Corporate news

DNS server management: how Gandi helps businesses follow ANSSI’s recommendations

The mission of ANSSI — the French National Agency for the Security of Information Systems (Agence nationale de la sécurité des systèmes d’information) — is to advise and share best practices with businesses through broadly accessible publications. Since 2017, one of the publications the agency has shared is a set of recommendations on the acquisition and use of domain names: a complete guide that outlines the essentials for choosing a domain name registrar.

In a four-part series, Gandi Corporate Services is presenting the different ways you can follow these suggestions.

The first part of our series covered the five key points related to DNS security. Since it underlies so much digital infrastructure, it’s completely natural that DNS is also the main subject of this second part of the series. Here we’ll cover ANSSI’s recommendations related to DNS server resilience.

The five ANSSI recommendations for DNS server resiliency

6) Use at least two authoritative name servers

“Serve domain names from at least two authoritative name servers.”

Gandi Corporate Services’ secure solution:

Since DNS servers are responsible for the availability of domain names, it’s important to limit the impact of any potential failure. That’s why it’s crucial that your domain names are served from at least two servers.

With Gandi Corporate Services, each domain name which uses Gandi’s DNS service is distributed across three servers, each hosted in a separate data center. This redundancy on separate infrastructure guarantees the availability of your DNS and, by extension, of your online services.

Additionally, Gandi’s DNS infrastructure was built on Anycast technology. This means that our DNS service is in fact distributed across many servers spread out around the world, with each query answered from the nearest datacenter, which accomplishes two main objectives:

  •  Respond more quickly by being geographically closer to the requestor
  •  Create redundancy in case of an incident at one of the datacenters

7) Spread authoritative name servers over several prefixes

“Spread the authoritative name servers over several prefixes (blocks of IP addresses) or use the anycast routing technique.”

Gandi Corporate Services’ secure solution:

The Gandi Corporate Services infrastructure provided with every domain name is automatically configured to use 3 separate networks, allowing traffic to always be diverted towards an available server should any of the others experience technical issues.

Example distribution:

  •  217.70.187.0/24 (AS209453)
  •  173.246.96.0/20 (AS29169)
  •  213.167.230.0/24 (AS209453)

Additionally, each address is routed via Anycast in order to transit towards the closest available datacenter.

8) Distance the name servers

“Distance the name servers, for example, by placing them in different datacentres, in order to better resist environmental threats and technical incidents.”

Gandi Corporate Services’ secure solution:

As with any kind of infrastructure, DNS servers are not exempt from the rule of spreading out risks. In this case, that translates to distributing DNS servers in different datacenters.

Gandi Corporate Services’ infrastructure is built on different, geographically distributed POPs (Points of Presence):

  •  Amsterdam
  •  Ashburn
  •  Fremont
  •  London
  •  Los Angeles
  •  Luxembourg
  •  Paris
  •  Tokyo

Map of Gandi’s DNS POPs

Distributing our infrastructure in that way mitigates the risk of technical problems and natural disasters, like:

  • Electrical outages
  • Fiber outages
  • Floods
  • Fires
  • Earthquakes

For the most critical domain names, Gandi Corporate Services offers Advanced DNS, which provides you with an extra DNS server linked to the other three LiveDNS servers. This server, which uses Cloudflare, is built on Anycast infrastructure, distributed across more than 200 cities to ensure optimum redundancy:

  • Seattle
  • San Jose
  • Los Angeles
  • Chicago
  • Toronto
  • Newark
  • Ashburn
  • Atlanta
  • Dallas
  • Miami
  • Medellin
  • Valparaiso
  • Sao Paulo
  • London
  • Amsterdam
  • Paris
  • Frankfurt
  • Madrid
  • Stockholm
  • And more …

*not contractually bound, subject to change

9) Enable TCP support

“Configure infrastructures as a whole, notably the servers, the load sharers and the filtering equipment to support TCP, in addition to UDP, as a transport protocol for DNS.”

Gandi Corporate Services’ secure solution:

Historically, DNS has mainly relied on UDP (User Datagram Protocol) as its transport protocol. However, TCP support is recommended in order to benefit from the various improvements it brings.

That’s why Gandi Corporate Services’ servers support UDP and TCP.

10) Enable EDNS0 support

“Configure infrastructures, notably the DNS servers, the load sharers, the intrusion detection systems and firewalls, in order to support EDNS0.”

Gandi Corporate Services’ secure solution:

EDNS0 is an extension of the DNS protocol that increases the maximum length of DNS responses.

This extension is necessary for supporting DNSSEC.

As we discussed in the first part of our series on ANSSI’s recommendations, the DNSSEC protocol protects DNS data from being spoofed thanks to public-key cryptography. A “chain of trust” is also established from the DNS root, allowing resolvers to verify the authenticity of the data sent by DNS servers.

Illustration of DNSSEC

Gandi Corporate Services’ DNS servers support EDNS0, which, among other things, allows for the automatic activation of DNSSEC.

From a general point of view, the security and resilience of DNS are made possible thanks to the infrastructure’s own architecture, implemented by Gandi Corporate Services’ network and security experts. To learn more, feel free to contact your Account representative at corporate@gandi.net.

We would also encourage you to regularly read our Corporate News channel to follow the rest of this series and to stay informed of the latest market news.