DNS Server Appliances
Preassembled servers that feature preinstalled DNS software
February 23, 2004
Network appliances—hardware devices with preinstalled software that you can bring into service with little or no configuration—have been around for years. Network appliances offer several advantages, including low cost, ease of use, and high reliability. Because they arrive completely assembled and with software preinstalled, the time and cost to get them running is reduced. Simplified UIs for configuration and administration often reduce the levels of technical skill required for successful implementation. And because appliances are designed to perform one function well, they are often more reliable than general-purpose servers that are dedicated to the same function.
Like network appliances, DNS server appliances have been around for several years, and they appeal to users for the same reasons. From a user perspective, DNS services are a hidden function, just a part of the technical infrastructure. Yet, reliable DNS services are as crucial to successful network applications as the electric power that runs the network. When name resolution fails, client-to-server communication fails and work stops.
Administrators who use Windows Server 2003's or Windows 2000 Server's DNS Service might want to understand how DNS server appliances compare with general-purpose servers running the Windows DNS Service. The articles Inside Out, "Windows Server 2003 DNS," October 2003, http://www.winnetmag.com, InstantDoc ID 40049, and Inside Out, "Solving DNS Problems," September 2003, InstantDoc ID 39771, offer an excellent description of Windows 2003's DNS Service.
Two key capabilities in a Windows DNS Service server are support for stub zones and conditional forwarders. Stub zone servers store only the Start of Authority (SOA) and Name Server (NS) records for a domain (i.e., a zone). When you configure a client to use a DNS Service server that has the domain configured as a stub zone, that server can't respond directly to name-resolution requests for hosts in the zone. Instead, the stub zone server forwards the request to one of the DNS Service servers it knows is authoritative for the zone. You can let Active Directory (AD) replicate a list of authoritative servers to a stub zone server, or you can manually configure each stub zone server with a list of authoritative DNS Service servers. Zones with conditional forwarders are similar to stub zones, except that you must configure each zone's conditional forwarder with a list of DNS Service servers that are authoritative for the zone—automatic replication of this information from AD isn't an option.
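The same two zone types in BIND 9 named.conf syntax, which most of the appliances reviewed below run; this is an added illustration, not configuration from the article or from any vendor, and the server addresses are assumed values from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.

```conf
// Stub zone: the server keeps only the name-server records for
// corp.example.com (the SOA and NS set described above) and refreshes them
// from the listed authoritative servers. Queries for hosts in the zone are
// then sent to whichever of those authoritative servers the NS set names.
zone "corp.example.com" {
    type stub;
    masters { 192.0.2.10; 192.0.2.11; };   // authoritative servers (assumed addresses)
    file "stub/corp.example.com";          // local copy of the NS/SOA set
};

// Conditional forwarder: every query under partner.example is relayed to the
// configured forwarders; nothing about the zone is learned or stored locally,
// so the forwarder list must be maintained by hand, as the text notes.
// "forward only" stops the server from falling back to ordinary recursion
// when the forwarders do not answer.
zone "partner.example" {
    type forward;
    forward only;
    forwarders { 198.51.100.53; };         // assumed address of the partner's resolver
};
```

The Windows DNS Service exposes both configurations through its management console rather than a text file, but the behaviour (stub: learn the authoritative servers and ask them; forwarder: hand the query to a fixed list) is the same.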
You're likely to find some key differences between Windows DNS Service servers and non-Windows DNS server appliances in the areas of AD integration and security. For example, some non-Windows DNS server appliances lack complete AD integration features. Conversely, Windows DNS Service servers don't support encrypted zone transfer and update features as some non-Windows DNS server appliances do. Let's look at DNS server appliances from the top DNS server appliance vendors: ApplianSys, BlueCat Networks, BorderWare Technologies, Incognito Software, Infoblox, Offmyserver, and Threshold Networks.
ApplianSys's DNSBOX Series
ApplianSys produces three DNS server appliances: DNSBOX300, DNSBOX050, and DNSBOX100. DNSBOX300 and DNSBOX050 run Nixu NameSurfer Suite, software for DNS and IP address management. The DNSBOX100 is a slave-only BIND-based DNS server appliance that can act as a secondary DNS server to any standards-based master DNS server. When you pair DNSBOX100 with DNSBOX300, zone transfers and updates occur through a secure VPN tunnel for a higher level of security than that offered by BIND 9's Transaction Signature (TSIG) facility.
ApplianSys's three appliances run under a hardened version of Linux. Compared with the other appliances I discuss in this article, the DNSBOX appliances are unique in that they boot and run from a pair of CompactFlash (CF) cards rather than a disk drive, which eliminates a moving part that can often become the source of a system failure. DNSBOX300 has a 1U (1.75") rack-mountable chassis with a 1GHz Pentium III processor, 512MB of RAM, and a 10Mbps/100Mbps Ethernet port. DNSBOX050 uses a 1.4GHz Celeron processor with 512MB of PC133 DRAM, whereas DNSBOX100 uses a 1.7GHz Celeron processor with 512MB of PC2100 Double Data Rate (DDR) memory.
DNSBOX050 has a DNS feature set similar to that of DNSBOX300 but is designed for smaller networks. All the appliances feature AD integration, which includes support for Internet Engineering Task Force (IETF) Request for Comments (RFC) 2782 SRV records. Both master servers include a DHCP server, integrated dynamic DNS (DDNS) host registration, and data validity and consistency checking to find syntax errors, logical errors, and duplicate names and IP addresses. A built-in firewall reduces exposure to unwanted access.
To configure and manage the appliances, you use a Web-based interface, which features Secure Sockets Layer (SSL) secured communication, supports an audit trail of changes, and provides unlimited undo/redo functionality. The appliances support distributed administration. The primary administrator can create multiple administrative-user IDs, granting each ID the right to manage only specific domains. You can also configure the appliances to perform automated updates to BIND and the Linux OS, further reducing the administrative workload.
DNSBOX300 with a 1U rack mount costs $10,950, whereas DNSBOX100 with a 1U rack mount costs $2950. The DNSBOX050 minicube desktop unit costs $4250.
BlueCat's Adonis and BorderWare's NameVault
BlueCat offers the Adonis DNS Management Server, a DNS-only server (without DHCP or WINS) running BIND 9 software. The software runs under a hardened version of the Linux kernel. In a standard configuration, only port 53 (DNS) and the port that the management interface uses are open.
To configure and manage the appliance, you use the Adonis Management Console, a Java-based GUI that runs on any platform supporting Java 1.3. To secure server-management functions, the management console uses certificate-based user authentication and 128-bit SSL communication between the client and server. The management console's ease-of-use features include 100 levels of undo/redo functionality and wizards that support initial setup and conversion from other DNS platforms.
Adonis's security features include support for BIND 9 encrypted zone transfers and TSIGs to authenticate zone transfers and other DNS updates. Data-validation tools check for logical errors in DNS configurations and ensure complete and accurate synchronization and replication with slave servers. You can configure the appliance to require authenticated access by using digital certificates on both the client and server side. You can also configure an integrated firewall that's designed to reject any network traffic not related to DNS or the Adonis Management Console.
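The TSIG-authenticated zone transfer that the DNSBOX pair (above) bypasses with a VPN tunnel and that Adonis supports natively, written out in BIND 9 named.conf form for both ends; this is an added example, not vendor configuration. The addresses are assumed documentation-range values and the key secret is a constructed placeholder.

```conf
// --- primary (master) server, assumed address 192.0.2.1 ---
// The secret below is a constructed placeholder (base64 of "secret-placeholder").
// Generate a real one with: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key
// and keep this file readable only by the account named runs as.
key "xfer-key" {
    algorithm hmac-sha256;   // BIND 9 releases of the article's era support only hmac-md5
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key xfer-key; };   // unsigned AXFR/IXFR requests are refused
    also-notify { 192.0.2.2; };         // tell the secondary when the zone changes
    // The same key-based ACL applies to dynamic (DDNS) updates:
    // allow-update { key xfer-key; };
};

// --- secondary (slave) server, assumed address 192.0.2.2 ---
key "xfer-key" {                        // same name and secret on both sides
    algorithm hmac-sha256;
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";
};

server 192.0.2.1 {
    keys { xfer-key; };                 // sign every request sent to the primary
};

zone "example.com" {
    type slave;
    file "sec/db.example.com";
    masters { 192.0.2.1; };
};
```

TSIG authenticates the transfer and protects its integrity but does not encrypt it, which is the gap the VPN tunnel described for the DNSBOX pair closes.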
Adonis supports DDNS and caching server configurations. The appliance includes AD integration, with support for SRV records per RFC 2782 and support for configurations that include an AD master. When you use two units, Adonis supports automatic failover.
Adonis has a 1U rack-mountable chassis that houses a 2.6GHz Pentium 4-based motherboard, 512MB of RAM, a 40GB disk drive, and a 10Mbps/100Mbps Ethernet port. BlueCat reports that the server can handle more than 20,000 queries per second and can support networks of as many as 100,000 IP addresses. The Adonis lists for $9995.
BorderWare has added BlueCat's DNS service appliance to its product line, marketing it as the NameVault DNS Appliance. Unlike BlueCat, BorderWare is bundling a 1-year service agreement with the purchase of NameVault DNS Appliance, pricing the package at $12,000.
Incognito's MSA Series
Incognito's MSA 300 and MSA 800 DNS server appliances use Cubix's three-blade and eight-blade servers, respectively, preconfigured with Incognito's DNS Commander software or IP Commander software (a companion DHCP server product) running under either Red Hat Linux or Win2K Professional. For example, a typical three-blade configuration might consist of one blade running DNS Commander under Red Hat Linux, one blade running DNS Commander under Win2K Pro, and one blade running IP Commander under either OS. (If you're unfamiliar with blade servers, see "Blade Servers," July 2003, http://www.winnetmag.com, InstantDoc ID 39181.)
Unlike some DNS server appliances, DNS Commander isn't based on the open-source software (OSS) BIND, although it's RFC-compliant at a BIND 9 level. DNS Commander is based on Incognito's proprietary implementation of DNS-related RFCs. Incognito touts its proprietary implementation as more secure (because the source code isn't publicly available) and more stable (because the company subjects its products to prerelease testing).
DNS Commander doesn't include AD support. However, the software supports stub zones as well as caching and conditional forwarding configurations. Other features of interest to Windows administrators include a WINS lookup feature and support for DDNS updates from DHCP servers and Win2K clients. Features of interest to Web administrators of multiple domains include the ability to disable domains and resource records. You can configure DNS in advance of system implementation and turn off name resolution for a domain without having to delete the information from DNS.
Incognito provides three ways to manage DNS Commander. A Win32-based application lets administrators configure and manage both Red Hat Linux–based and Windows-based configurations. You can use a Web interface when the blade is also running Microsoft IIS (under Windows) or Apache (under Red Hat Linux). A command-line interface lets you perform common administrative functions.
DNS Commander's price depends on the number of blades and the number of A (i.e., address) records the system will manage. A typical MSA 300–based configuration with two 1GHz Pentium III DNS Commander blades (one Red Hat Linux and one Win2K Pro) with licensing for 1000 A records costs about $7350. Incognito no longer actively markets MSA 300 and MSA 800 on its Web site, but you can contact the company for more information about these appliances.
Infoblox's DNS One
Infoblox describes DNS One, a product of the company founder's research into distributed database technology, as the next phase in distributed computing. You can use DNS One as a caching server and as a conditional forwarding server for zones and networks. Infoblox plans to add support for stub zones in 2004.
DNS One integrates a standards-based DHCP server with the latest stable release of BIND 9. Integration of DHCP with DNS services lets DNS One support dynamic registration of DHCP clients into DNS, regardless of the client OS support for DDNS. The DHCP server supports networks that use variable-length subnet masks (VLSMs) and Classless Inter-Domain Routing (CIDR) addressing. Support for DHCP Relay and BOOTP lets DNS One provide DHCP services for enterprisewide multivendor networks.
Like most of the other appliances in this article, DNS One runs under a simplified hardened version of Linux. Only a few TCP/IP ports are open on DNS One, and these ports are configurable. Port 53 (DNS) and port 443 (SSL) are open; optionally, you can open port 66 or port 67 (DHCP) or port 15300 (scripting API). According to Infoblox, you can use DNS One for networks that contain as many as 100,000 IP addresses. DNS One's AD support lets it act as a high-performance secondary DNS server for AD-based zones. Infoblox designed DNS One for mixed environments, including networks with mixed-OS clients, Voice over IP (VoIP) clients, and other gateways.
To configure and manage DNS One, you use a Java-based GUI. An integrated SSL-supporting Web server implements this GUI. Support for granular, role-based administration lets the primary administrator delegate administration responsibility to other administrators, limiting their management access to specific zones and management functions. DNS One includes SNMP support, which enables integration with third-party network management products. A one-button update feature lets you apply software and security updates with little effort. Using an API, which is accessible through Perl, you can automate common administrative tasks. DNS One's Phone Home feature notifies you when hardware and software problems arise.
When you link two units, DNS One supports automatic failover. Working in active/passive failover mode, DNS One reassigns the server's media access control (MAC) and IP addresses to the passive server at failover. DNS One costs $12,000.
Offmyserver's DNSdevil
Offmyserver, a new player in the DNS server appliance market, plans to make DNSdevil available in second quarter 2004. Unlike the other appliances I cover in this article, DNSdevil uses a custom-configured FreeBSD kernel. The system uses a Pentium 4 processor with 1GB of DDR RAM, a 40GB disk drive, and four Intel 100Mbps Ethernet controllers.
DNSdevil also implements BIND 9, with AD support and support for DDNS registration. You'll be able to configure DNSdevil through an SSL-secured Web interface and access the system through a Secure Shell (SSH) when necessary.
DNSdevil supports default zone settings, which simplifies the process of creating new zones. The appliance even supports bulk creations.
DNSdevil offers many tools. For example, a DNS query tool will let you compare the results of a query against the local server with the results of the same query against other DNS servers on the Internet, which demonstrates that the domain name and local server are both properly configured for public use. Other tools simplify zone management by auditing resource records.
DNSdevil will cost $5,500. Offmyserver will provide security updates and other patches for free, with additional levels of support available for a fee.
Threshold Networks' Razzo IP Series
Threshold Networks offers Razzo IP E-1000 and Razzo IP C-2500. These DNS server appliances differ from each other primarily in the level of fault tolerance of the underlying hardware platform. Razzo IP E-1000 has a 2GHz Celeron processor, 1GB of RAM, an 80GB IDE disk drive, and dual 100Mbps Ethernet controllers. Razzo IP C-2500 includes two 2.4GHz Xeon processors, 2GB of RAM, and mirrored 36GB Ultra 160 SCSI disk drives, with dual Gigabit Ethernet controllers, hot-swappable hard disks, and redundant hot-swappable power supplies.
Razzo IP implements BIND 9 and the Internet Software Consortium's (ISC's) implementation of DHCP 3.0. The appliance stores DNS and DHCP information in a SQL-style database, with support for a one-step backup-and-restore operation as well as the ability to roll back some kinds of administrative updates. The integration of DNS and DHCP functions lets Razzo IP's DDNS features automatically add or remove DNS host information for DHCP clients as those clients' leases are granted and expired.
Razzo IP's integrated WINS server manages name resolution for WINS clients. A built-in firewall protects Razzo IP from Denial of Service (DoS) attacks and lets you control which IP and TCP ports are open. Razzo IP runs under a customized hardened Linux kernel for additional system stability and security. AD support lets you import and export SRV records between Razzo IP and AD-based DNS zones.
You can use a Win32 management application or a Java-based Web GUI to configure and manage Razzo IP. Software updates for Razzo IP are available on CD-ROM, or you can download them from Threshold Networks' Web site. SNMP support lets SNMP-based network-management systems receive Razzo IP system performance information. Host discovery features let you compare discovered network addresses to the list of hosts maintained in the Razzo IP database; a wizard helps you add discovered hosts when appropriate. Another feature lets you convert DHCP clients so that those clients can use static IP addresses.
Both Razzo IP E-1000 and Razzo IP C-2500 support hardware failover to a second, standby appliance. Razzo IP C-2500 costs $4995, which includes unlimited host licenses. Razzo IP E-1000 costs $2995, which includes 10,000 host licenses.
A Viable Alternative
Each of the DNS server appliances I described here has a unique set of strengths. An appliance that features a standard BIND implementation in a low-maintenance package (e.g., Adonis, DNS One, DNSdevil, Razzo IP) might appeal to some administrators, whereas an appliance that features a proprietary source-code implementation (e.g., MSA 300, DNSBOX300) might appeal to other administrators. Some administrators might need a highly secure, high-performance DNS server appliance to use with their public network (e.g., Adonis, DNS One), whereas other administrators might need a DNS server appliance for use in a small, private network (e.g., DNSBOX050). No matter what your needs might be, DNS server appliances offer a low-cost, high-reliability alternative to running Windows' DNS Service on general-purpose servers.
Contact the Vendors
Adonis DNS Management Server: BlueCat Networks, 905-882-5691, http://www.bluecatnetworks.com
DNS One: Infoblox, 408-716-4388 or 888-463-6259, http://www.infoblox.com
DNSBOX300, DNSBOX050, DNSBOX100: ApplianSys, (44) (0) 8454-50-51-52, http://www.appliansys.com
DNSdevil: Offmyserver, 408-943-4100, http://www.offmyserver.com
MSA 300, MSA 800: Incognito Software, 604-688-4332 or 800-877-1856, http://www.incognito.com
NameVault DNS Appliance: BorderWare Technologies, 905-804-1855 or 877-814-7900, http://www.borderware.com
Razzo IP E-1000, Razzo IP C-2500: Threshold Networks, 661-398-6141 or 877-413-8012, http://www.thresholdnetworks.com