This is to let you know about some March Planned Engineering and Service Updates - and our fist 'Bono Pastore' Focus area. Please see the background and overview of the program at http://www.onega.net/blog/2016/03/2/bono-pastore if you're not yet aware of this.

Our first best practice focus is going to be on DNS (Internet Domain Name Services) and making sure that clients systems (as well as our own) are in-line with best practice in this area.

In business terms:

DNS is the system that allows us to register Internet domains for our organisations and to browse the web and send emails with friendly names like www.bbc.co.uk www.onega.net and fred@onega.net etc. So much uses DNS that we often take it for granted much of the time – and well implemented so we should.

Being such an important system, we want to make sure that client implementations are optimal in three key areas relating to DNS:

Domain Registrations – This is the administration of your domain and the registration of it. We want to help make sure that all the details related to your domains are up to date, correct & appropriate, not due to expire any time soon etc.

Internal Resolution – This is how client and server computing devices carry out Internet resolution so that you can connect to the Cloud quickly, reliably and safely (see Secure DNS Services for more on this).

External Resolution – This is how people find your organisation and services on the Internet – to know where to send you email, browse your website and communicate via electronic means etc. It is important that this service be provided robustly and reliably.

Our object is to conduct a review to ensure that these aspects of DNS are all well implemented across our client organisations.

The next steps are:

We will be in contact with clients over the coming weeks to ensure that we run through your DNS configuration with you. Don’t worry if you’re not technical – we are happy to take care of those parts. We have a checklist which we’ll complete with you so that we capture the key information about your domains, and identify any areas that need attention so that we (you or us as per preference and can work to resolve these and get them checked off.

For clients under Onega managed services contracts we'll liaise with you and do most of the running on this to help make sure your DNS is good and documented. For clients with whom we have PAYG agreementswe can agree with you who will do what with the aim that we make sure all our your services are robust.

Expect us to be in touch soon then about next steps and starting the process. If you are not under contract with Onega (or not sure) and would like to engage in the DNS best practice review process then please do get in touch and we’ll be happy to add you to the review rosta.

For reference:

Internet DNS Best Practice Policy – http://intwiki.onega.net/index.php?title=Internet_DNS_Configuration_Best_Practice_Policy

Organisational DNS Checklist - http://intwiki.onega.net/index.php?title=Organisational_DNS_Checklist

For information on Secure DNS Services:

http://www.onega.net/blog/2015/6/4/the-importance-of-using-secure-dns-servers

If you don’t have a login for the Onega’s Policy and Procedure wiki then please get in touch and we’ll setup access for you.

Technical changes that will occur on Onega Infrastructure:

Tuesday 22nd March 2016 12:00 (Midday) GMT - We will be changing the configuration of our two legacy DNS servers 81.3.75.71 and 81.3.75.72 to no longer act as recursive resolvers. Thus any computers or servers that are using these servers for DNS will need to be updated to use alternate (eg Secure DNS) servers before this cut off date.

Tuesday 12th April 2016 12:00 (Midday) GMT - We plan to turn off these two DNS servers - thus any zones hosted on these servers will need to be moved before that time. We have new servers in place to take the zones and migrations will be done as part and in conjunction with the best practice review process – the new DNS servers being more best practice compliant than our legacy servers.

Why are we making these changes?

In short, so that we also comply with our own guidelines for Best Practice, but in more detail:

1) Comply with best practice - Recursive DNS Servers (ones that do lookups for client PCs) should be split off in role from ones that host DNS Zones.

2) For best security and maintain best performance of the service - Recursive resolvers can be abused in DNS Amplfication attacks (see https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html if you're interested to learn more

3) So that we make sure all clients are resolving securely to the Internet and to retire an older Windows Server 2003 DNS Server which is coming towards end of life.

What happens if I don’t have best practice DNS?

We don’t want to scare anyone but if you don’t comply with best practice then you risk (in the worst case):

Losing your domain or having it suspended.
Not being able to access the Internet
Not being able to send or receive email
Clients getting redirected to phishing or competitor’s websites and email going the same way.
Being unprotected at DNS level against infected websites.

The above are worst case scenarios but we aim to greatly reduce the risk of occurrence by complying with best practice with regards to your domains.

Once we've been through the review process with you the outcome should be that we can all sleep easier knowing that the DNS aspect of your IT is in very good order.

Bono Pastore = Good Shepherd

This is what we aim to be at Onega. We work with organisations to help deliver smooth IT and related services. We like working with people and machines, and fixing issues. Even better than this we like to prevent problems from happening in the first place.

Before anyone asks we're certainly not likening our clients to quadrupedal, ruminant mammals of genus Ovis, nor do we walk on water. What we are saying is that much of IT, like many other things is about procedures, routine and best practice. Watching over a flock is about patience and care. Not glamorous but important.

In the same vein, here at Onega, we are thus planning to address a number of IT focus areas with clients during the course of 2016. The pattern we plan to set and repeat here will be as follows:

Identify key areas of IT that may cause risks for clients.
Ensure we have best practice solutions and procedures available to address these.
Communicate the focus area and engage with clients to address this.
Create and fill out appropriate checklists so that we capture any relevant information and actions.
Agree on a plan to resolve any issues; so that things are brought as close to optimal as practicable and document exceptions where there are good reasons why not.

During the course of these processes we well be looking at the same aspects of IT operations across multiple clients so we have the benefit of scale in the effort and the team will be well briefed on the task at hand to ensure you are getting good advice. The outcome should be more robust systems implementations, documented procedures and policies, and documented systems and responsibilities.

The engagement that Onega has with clients varies widely. For some clients we manage entire IT estates and systems, and for others we provide ad hoc assistance as you need us. Thus, one of the first parts of an effort is establishing the relevance of an area of IT to a client, who is responsible for this aspect and who will carry out the work and under which contract.

We fully expect that not every proposed Bono Pastore engagement will be relevant to every client so where you are happy to take care of something yourself this is documented, and where you'd like our assistance in a matter big or small we are happy to help with that. One big benefit for everyone is that the process should help make everyone aware of aspects and ensure that any ambiguity in responsibilities (or duplication of effort) is addressed and removed.

The first pass of this series of best practice benchmarking exercises is due to start soon with DNS - Domain Name Services. This is one of the underpinnings of the Internet and something we use every day for conduct of business. Thus it is one that affects just about all clients so expect a post and for us to be in touch about this. We may even make it a podcast topic soon to go into more detail. We're mindful that we should communicate more about what we do as much of good IT, if done right, will not be seen but contributes to things 'just working'. This is ideal but far from universal so we should resist the trap of complacency just as the good shepherd keeps vigilant watch. The wolf is ever hungry but will find tonight's meal elsewhere.