
DNS Overview

Protected domain name resolution for staff devices

The MoJO-DNS service is a client-device-facing service that resolves DNS queries for devices on the MoJ local area network.

The service answers DNS resolution requests from the following:

  • A device on the internal, wired network.
  • A device outside the wired network.

User needs

Unlock access to the public internet to enable new devices for staff.

Principles

Allow our staff access to modern devices by unlocking public internet.

Prevent access to malware, ransomware, phishing attacks, viruses, malicious sites, and spyware by resolving external names through the NCSC Protective DNS service.

Use cloud first, to meet point 5 of the Technology Code of Practice (TCoP) and the government's cloud first policy.

Infrastructure as Code provides a full audit of changes, automated testing, and redeployment of the service in the event of failure or disaster.

Tools

The DNS service uses ISC BIND containers running on AWS ECS Fargate. The infrastructure is defined as code with Terraform, which provides an audit of changes, versioning of components, automated testing, and redeployment of the service in the event of disaster.
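The two security-relevant behaviours of a resolver built this way are that it forwards every external lookup to Protective DNS and never falls back to resolving on its own, and that it only serves clients on MoJ networks. The following named.conf is an added illustration of that shape; it is not the configuration produced by the DNS admin portal or held in the DNS server repository. The network ranges, forwarder addresses (Protective DNS resolver addresses are supplied by NCSC and are not shown here) and the internal zone name are placeholders.

```conf
// Added example: forward-only BIND resolver for staff devices.
// Not the project's own config; all addresses and names are assumptions.

acl "moj-internal" {
    10.0.0.0/8;        // placeholder: wired staff LAN ranges
    172.16.0.0/12;     // placeholder: ranges used by devices outside the wired network
};

options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };
    listen-on-v6 { none; };

    // Answer and recurse only for MoJ clients; everything else is refused.
    // An open recursive resolver is an amplification source and a poisoning target.
    allow-query     { "moj-internal"; localhost; };
    allow-recursion { "moj-internal"; localhost; };
    allow-transfer  { none; };
    recursion yes;

    // "forward only" (not "forward first") means that if the forwarders are
    // unreachable the query fails closed with SERVFAIL instead of BIND
    // resolving iteratively and silently bypassing Protective DNS filtering.
    forward only;
    forwarders {
        192.0.2.10;    // placeholder for NCSC Protective DNS resolver
        192.0.2.11;    // placeholder for NCSC Protective DNS resolver
    };

    // Validate DNSSEC signatures on the answers the forwarders return.
    dnssec-validation auto;

    // Reduce amplification potential and fingerprinting.
    minimal-responses yes;
    version none;
    rate-limit { responses-per-second 20; };
};

// Protective DNS cannot resolve private zones, so internal names are
// forwarded to the on-premises resolvers (assumed addresses) instead.
zone "internal.example" {
    type forward;
    forward only;
    forwarders { 10.10.0.53; 10.10.1.53; };
};

// Query logging to syslog, so that lookups can be shipped to the
// monitoring and alerting pipeline and reviewed during incident response.
logging {
    channel query_log {
        syslog local0;
        severity info;
        print-category yes;
    };
    category queries { query_log; };
};
```

Check the fail-closed behaviour before relying on it: with the forwarders unreachable, a lookup for an external name from a client in the ACL should return SERVFAIL rather than an answer, and a lookup from an address outside the ACL should be refused. If the service is deployed with "forward first", either test will succeed, which means the filtering can be bypassed.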

Diagram

High level diagram (diagram source)

Repositories

| Repository | Description |
| --- | --- |
| DNS admin portal | Admin Portal for managing staff device DNS forwarders and zone configuration. |
| DNS server | Contains the Dockerfile used to build the BIND DNS server Docker image. The configuration for this server is managed in the Admin Portal. |
| DNS disaster recovery | Contains an interactive script that can be used to roll back a corrupt config file for the DNS or DHCP services. |
| DNS performance testing | Scripts that emulate UDP traffic for both DHCP and Syslog requests, together with the results of previous load testing. See also the video of the testing. |
| Shared Infrastructure CI/CD | Creates the shared infrastructure for the main account, named Shared Services. This account is used to host the CI/CD pipelines. |

| Link | Description |
| --- | --- |
| DNS admin portal | Admin Portal for managing staff device DNS forwarders and zone configuration. Please note that you need to be a member of the AzureAD groups MoJO-EntApp-DNSDHCP_Viewer and MoJO-EntApp-DNSDHCP_Editor to edit. |
| Monitoring and alerting guide | Lists the Grafana dashboards for the health of the products and the Slack channels in use for alerts. |
| NCSC Protective DNS Portal | Dashboard for Protective DNS. |
| Transit gateway | Connects the service to the wider MoJ networks as a virtual WAN. |
This page was last reviewed on 15 April 2024. It needs to be reviewed again on 15 October 2024 .