
DNS server security options: How does Gandi enable businesses to comply with ANSSI’s recommendations?

The French Agence Nationale de la Sécurité des Systèmes d’Informations (“National Agency for the Security of Information Systems”) or ANSSI for short, exists to advise on and share best practices for information security to businesses through accessible publications. Among these publications, since 2017 the agency has included a set of recommendations regarding the acquisition and use of domain names, providing a comprehensive guide that lists the essential points for choosing a domain name registrar.

In this four part series, Gandi Corporate Services outlines the various ways you can comply with these recommendations using our services.

The first two articles in our series, both focused on DNS, outlined the five key points related to DNS security as well as DNS server resiliency. The next five recommendations in ANSSI’s document are related to the DNS security options you should take into account when choosing DNS providers, specifically:

The five ANSSI recommendations for DNS server management and resiliency

Recommendation 11: Set high TTL values during normal operations

“Set relatively high TTL values, in the normal context of operations.”

ANSSI quote: “The cache TTL of DNS records designates the maximum time period during which the data should be kept in the cache by the devices querying authoritative name servers. After this time period, these devices must consider the cached data as obsolete and ask again for the DNS records from the authoritative name servers.”

Gandi Corporate Services’ security solution:
The TTL (or “Time To Live”) represents the length of time a particular DNS record should remain cached. Gandi Corporate Services guarantees that you can define each of your records’ TTL precisely, depending on your specific needs.

ANSSI’s recommendation for TTL is between one hour and two days. That’s why, by default, Gandi Corporate Services sets TTL values on all DNS records to 10,800 seconds, or 3 hours.

While we suggest keeping this setting, Gandi Corporate Services allows you to modify this TTL value on the fly. You can either:

  • lower it as low as 300 seconds (5 minutes)
  • raise it as high as 30 days

Such changes should be reserved for special circumstances, most notably when changing DNS services.


Recommendation 12: Backup zone data

“Implement a regular backup procedure of the data contained in the DNS zones.”

Gandi Corporate Services’ solution:
Since the data contained in your DNS zone represent the foundation of all your digital services, it’s essential to make regular backups. With Gandi Corporate Services, you can make these backups in three different ways:

  1. Using the DNS zone backup feature available on Gandi’s LiveDNS nameservers from the admin interface. At any time you can make a zone backup by clicking on the dedicated button, or restore a zone backup from your list of backups.
    You can store up to 20 DNS zone backups this way, for an unlimited amount of time. By default and as a security measure, the interface automatically makes a backup before each change to the zone.
    [Images: Gandi - DNS zone backup; Gandi - How to restore a DNS record]
  2. Via automation implemented using Gandi’s LiveDNS API
  3. Using the zone export feature, available in your admin interface, in order to create your own backups
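As an added illustration of Recommendations 11 and 12 (not Gandi’s own code), the routine below flags record sets whose TTL falls outside ANSSI’s one-hour-to-two-day window and renders a record list as a standard zone file so a backup can be reloaded into any DNS software. The LiveDNS endpoint, Bearer authentication and the rrset_* field names are assumptions about the API, and the sample records are constructed.

```python
import json
import time
import urllib.request

# ANSSI's window for TTLs in normal operation (Recommendation 11): one hour to two days.
TTL_MIN = 3600
TTL_MAX = 2 * 86400

# Constructed sample in the shape of a LiveDNS record listing; the field names
# rrset_name / rrset_type / rrset_ttl / rrset_values are an assumption about the API's JSON.
SAMPLE_RECORDS = json.loads("""[
  {"rrset_name": "@",   "rrset_type": "A",  "rrset_ttl": 10800,   "rrset_values": ["192.0.2.10"]},
  {"rrset_name": "www", "rrset_type": "A",  "rrset_ttl": 300,     "rrset_values": ["192.0.2.10"]},
  {"rrset_name": "@",   "rrset_type": "MX", "rrset_ttl": 10800,   "rrset_values": ["10 mail.example.net."]},
  {"rrset_name": "old", "rrset_type": "A",  "rrset_ttl": 2592000, "rrset_values": ["192.0.2.11"]}
]""")

def fetch_livedns_records(fqdn, token):
    """Download the live record list (assumed endpoint and Bearer auth; needs network access)."""
    req = urllib.request.Request(
        f"https://api.gandi.net/v5/livedns/domains/{fqdn}/records",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def ttl_findings(records, low=TTL_MIN, high=TTL_MAX):
    """Return (name, type, ttl) for every record set whose TTL lies outside [low, high]."""
    return [(r["rrset_name"], r["rrset_type"], r["rrset_ttl"])
            for r in records if not low <= r["rrset_ttl"] <= high]

def to_zone_file(origin, records):
    """Render record sets as RFC 1035 zone-file lines (one line per value in the set)."""
    lines = [f"$ORIGIN {origin}."]
    for r in records:
        for value in r["rrset_values"]:
            lines.append(f'{r["rrset_name"]}\t{r["rrset_ttl"]}\tIN\t{r["rrset_type"]}\t{value}')
    return "\n".join(lines) + "\n"

def backup_zone(origin, records, directory="."):
    """Write a timestamped zone-file backup of the record list and return its path."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    path = f"{directory}/{origin}.{stamp}.zone"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(to_zone_file(origin, records))
    return path
```

Run `backup_zone("example.net", fetch_livedns_records("example.net", token))` from a scheduled job to keep a dated, software-independent copy alongside the interface’s own snapshots.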

Recommendation 13: Monitor zones and parent zones for failures

“Implement an automated monitoring system for data provided by name servers authoritative over a zone and by those of parent zones.”

Gandi Corporate Services’ security solution:
ANSSI recommends monitoring the authoritative servers for a given zone. That is to say, a business with the domain name ‘example.net’ should monitor the authoritative DNS servers for the zone ‘example.net’.

To meet this essential need for monitoring, Gandi Corporate Services maintains constant surveillance over the health of the authoritative servers for the zones of all its internal and external services. These services can be coupled with your own monitoring.
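To illustrate Recommendation 13 with your own monitoring, the check below (added here, not Gandi’s code) compares the NS set delegated by the parent zone with the NS set and SOA serial each authoritative server reports, and reports unreachable servers, delegation mismatches and serial drift. The observations are constructed and the server names are placeholders; collecting them is left to whatever resolver library your monitoring already uses.

```python
# Constructed observations for one zone, as a monitoring job would collect them from
# (1) the parent zone's servers and (2) each name server the zone itself lists.
# Server names are placeholders; None means the server gave no usable answer.
PARENT_NS = {"ns1.dns-provider.invalid.", "ns2.dns-provider.invalid."}
ALL_NS = {"ns1.dns-provider.invalid.", "ns2.dns-provider.invalid.", "ns3.dns-provider.invalid."}
CHILD_ANSWERS = {
    "ns1.dns-provider.invalid.": {"serial": 1700000005, "ns": set(ALL_NS)},
    "ns2.dns-provider.invalid.": {"serial": 1700000004, "ns": set(ALL_NS)},
    "ns3.dns-provider.invalid.": None,
}

def check_zone(zone, parent_ns, answers, min_reachable=2):
    """Return a list of findings; an empty list means delegation and data are consistent."""
    findings = []
    reachable = {s: a for s, a in answers.items() if a is not None}
    for server in sorted(set(answers) - set(reachable)):
        findings.append(f"{zone}: {server} gave no usable answer")
    if len(reachable) < min_reachable:
        findings.append(f"{zone}: only {len(reachable)} authoritative server(s) answering")
    # NS set as published inside the zone, merged over every server that answered
    child_ns = set()
    for answer in reachable.values():
        child_ns |= answer["ns"]
    for server in sorted(child_ns - parent_ns):
        findings.append(f"{zone}: {server} listed in the zone but not delegated by the parent")
    for server in sorted(parent_ns - child_ns):
        findings.append(f"{zone}: {server} delegated by the parent but not listed in the zone")
    # Every authoritative server should serve the same version of the zone
    serials = {answer["serial"] for answer in reachable.values()}
    if len(serials) > 1:
        findings.append(f"{zone}: serial drift across servers: {sorted(serials)}")
    return findings
```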

Recommendation 14: Employ various DNS software stacks

“Employ at least two different DNS server software stacks on all the authoritative name servers.”

Gandi Corporate Services’ security solution:

Gandi Corporate Services only uses a single software module. The team dedicated to DNS servers maintains constant software surveillance and uses a non-regression update and testing policy in order to ensure the security of the servers.

Recommendation 15: Isolate the querying service from the authoritative one

“The DNS query service should be undertaken by an isolated server or process separate from that providing the DNS authoritative service.”

Gandi Corporate Services’ solution:

There are two types of DNS servers:

  • Authoritative DNS servers: this is the case with Gandi Corporate Services’ LiveDNS service. DNS records are managed on these nameservers, and they answer requests related to the domains they host.
  • Recursive servers/cache: these servers don’t manage DNS zones. They answer requests regarding domains by making new requests themselves to other DNS servers, or from responses they have saved in cache.

These two types of servers both answer DNS requests, but don’t work in the same way. Any given server is either recursive or authoritative, but rarely both. ANSSI therefore recommends that the software installed on a server do one or the other, in order to avoid, for example, corrupted data in the servers’ caches (cache poisoning).

That’s why Gandi Corporate Services’ LiveDNS servers are only authoritative nameservers.
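One way to verify Recommendation 15 on a server you operate, added here as an example rather than Gandi’s own tooling: send a query with the RD (recursion desired) bit set for a name the server is not authoritative for, then read the reply header. An authoritative-only server never sets RA (recursion available) and typically answers REFUSED; the test vectors below are constructed reply headers, and the probe function needs network access.

```python
import random
import socket
import struct

def build_query(qname, qtype=1, rd=True):
    """Build a minimal DNS/UDP query (RFC 1035 section 4.1); return (transaction id, wire bytes)."""
    txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000             # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return txid, header + qname_wire + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN

def classify_reply(txid, wire):
    """Read the reply header flags and say what kind of service the server is offering."""
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if rid != txid:
        return "mismatched-id"              # not a reply to our query; ignore it
    ra = bool(flags & 0x0080)               # RA = recursion available
    aa = bool(flags & 0x0400)               # AA = authoritative answer
    rcode = flags & 0x000F
    if ra:
        return "recursive"                  # the server also acts as a resolver: not isolated
    if rcode == 5:
        return "refused"                    # expected for a name outside the zones it serves
    if aa:
        return "authoritative"              # answered from its own zone data, no recursion offered
    return "other"

def probe(server_ip, qname="www.example.org", port=53, timeout=3.0):
    """Send one RD=1 query to one of your own authoritative servers and classify the reply."""
    txid, query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, port))
        return classify_reply(txid, sock.recv(512))
```

Anything other than "refused" or "authoritative" from a server that is supposed to be authoritative-only is worth a ticket.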

Gandi’s responses to these five recommendations highlight the different DNS security options Gandi Corporate Services has implemented for managing domain names. If you want to learn more, please feel free to contact your Account manager or email us at corporatecontact@gandi.net.

Otherwise, the final five ANSSI recommendations will be the subject of our next post coming in a few weeks.

Please don’t forget to check our blog to read the entire series and stay informed about the latest domain name news and updates.