3rd Party Access to DNS

Hi Everyone,

Not sure if this belongs here but it seemed like the best place for it. I am wondering if anyone has an opinion on allowing supplier access to DNS. I am getting directed to provide credentials for it by our head office (I work in a country's head office).

To be honest it's making all the hairs stand up on my neck and pushing back isn't working. Apparently the Head of IT couldn't see any issues, and thought it would reduce his busy workload (obviously 5 minutes to log in and set up the records was too much).

Normally suppliers would send the requested changes to me, and I would set the records up. I could understand giving access if you don't have any IT in house.

I can't see how you could prevent them from breaking stuff (my main concern is if an attacker gains access TBH). It's a website project and they need access to the root level of the domain. Does anyone know any DNS hosting service where you could restrict users to what records they can break?

Cloudflare seems to be either full DNS access or no DNS access (and only on the enterprise accounts).

Cheers

Viewing this from a project management perspective, ensure the access request has been documented, authorized by your head of IT and recorded in your change log.

The risk of the 3rd party credentials being obtained by a malicious attacker should also be recorded in a risk register if you have one, and assessed for impact and consequence in the event of occurrence.

Cover those points and ensure both documents are signed off, and any fallback would be on whoever authorized it.

3 Likes

I would certainly push back hard on that, and escalate. Autodroid’s advice is good from a cover your ass perspective.

2 Likes

Thanks guys. I am glad it's not just me being paranoid.

I've pushed back on this and escalated it as much as I can. The request came from a PM (I don't think he has a background in IT) who thought the marketing officer would have access, and not from the head of IT, which I think is fishy.

The head of IT (I think he is spineless) couldn't see any problems with the request. I doubt they have documented the change, or even have a risk register TBH.

I am in this situation at work (happily though, I am one level below the CIO).

I do not authorise anybody else (third parties outside the company) to control the DNS.

They can request changes via the appropriate process.

Make it clear to the business that DNS is responsible for email delivery, their website (and potentially 365 or any other cloud provision you have), and pretty much every external service the company presents to the world, and that you will cooperate to make any changes requested, but they need to be vetted by somebody who knows what services the company actually has, in order to ensure there are no service-breaking changes.

I've seen all manner of DNS retardation by third party asshats (e.g. web "developers") who have no fucking clue what they're doing, so DNS is something I do not give up.

Pretty much every modern service depends on DNS; giving third party clowns control of it is a BIG no no in my view, and hopefully any sane business stakeholder can see the risk if it is explained in a reasonable manner.

edit:
External DNS changes are definitely things you want to do change management on.