Adaptive DNS for a Cloudy Architecture

The world’s first commercial passenger airline flight happened on January 1, 1914. The flight carried one passenger, Abram C. Phiel, 21 miles from St. Petersburgh, FL to Tampa, FL in 23 minutes. The vessel was a hybrid “airboat” that could touch down on the water. The first land-air-only commercial flight took place 5 years later on Koninklijke Luchtvaartmaatschappij Nv, Royal Dutch Airlines, a.k.a., KLM. In 1926, the U.S Congress implemented the Air Commerce Act, which authorized the Secretary of Commerce to design airline routes, develop air navigation systems, license airlines and aircraft, and investigate airline-related accidents.[i]

Thus, 1926 marks the beginning of air traffic routes in the U.S., allowing ordinary citizens to travel from one place to another. The early airline system in the US operated under a point-to-point system, meaning if you wanted to fly from LA to Salt Lake City, you flew directly from LA to Salt Lake City. In 1978, deregulation of the airline industry allowed the airlines to implement a hub-and-spoke system that we’re all familiar with today. What used to be a direct flight may now be a connecting flight through a hub city, depending on when you want or need to fly and how much you want to pay, making traffic routing easier for air traffic control.

Needless to say, air traffic control today is substantially more complex today than it was in 1926, necessitating new routes and management over those routes. The same can be said of computer networking; early network traffic was point-to-point, but as networks grew, a hub-and-spoke system emerged. The system was predicated on DNS, a fundamental layer of network technology which connects devices and traffic through servers inside the network. DNS allows network communication to travel from point A to point B, sometimes “touching down” via a server, but offering a quick route of travel.

DNS: foundational, but historically complex

But you can see where this is going, can’t you? As virtualization, cloud, and containerization have become as fundamental to organizations’ networking strategies as their on-premises networks, in-network technology like DNS has become overly complex to use. Every time a new cloud instance is spun up, every time a new server is provisioned, the network team must update the DNS directory, which is not efficient and is contrary to what digital transformation aims to accomplish.

“DNS is a ‘firewall mentality,’” said BlueCat Networks’ VP of Strategy, Scott Penney, during a recent briefing with Ed and me. What he meant by that was that most DNS today was adapted from an on-prem tech to today’s hybrid architectures, but it still fundamentally operates like it’s running in the data center as a standalone, rigid, and manually configured technology. “Companies don’t want arcane, archaic technologies that require intensive change control processes,” Penney said, explaining that BlueCat’s solution—an integration of DNS, DHCP, and IPAM—”allows companies to go fast.”

Positioned at the core of the network, DNS has the potential to make a network fail. Because most networks today run with high levels of complexity, they’ve become fragile. There are so many things touching the network that anything that disrupts the stack, be it an incorrectly provisioned server or new cloud instance, can bring it down. “And if it breaks,” said Penney, “everything collapses.” Yet, many companies suffice with decentralized Active Directory because it’s free, built in, and “good enough.”

A new twist on an old technology

But distributed or decentralized DDI is hard to manage and plenty of companies don’t have or want to expend the resources to manage it. This is where BlueCat’s Adaptive DNS comes in. The solution puts DNS data at the center, using it as a rich data source about the state of the network. Drawing on partner integrations in asset inventory, SIEM, and threat intelligence, BlueCat offers full east-west visibility of DNS traffic through a central console (including disparate cloud instances and across namespaces), can help customers identify misconfigurations, and provides traffic steering, enhanced threat feeds, and behavior modeling. From a defense point of view, these capabilities allow customers to understand how threat actors are using the network to get from point A to point B and cause major disruptions or breaches.

Penney told us that a main differentiator is that BlueCat revolves around APIs, even offering nine GitHub repositories for developers, so that the solution can remain dynamic. The company has landed some very big customers based on its open, adaptive model. The key drivers for customer adoption, he said, include the need to move from a manual model of managing network changes to an automated system; the need to integrate with expanded network architectures; system disruptions; orchestration across hybrid environments; and, as expected, traditional DDI platforms are starting to fail because of the need to handle so much traffic and so many device types.

Ensuring Security and scalability for modern networks

The truth is, DDI is at the heart of network services but it’s not sexy and convincing your boss to spend money on something so basic as DNS, which can be managed through free sources (though not without difficulty and risk), is no easy task. The cybersecurity landscape is so vast that DNS often simply doesn’t bubble to the top of the list. That said until someone develops a network that doesn’t use IP addresses for network communication, DNS is going to remain highly important and highly valuable to threat actors. This is why defenders should consider DNS traffic a rich data source and should evaluate better ways to control and secure it.

Fortunately for network managers and security teams, the shortlist of adaptive DNS providers is short! We recommend companies put BlueCat on that list. With about 20 years in the space and a great team driving innovation, they have a good handle on reducing the complexity of network traffic and keeping connections running on time. And unlike the first commercial airline flight that had to touch down and relaunch before reaching its destination, BlueCat assures me and Ed that once companies are up and running, they won’t hit any turbulence, whatever clouds they encounter along the way.