org - If you have internet facing assets that dont have webservers that can host security.txt, keep dnssecuritytxt in mind for the bughunters, researchers and those that need a security front door.

Read next

The Internet Facing Velocity Problem
It's probably faster to find a flaw in all IPv4 Assets with Open-source attack and exploit validation tools than it is for someone internal to hunt down the owners, maintainers and appropriate people for remedial actions - The Internet Facing Velocity Problem
Read more