Hybrid Workforce: Who’s Managing DNS?


Post pandemic situation sees the confirmation of work from home but also work from anywhere. After COVID-19, 92% of eligible people expect to work from home at least 1 day per week and 80% expected to work at least 3 days from home per week according to a survey by Owl labs. Most enterprises seem to accept this new paradigm as it improves the overall productivity of the workforce. Provided the logistics of working outside the Enterprise can be addressed, connecting them to the companies’ cloud and on-premise systems and applications securely remains the sensitive problem to tackle. This raises the question about the security provided to this new hybrid workforce. As long as they are within the company premises, all the security infrastructure is available to protect the users, the company’s applications and data. It’s a different situation when they are working remotely, starting with the DNS they use while outside the organization. As stated in the IDC 2021 DNS Threat Report, DNS in the overall security strategy for the extended enterprise is seen by 55% of respondents to be a critical component for the remote workforce. Let’s see what are the challenges of securing the extended enterprise and what are the available solutions.

Why Securing the Extended Enterprise is Important

Securing the on-premise workforce has been done for a while. On the DNS side, solutions do exist and can be implemented easily. Securing the remote workforce is another story.

The initial solution has been to set up VPNs connecting the remote worker devices e.g. the company’s laptop, personal home computer or other tablets and smartphones to a company’s VPN concentrator connected to the corporate network and acting as a gatekeeper as well as encrypting the traffic. This solution works well but can be costly as the VPN concentrator terminating those remote users’ connections must aggregate the sum of all the encrypted traffic from all remote users connected simultaneously. This inflates the costs of both the Internet uplink in the corporate site as well as the VPN concentrator appliance model and licenses. Also VPNs need an agent running on the connected device, so even though this solution works for mainstream equipments and OSs, there is always the risk of the brand new equipment or the latest version of an OS not (yet) being supported by the VPN client agent which in addition raises the need for the IT department to ensure the proper version of the VPN client is used on all connected devices.

While this solution was sufficient for occasional roaming users on the go, it becomes expensive for permanent or semi-permanent remote workers as explained before. Lastly, only using a VPN is not efficient as all the company traffic of all remote users is backhauled toward the VPN concentrator while the company’s Cloud and SaaS applications traffic could be sent directly via the broadband or 5G Internet access of the remote location e.g. home, coworking space, webcafe, car, etc.

So, the problem to solve is how to control the applications and company resources these remote users are allowed to access while only sending the part of their traffic that truly needs to go to the corporate network.

Managed DNS Service Providers vs Private DNS

Let’s remember one thing, all IP connections to applications or resources start with a DNS request. Controlling the DNS service these remote workers use will ensure the security, confidentiality and privacy of their DNS connections while allowing to route their traffic according to the resource or application they request, i.e. backhauling it to the corporate network if it is hosted there and if this requires a high level of confidentiality and privacy or provided the user is granted access to them, use the broadband Internet connection to directly access Cloud and SaaS applications with such connectivity protected via TLS. This way you can leverage the use of the VPN limiting it to traffic that must be sent to the corporate network while controlling all applications internal or in the Cloud your remote workforce will access.

This ability to provide such a ubiquitous DNS service for your hybrid workforce is called Private DNS.
What are the options to deliver such service to your users and their equipment’?

The first and simplest option is to use the services of a Managed DNS Service Provider.
The alternative is to build your own Private Enterprise DNS service by using one of the two solutions available:

DoT will create a TLS connection between the TCP stack of the device and the DNS server of your organization.
On the other hand, DoH will create a https connection between a web browser of the device and the DNS infrastructure of the Enterprise.
Both will support the same DNS services and are agentless but the first one will work for any applications used by the device as supported by the OS while the latter will only work for web applications (using a web browser).

Pros & Cons of Managed DNS Service vs Private DNS

Managed DNS Service Providers:

  • Pros:
    • Cheap or ‘offered’. ‘You are the product’ to them, and you pay with the DNS data you share.
    • “Easy”, no infrastructure is needed
    • Available immediately
    • Ubiquitous with the span of these provider and the use of anycast addresses,
    • Performant, up to ‘fair use’.
  • Cons
    • Non-guaranteed availability, despite the scale and performance of Managed DNS Service providers,
    • Limited security wise, you can only get what the provider provides and you can’t control the sources and contents of the security feeds the Managed DNS service Provider uses for DNS threat Intelligence,
    • Data privacy risks, as you can’t be sure the DNS traffic won’t be used for other purposes.

Private DNS:

  • Pros
    • Same DNS infrastructure for all your workforce including your hybrid workforce
    • Global Visibility and Control over all workers’ applications access
    • High availability and Resiliency by securing your DNS infrastructure against Zero Day attacks with Hybrid DNS, and DNS redundancy with SOLIDserver’s SmartArchitecture
    • Security wise, you can set up a tailored configuration, using DNS Guardian
    • Apply and enforce security policies consistently across on-site and remote workers
    • Privacy is guaranteed as all the DNS traffic of your remote users is handled by the company’s Private DNS without any man-in-the-middle
    • Improved Application Access Control using DNS Client Query Filtering will filter and secure access to all Apps at client level wherever your hybrid workforce works.
  • Cons
    • Requires you to extend your existing Private DNS infrastructure to handle the hybrid workforce,
    • Set up fee might be higher, though this is marginal with respect to the consequences of not having Private DNS (e.g. ransomware),
    • You need to maintain such Private DNS Security infrastructure.

Think About it Wisely…

Weighing the benefits of guaranteed privacy of the DNS traffic and data of your hybrid workforce, enhanced control and strengthened security of your DNS infrastructure to protect your apps, users and data, it is worth thinking about securing the DNS for your remote users by setting up your Private Enterprise DNS infrastructure before it’s too late…

DoH for the Hybrid Workforce

See how a controlled Private DNS infrastructure guarantees the security of the DNS traffic of your Remote Workforce

Learn More
Posted in:
17 March 2022 Post pandemic situation sees the confirmation of work from home but also work from anywhere. After C...

EfficientIP