Introducing the UK public sector DNS
Use the UK public sector DNS to continue reaching PSN services, save money and stay protected from malware.
If you’re responsible for business, security or technical decisions about the IT your organisation uses, read:
- about the UK public sector DNS
- the security features of the UK public sector DNS
- about the service levels
- the terms you must accept to use the DNS
If you’re responsible for the external connectivity and Public Services Network (PSN) connectivity of your organisation’s network, read about:
The UK public sector DNS services
Government Digital Services (GDS) and the National Cyber Security Centre (NCSC) are providing domain name system (DNS) services for the UK public sector.
DNS is an internet standard that works like a telephone directory. It maps from names like www.bbc.co.uk to IP addresses like 188.8.131.52 which computers need to know to connect to each other.
The new DNS services are:
- run by Nominet UK
- funded by NCSC until September 2018
- free at the point of use for public sector organisations who choose to use them
NCSC will bid for funding for this project for another two years from September 2018.
The DNS services protect your users from accessing known malicious sites identified using a range of government, commercial and community sources. They are part of the government’s Active Cyber Defence programme. Find out how the DNS services will help deliver the strategy’s ‘defend’ objective on page 33 of the National Cyber Security Strategy.
The UK public sector DNS services consist of:
- an internet DNS
- a PSN DNS
The PSN DNS has an authoritative nameserver which lets you manage your PSN domains so that:
- traffic is routed to the right places within the PSN
- any permitted traffic from the internet, such as email, can get into the PSN
The internet DNS doesn’t include an authoritative nameserver because such services are commonly available.
Both DNS services support:
- internet DNS queries
- IPv4 and IPv6 addressing
- DNS and DNS security extension (DNSSEC) standards
- NOTIFY communications with the PSN DNS resolver to communicate changes to a zone
- AXFR and IXFR zone transfer requests from the PSN DNS resolver
The PSN DNS supports queries to other government networks.
The services don’t include Network Time Protocol (NTP) because NTP is freely available elsewhere.
The UK public sector internet DNS will be available from 31 March 2017. The UK public sector PSN DNS will be available later in 2017. You can pre-register for both DNS services now.
The internet DNS
The internet DNS protects your internet-connected users from accessing known malicious sites. This is a resolver only, so you can use it without needing to move your existing internet DNS records.
To migrate to the internet DNS, a technical contact in your organisation needs to tell us the IP addresses you’ll use to access it. During registration, we’ll give your technical contact configuration instructions to start using the internet DNS.
The PSN DNS
The PSN DNS meets the specifications set out by GDS. The new DNS is connected to both the PSN Assured and PSN Protected networks. This means that it can resolve names on PSN Assured, PSN Protected and the internet for any user connected to either the PSN Assured network or the PSN Protected network.
Registering for the PSN DNS lets you manage your PSN domains, including their visibility to users on the PSN and on the internet.
For users on the PSN, the DNS gives an address on the PSN (like www.domain.gsi.gov.uk). If it can’t find one on the PSN DNS (like www.bbc.co.uk), it behaves like other internal DNS services and recurses out to the internet root DNS servers.
If a user on the internet looks for a PSN address, the internet root DNS servers send them to the PSN DNS. This sends the user to a secure gateway into the PSN rather than returning a PSN address.
The technical contact in your organisation needs to register for the PSN DNS so you can start migration. During registration, we’ll give them the IP addresses of the PSN DNS.
Why there’s a new PSN DNS
Until March 2017, many organisations connected to the PSN paid for DNS services under the Government Secure Internet (GSi) Convergence Framework (GCF). The closure of this framework created an opportunity to save money across government.
Register for the PSN DNS
If you’re already the PSN point of contact for your organisation, you’ll receive an email from GDS inviting you to register for the new DNS through the online support tool. When you access the tool you’ll see your PSN domain names. When you register, GDS will seek formal authorisation from a decision maker in your organisation before you can begin using the new DNS.
If you haven’t received the invitation, you can still register on the online support tool.
How the PSN DNS works
The new DNS connects directly to more than one PSN service provider network for a fast and reliable service. You’re dependent on your PSN network service provider to reach the DNS.
The DNS is authoritative for names hosted on the PSN. When users on the PSN send DNS queries about services connected to the PSN, those queries stay inside the PSN. This reduces vulnerability to distributed denial-of-service (DDoS) attacks.
The DNS can resolve:
- PSN Assured DNS records (for example, www.domain.gcsx.gov.uk)
- PSN Protected DNS records (for example, www.domain.gsi.gov.uk)
- internet DNS records (for example, www.bbc.co.uk)
It has forward and reverse resolution capability to assist interoperability, diagnosis and tracing.
The DNS consists of authoritative nameservers for PSN and internet users, and a resolver for PSN users:
- The internet-facing nameserver responds to hosts on the internet.
- The PSN-facing nameserver transfers your domain names to the resolver on the PSN using the standard zone file format. The resolver then responds to hosts on the PSN. The nameserver for PSN hosts isn’t delegated to or from the internet root DNS servers, so it doesn’t appear in internet lookups, and it’s protected by access controls.
Together, the nameservers create a ‘split horizon’. This means that when a user on the internet emails a user on the PSN, the associated DNS query returns the address of a secure mail gateway into PSN rather than the destination mail address. Web addresses on the PSN aren’t reachable outside the PSN. When a user on the internet tries to reach a URL on the PSN, the associated DNS query returns nothing.
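The split horizon described above can be modelled in a few lines. This is an added example, not code from GDS or Nominet; the client network, record data and gateway name are constructed assumptions.

```python
import ipaddress

# Constructed sample data: networks, names and addresses are illustrative only.
PSN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed PSN client range

PSN_VIEW = {  # records served to hosts on the PSN
    ("www.domain.gsi.gov.uk", "A"): ["10.20.30.40"],
    ("domain.gsi.gov.uk", "MX"): ["mail.domain.gsi.gov.uk"],
}
INTERNET_VIEW = {  # records served to hosts on the internet
    # Mail is directed to a gateway; no A record is published for the web name.
    ("domain.gsi.gov.uk", "MX"): ["mailgateway.example.net"],
}
UPSTREAM = {  # stands in for recursion out to the internet root DNS servers
    ("www.bbc.co.uk", "A"): ["192.0.2.80"],
}


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def on_psn(source_ip):
    """True if the querying address falls inside an assumed PSN network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in PSN_NETWORKS)


def resolve(source_ip, name, rtype):
    """Return (view, answers) for a query, choosing the view by source address."""
    key = (normalise(name), rtype.upper())
    if on_psn(source_ip):
        if key in PSN_VIEW:
            return "psn", PSN_VIEW[key]
        # Not a PSN name: behave like an internal resolver and recurse out.
        return "psn-recursed", UPSTREAM.get(key, [])
    # Internet clients only ever see the internet-facing zone.
    return "internet", INTERNET_VIEW.get(key, [])


if __name__ == "__main__":
    for src in ("10.1.2.3", "203.0.113.9"):
        for q in (("www.domain.gsi.gov.uk", "A"), ("domain.gsi.gov.uk", "MX")):
            print(src, q, resolve(src, *q))
```

The same name gives a PSN address to a PSN client, a gateway for mail from the internet, and an empty answer for a web lookup from the internet.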
The PSN DNS and internet DNS protect users and their information by using DNS filtering to:
- prevent users from accessing known malicious sites
- make phishing attacks less effective – if a user clicks a malicious link in an unsolicited email, the DNS prevents access to a pre-identified malicious site
- prevent communication between cyber criminals and their malware - they block or redirect DNS lookups to known malware command and control servers
Inbound query and response traffic is collected at each DNS nameserver site and securely streamed in near real-time to:
The following NCSC principles form the basis of DNS user protection:
- The DNS is opt-in and freely available to UK government and public sector organisations over the internet.
- The DNS is not intended for use by private industry, individual home users, or non-UK organisations.
- The DNS is configured to ensure that it doesn’t resolve any lookups for domains that are known to be used for malware distribution or operations.
- The DNS is intended to prevent access only to sites known to harbour malicious content. The DNS tries to resolve all legitimate business and personal sites that haven’t been identified as infected or hosting malware.
- A range of government, commercial and community sources of information are used to identify and prevent malicious sites from being accessed. Further malicious sites are identified by observing anomalous behaviour in DNS traffic.
- The sources of information aren’t published publicly as this would tell the criminals where to direct their efforts. They are reviewed on an ongoing basis by NCSC.
- The dynamic nature of the threat means the solution can never be 100% perfect, and there will be a few false positives or false negatives.
- Blocking other categories of site (for example gambling sites or sites containing adult content) is defined in your organisation’s policy. Your network administrators are responsible for implementing your organisation’s policy.
- End users are presented with a block page citing the address they attempted to connect to and the reason the site was blocked.
- The DNS monitors traffic for active threats analysis to protect end users.
- Any DNS data retained is held securely and processed fairly and lawfully in the UK. The data is used for the purpose stated above and retained no longer than necessary.
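A sketch of the filtering decision these principles describe, as an added example rather than the service's own logic. The blocklist entries, block page address and function names are constructed assumptions; the point shown is matching on label boundaries so that look-alike names are not blocked by accident.

```python
# Constructed sample data: not real indicators and not the service's feeds.
BLOCKLIST = {
    "malware-c2.example": "malware command and control",
    "phish.example": "phishing",
}
BLOCK_PAGE_IP = "192.0.2.53"  # assumed address of the host serving the block page


def labels(name):
    """Split a query name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def match_blocked(qname):
    """Return (listed_domain, reason) if qname is at or under a listed domain."""
    parts = labels(qname)
    # Walk the parents on label boundaries: a.b.c -> a.b.c, b.c, c
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in BLOCKLIST:
            return candidate, BLOCKLIST[candidate]
    return None


def filter_query(qname):
    """Decide whether to resolve normally or redirect to the block page."""
    hit = match_blocked(qname)
    if hit is None:
        return {"action": "resolve", "qname": qname}
    domain, reason = hit
    # The block page cites the address requested and the reason for the block.
    return {
        "action": "redirect",
        "answer": BLOCK_PAGE_IP,
        "qname": qname,
        "matched": domain,
        "reason": reason,
    }


if __name__ == "__main__":
    for q in ("beacon.malware-c2.example.", "notphish.example", "www.bbc.co.uk"):
        print(filter_query(q))
```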
The DNS resolver services:
- limit suspicious traffic to prevent exploitation of the service
- are designed and managed to protect against known vulnerabilities
- quickly fixes every vulnerability that they identify
- uses several tools to identify vulnerabilities
The UK public sector DNS is designed so a security vulnerability in one part of the service doesn’t affect other parts of the service. Someone would need to find multiple vulnerabilities to successfully attack the DNS.
The nameserver for PSN hosts isn’t delegated to or from the internet root DNS servers, so it doesn’t appear in internet lookups. The associated zone files are protected by strict access controls.
The DNS service is continuously monitored internally and externally for health, efficiency and capacity. Intrusion detection mechanisms are in place, which are monitored and maintained.
The DNS infrastructure is housed in data centres that use strong multi-layered physical security measures.
Usernames and passwords for the DNS support tool are stored as a salted SHA-256 hash. Users access the portal over the internet using enforced Transport Layer Security (TLS) encryption. The support tool encrypts data in transit and data at rest.
Operational staff have the minimum permissions necessary to do their job. Accounts aren’t shared. Data changes are linked to the account that made them. Controls minimise data leakage and the risk of compromising the production systems.
Access to the online support tool is based on users, groups and roles. Role-based user permissions are built from access control lists (ACLs) set by Nominet and GDS. GDS ensures that users from a particular organisation can only access that organisation’s own data.
Departmental requests to change zones on the PSN authoritative nameserver are made in the support tool. These changes are peer reviewed by experienced DNS engineers.
The ability to make changes to the zone files directly is available to approved departmental users who follow best practice. Self-service access must be authorised by GDS.
Nominet regularly tests its security boundaries using internal testers and third party specialists. Security accreditation and adherence is reported to Board level and any issues identified or reported are promptly addressed. Testing includes:
- code reviews
- quality assurance
- penetration tests
- social engineering exercises
Nominet provides support to technical administration teams that manage DNS in:
- public sector organisations using the PSN DNS or the internet DNS
- commercial organisations using the PSN DNS
Nominet doesn’t provide direct support to individual end users. End users should contact their own IT service desk for all support requests.
If your organisation uses the PSN DNS or the internet DNS you can use the online support tool to:
- register to use the DNS
- raise operational issues with the DNS
- ask questions about the DNS, including whether a site should be blocked
- monitor the status of the DNS
- request an update to the registered IP addresses your organisation uses to access the service
If your organisation uses the PSN DNS you can also use the online support tool to:
- raise change requests to manage your organisation’s PSN domain names
- request to manage your own PSN domains directly
You can also contact the support team by email or by telephone.
Telephone: 01865 332 277
Online support tool: https://dnssupport.nominet.uk
Report urgent requests, incidents or problems by telephone. There’s 24-hour support 7 days a week for urgent incidents, such as:
- your organisation experiences a loss of service
- you need to request an urgent change to a domain to ensure continuation of service
After transition to the new DNS is completed, from 8am to 6pm Monday to Friday the support team aims to:
- answer 100% of calls within 20 seconds on average
- answer 100% of email and online support tool tickets within 6 hours and 95% within 4 hours
The DNS services are designed to be highly reliable and available, geographically diverse and low latency. Each node connects directly to multiple service provider networks for a fast and reliable service.
The stated peak resolution volume in queries per second can be handled even in the event of multiple simultaneous site failures. There are no single points of failure to DNS resolution.
| Attribute | Internet DNS | PSN DNS |
| --- | --- | --- |
| Traffic rate supported | More than 24,000 million queries per month at a peak of 15,000 queries per second | More than 12,000 million queries per month at a peak of 15,000 queries per second |
| Availability (including all periods of maintenance) | At least 99.99% | At least 99.999% |
| DNS request response time | Not applicable* | 25 ms for PSN traffic* |
| Resiliency and disaster recovery | Geographic with anycast approach | Geographic with anycast approach |
*The DNS request response time doesn’t include the latency of the network between your users and the service.
- The DNS is provided ‘as is’ free to users by arrangements made with GDS. As such, neither Nominet nor GDS provide any warranties as to minimum service standards and functionality, and neither will Nominet accept any liability for any loss of service or functionality.
- You must not use the DNS for any unlawful purposes.
As part of providing the DNS, Nominet monitors DNS queries and analyses DNS traffic. Nominet processes and shares this data with GDS and other government organisations including NCSC, to:
- help check that the DNS is running smoothly
- improve the DNS
- detect threats and anomalous DNS traffic patterns
- Nominet will attempt to block access to IP addresses and domain names which are believed to be associated with malware or other threats. However, Nominet doesn’t guarantee that it will be successful and that all malicious sites will be effectively blocked, and nor can Nominet guarantee that sites which carry no risk will never be inadvertently blocked to end users. Nominet recommends that you install appropriate security measures on your computer systems, including up-to-date virus protection and firewalls. Nominet isn’t responsible for any third party content or material which you may be able to access on the internet via the DNS.
- Both Nominet and you may terminate your use of the UK public sector DNS services at any time.
To continue using the PSN DNS, your organisation’s PSN-connected environments must maintain PSN-compliance.
Published: 24 February 2017