Using Transaction Signatures (TSIG) for secure DNS server communication

Transaction Signatures (TSIG) provide a secure method for communication from a primary to a secondary Domain Name System (DNS) server. It is a simple and effective way for organizations to strengthen their DNS security. TSIG is not a requirement, and many organizations instead rely on IP address-based permissions between DNS name servers. However, as the DNS is increasingly targeted by bad actors on the Internet, TSIG is a recommended design consideration.

TSIG is used (optionally) by the D-Zone Anycast DNS service to communicate with an organization's primary DNS. This white paper provides IT administrators with a brief overview of a strong external DNS configuration using D-Zone, how TSIG is used, and the required configuration information. For complete details, visit the technical support documentation for D-Zone.
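The signing step described above, as an added example that is not the paper's or D-Zone's code: a minimal request-side TSIG implementation in Python following RFC 8945 with hmac-sha256. The key name, secret, zone and message ID are constructed placeholders; the verifier walks the message to its final additional RR, recomputes the HMAC over the original message plus the TSIG variables, and rejects messages whose time-signed falls outside the fudge window.

```python
import hashlib, hmac, struct

# Constructed placeholders for the shared TSIG key; not D-Zone's real key name or secret.
KEY_NAME, ALG = "dzone-xfer-key.", "hmac-sha256."
SECRET = b"constructed-shared-secret-not-a-real-key"

def encode_name(name):  # wire-format a dotted name (no compression)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):  # offset just past a wire name; a compression pointer (0xC0) ends it
    while msg[off] and not msg[off] & 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def soa_query(zone, msg_id):
    # Constructed SOA query (QTYPE 6, CLASS IN): the check a secondary makes before a transfer
    return struct.pack(">HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", 6, 1)

def tsig_vars(when, fudge):
    # TSIG variables covered by the MAC (RFC 8945 4.3.3); error and other-data are zero for a request
    return (encode_name(KEY_NAME) + struct.pack(">HI", 255, 0) + encode_name(ALG)     # CLASS ANY, TTL 0
            + struct.pack(">HIHHH", when >> 32, when & 0xFFFFFFFF, fudge, 0, 0))     # 48-bit time, fudge

def tsig_sign(msg, when, fudge=300):  # append a TSIG RR whose HMAC covers msg + TSIG variables
    mac = hmac.new(SECRET, msg + tsig_vars(when, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALG) + struct.pack(">HIHH", when >> 32, when & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + struct.pack(">HH", 0, 0))                    # original ID, error, other-len
    rr = encode_name(KEY_NAME) + struct.pack(">HHIH", 250, 255, 0, len(rdata)) + rdata  # TYPE TSIG, ANY, TTL 0
    return msg[:10] + struct.pack(">H", struct.unpack(">H", msg[10:12])[0] + 1) + msg[12:] + rr  # ARCOUNT+1

def tsig_verify(signed, now):
    """True only if the last additional RR is a TSIG whose MAC matches and whose time is within fudge."""
    qd, an, ns, ar = struct.unpack(">HHHH", signed[4:12])
    if ar == 0:
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):                      # skip every RR except the last one
        off = skip_name(signed, off) + 10
        off += struct.unpack(">H", signed[off - 2:off])[0]
    rd = skip_name(signed, off)                            # TYPE, CLASS, TTL, RDLENGTH, then RDATA
    if struct.unpack(">H", signed[rd:rd + 2])[0] != 250:   # last RR must be TSIG
        return False
    alg_end = skip_name(signed, rd + 10)
    hi, lo, fudge, maclen = struct.unpack(">HIHH", signed[alg_end:alg_end + 10])
    when, mac = (hi << 32) | lo, signed[alg_end + 10:alg_end + 10 + maclen]
    unsigned = signed[:10] + struct.pack(">H", ar - 1) + signed[12:off]  # exactly the bytes that were signed
    expected = hmac.new(SECRET, unsigned + tsig_vars(when, fudge), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - when) <= fudge
```

Verifying a response additionally requires prepending the request MAC to the digest input, which this request-only example omits.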

Implementing a resilient external DNS

Implementing a secondary DNS infrastructure for your external domain resolution improves the overall resiliency and performance of your external DNS and conforms to industry best practices. The ideal way to architect a secondary network is to maintain a hidden primary DNS server that is used only for administration and management of the DNS. The secondary DNS consists of one or more name servers that answer queries on the Internet; these can be either Unicast or Anycast servers. Anycast technology uses multiple distributed servers that share the same IP address.

Figure: Typical DNS Architecture. Architecture of an authoritative DNS showing the corporate network, the primary DNS and a zone transfer to the secondary DNS.

Combining a hidden primary DNS with an advanced Anycast DNS secondary solution provides the following benefits:

  1. Easier maintenance of the primary DNS without impacting public websites.

  2. Increased security because the primary DNS is hidden.

  3. Enhanced performance with a global network of servers that are close to customers.

  4. Improved resilience because out of service nodes are removed from the routing tables.

  5. Enhanced ability to absorb distributed denial-of-service (DDoS) attacks against the DNS, because attack traffic is soaked up at the geographically closest node.