Speaker
Description
The Domain Name System (DNS) is a foundational layer of internet infrastructure, yet the operational complexity of managing DNS has outpaced many organizations’ ability to keep up. In a recent study, Akamai evaluated the DNS posture of over 19,000 financial services institutions worldwide. The study measured adoption and configuration of DNS-related controls including SPF, DKIM, DMARC, DNSSEC, CAA, Registry Lock, and the handling of NXDomain responses.
Despite the high visibility and security demands of the financial services industry, the results show surprising inconsistency and misconfiguration across key operational and security features. This suggests a broader trend likely reflected in other verticals.
This talk presents aggregated findings from the study and uses them to explore a deeper question: why is DNS administration so difficult today? We will highlight the expanding operational and threat landscape, including hybrid and multi-cloud deployments, fragmented ownership, legacy records, and gaps in automation. We’ll also discuss the implications of slow detection and response cycles when DNS is not centrally monitored or easily audited.
The session concludes with a call to action for DNS operators, security engineers, and tooling vendors: what can we do to make DNS administration more agile, adaptable, and accurate without sacrificing the operational integrity that DNS demands?
Slide outline
1. Introduction
Quick context on the critical role of DNS in availability, trust, and security
Motivation: Why DNS configuration matters more than ever
Overview of recent research conducted on 19,000+ financial institutions
2. Research Highlights: Financial Sector DNS Posture
Methodology: What parameters were evaluated?
SPF, DKIM, DMARC
DNSSEC
CAA records
Registry Lock presence
NXDomain behavior and anomalies
Key findings:
Inconsistent adoption across even high-profile financial brands
Misconfigured or partially configured records
Absence of DNS hygiene practices (e.g., stale zones, legacy entries)
3. What Makes DNS Administration Difficult Today?
a. Environmental Complexity
Mix of on-prem, cloud-native, and third-party hosted DNS
Multi-registrar/multi-provider scenarios
DNS record sprawl and inconsistencies across environments
b. Expanding Threat Landscape
Rise of domain-based abuse (phishing, BEC, typosquatting)
Exploiting misconfigured or orphaned DNS records
Operational blind spots that allow persistent misuse
c. Organizational Silos & Ownership Confusion
Who owns DNS? Networking? Security? DevOps?
Gaps in shared responsibility and operational coordination
d. Lack of Visibility and Automation
Manual audits, flat file exports, or spreadsheet tracking
Poor MTTR for DNS-related incidents
Difficulties in correlating DNS misconfigurations with real-world risk
4. Implications of DNS Mismanagement
Case studies or anonymized examples (e.g., outages, breaches, abuse)
How poor posture amplifies attacker dwell time and evasion
Impact on resilience, uptime, and security posture
5. Raising the Bar: What Needs to Change
Principles for modern DNS hygiene:
Consistent record validation and renewal
Cross-team coordination (SecOps, NetOps, DevOps)
Threat-informed configuration baselines
Opportunities for community and standards:
Open frameworks for posture evaluation
Better alerting/reporting pipelines
Shared registries or transparency models
6. Conclusion & Call to Action
Summary of systemic challenges and key findings
DNS as a strategic asset, not just plumbing
Open questions for the community:
What role should registrars, providers, and researchers play?
Can we create scalable benchmarks for DNS health?
How do we drive awareness without relying on regulation?
Talk duration: 20 Minutes (+5 for Q&A)