Records with an off-infrastructure target

A record with an off-infrastructure target exists where a records’ resource record data (RData) points to a target that is hosted on a DNS service outside of the HSCN DNS Service. These are typically CNAME, MX, SRV and PTR, although other record types could also include a target component (such as CAA, DNAME, DS, URI and TXT).

At the time of writing, thousands of records with off-infrastructure targets have been identified as compromised, investigated and removed.

Records with off-infrastructure targets are subject to NHS England Domain and Record Naming standards and guidance.

The devolved administrations are automatically granted requests for records with off-infrastructure targets within sub-domains related to the devolved health services.

Requests for records with off-infrastructure targets will be subject to review, which will include evaluation of security implications, clinical safety, evidence of robust management processes and technical constraints.

Records with off-infrastructure targets will not be permitted in the apex domains.

Records with off-infrastructure targets must be reviewed regularly, and removed immediately they are no longer required, or when the third-party provider stops responding to queries.

Unused records with off-infrastructure targets will be removed without notice.

Records that direct traffic elsewhere present 4 primary ongoing security and clinical safety risks when those targets are off-infrastructure:

1. They can be hi-jacked by malign entities, who will then use the compromised resource to pretend to be an NHS provider. 
2. They can be easily misconfigured and cause denial of service to the apex domain.
3. They place reliance on potentially unvetted third-parties for security, clinical safety and NHS brand-integrity.
4. They prevent NHS England Cyber Security Operations Centre (CSOC) from detecting or reacting to security threats.

Evidence of continued mitigation of these risks will be required from the owning organisation.

The following standards apply:

1. Off-infrastructure targets should be avoided wherever possible.
2. Where used, it is the owning organisation’s responsibility to ensure that off-infrastructure targets do not become orphaned, or taken-over by unauthorised entities.
3. Organisations using off-infrastructure targets (such as to contract content supply to a third party) are responsible for requesting the removal of off-infrastructure targets when the service is no longer being supplied.
4. Organisations using off-infrastructure targets are responsible for ensuring that supplier comply with NHS England security policies.
5. Off-infrastructure targets will be monitored and targets at apparent risk of take-over will be automatically deleted without notice.
6. Evidence of continued adherence to these standards will be required from the owning organisation.

Secondary off-infrastructure targets (such as where the target record is itself a pointer hosted elsewhere) are not permitted under any circumstances.

The NHS England DNS team reserves the right to remove any record on the nhs.uk Nameservers with an off-infrastructure target if it feels that the record in question is contravening any of our standards, or poses a security or safety risk. For further advice and guidance, please contact [email protected].