DNS security improvements!

LARG*net operates a high availability DNS infrastructure and authoritatively hosts quite a number of domains for the membership. We also act as a backup for almost as many more domains. Our DNS servers also act as caching servers to provide the quickest possible response to your queries. If you’d like to use our servers as resolvers or to host your domains you can send a quick email and we’ll get you set up!

We enabled DNSSEC about a year and a half ago. DNS’ original design did not include security which was fine at the time but was certainly due for an upgrade. DNSSEC is a set of DNS extensions created by the Internet Engineering Task Force to prevent malicious actors from forging or manipulating DNS to redirect traffic nefariously.

At the same time we enabled filtering of malicious domains on our administrative network by pulling info from public intelligence feeds to identify and drop them. This effectively protects our team from a number of threats like phishing, malware downloads, ransomware, cyberjacking, exploit kits, and many others often propagate via DNS. These DNS-dependent propagations are filtered by our DNS servers even if they successfully bypass antivirus and/or other security controls.

Recently we ran into a bug that should have brought DNS down for our admin network but did not. Connectivity to the internet was fine but the DNS servers were not handling basic recursion properly. During our investigation we discovered that the filtering had spared us specifically.

We have decided to move forward with providing this security service to all of our DNS users. Anyone using our DNS servers will start reaping the benefits of filtering malicious domains. We are enabling this feature globally on Tuesday September 15th and this service will be provided at no additional cost. If you are already using our DNS servers you don’t need to make any changes but if you are not and would like to start just send us an email to get set up.