Off-infrastructure delegation of sub-domains

An off-infrastructure delegation exists where an NS record is created to delegate control of a sub-domain of nhs.uk to a DNS service outside of the HSCN DNS service. 

Where no technical alternative exists, it may still be necessary to create NS records to support off-infrastructure delegations these cases are expected to be rare.

Off-infrastructure delegations, and their child records are subject to NHS England Domain and Record Naming standards and guidance.

NHS England will review all existing off-infrastructure delegations and re-patriate those deemed to fail security, eligibility or naming tests.

The devolved administrations are automatically granted off-infrastructure delegations for sub-domains related to the devolved health services. For example, scot.nhs.uk.

All other requests will be subject to review, which will include evaluation of security implications, clinical safety, evidence of robust management processes and technical constraints.

Off-infrastructure delegations must be reviewed regularly, and removed immediately they are no longer required, or when the third-party provider stops responding to queries.

Unused off-infrastructure delegations will be removed without notice.

Off-infrastructure delegations present 5 primary ongoing security and clinical safety risks:

1. They can be hi-jacked by malign entities, who will then use the compromised resource to pretend to be an NHS provider.
2. They can be easily misconfigured and cause denial of service to the apex domain.
3. They place reliance on potentially unvetted third-parties for security, clinical safety and NHS brand-integrity. 
4. They can be easily misconfigured and permit anonymous remote download of the entire delegation. 
5. They prevent NHS England Cyber Security Operations Centre (CSOC) from detecting or reacting to security threats.

Evidence of continued mitigation of these risks will be required from the owning organisation.

Secondary off-infrastructure delegations are not permitted under any circumstances.

A secondary off-infrastructure delegation exists where a sub-domain is delegated off-infrastructure, and then a child of that sub-domain is further delegated elsewhere.

Secondary off-infrastructure delegations present 6 primary ongoing security and clinical safety risks:

1. They can be hi-jacked by malign entities, who will then use the compromised resource to pretend to be an NHS provider.
2. They can be easily misconfigured and cause denial of service to the apex domain.
3. They place reliance on potentially unvetted third-parties for security, clinical safety and NHS brand-integrity.
4. They can be easily misconfigured and permit anonymous remote download of the entire delegation.
5. They are virtually invisible to administrators of the apex domain.
6. They prevent NHS England Cyber Security Operations Centre (CSOC) from detecting or reacting to security threats.

The egress IP addresses (both IPv4 and IPv6) used by the HSCN DNS Resolver to resolve off-infrastructure delegations will change without notice, and will not be published. Operators of off-infrastructure delegations must not implement firewall rules that restrict lookup traffic by IP address.

The NHS England CSOC and DNS teams reserve the right to re-patriate any off-infrastructure delegation if it feels that the off-infrastructure delegation in question is contravening any of these policies, or poses a security or safety risk. For further advice and guidance, please contact [email protected].

NHS England provide resource to support, maintain and update a free DNS management service, for the benefit, security and safety of the whole NHS.