Do It Yourself DNS

A DNS appliance can help you effectively allocate your IT resources. Flexibility and security make BlueCat Networks' Adonis the one to admire.

March 31, 2003

15 Min Read
Network Computing logo

We graded each product on ease of setup, overall usability, error-checking capabilities and security features. The results: BlueCat's Adonis won our Editor's Choice award by a whisker. Its superior security and overall usability put it on top, though ApplianSys' DNSBox300 was hot on its heels.

Dishing Up DNS

Managing and maintaining DNS for any size shop can be a challenge. While small companies rely on their ISPs to provide DNS, most companies rely on internal resources running some variant of Unix or Microsoft. Let's face it: If your DNS goes down, you lose touch with the outside world, customers included.

Acknowledging the importance of healthy DNS configurations, the conventional approach requires someone with high-level administrative skills and understanding of your network's topology, so highly compensated individuals wind up devoting a large portion of their time to designing, setting up, maintaining and troubleshooting DNS. The approach works, but the consequence is that DNS often ends up being a large, hidden expense in the IT budget.

So here's our answer to the question of why you need a DNS appliance: All three of the products we tested help manage those hidden expenses by greatly reducing the effort required on the setup, care and feeding side of the equation, freeing up those big-dollar folks to focus on higher-level issues. The goal of these appliances is to make DNS easier to live with. And after extensive testing, we believe that, if your budget allows, these boxes are a worthwhile investment.All three products can scale and support large installations via additional appliances, up to the DNS limit of 13 name servers per zone. BlueCat and Infoblox offer high-availability (HA) installations; more money will get you additional boxes and better theoretical uptime. We played with the HA setup from Infoblox and liked what we saw. (Without having equipment on hand from BlueCat, we couldn't provide a comparison, and ApplianSys' HA solution is in development. HA on primary DNS is not a high priority, as most shops are running multiple secondary servers.)

Big hosting companies like UltraDNS have reason to be nervous. Although it may take a highly technical person to design a DNS architecture for a global company, these products mean big talent is no longer required to maintain DNS.

Each of our contestants lets an administrator control the appliance (reboot, shut down, hardware and software status, autoupdate of OS and security patches) via remote client software. Standard DNS configuration (time to live and refresh) modifications also are implemented from the client interfaces. All are DHCP- and Dynamic DNS-compatible, and Infobox's DNS One and ApplianSys' DNSBox300 can function as DHCP servers. Although we couldn't test Microsoft Active Directory compatibility in our Macintosh OS and Linux shop, each vendor offers extensive documentation for integrating with a Microsoft environment and can provide customer references for successful implementation in Windows environments.

DNS Appliance Features click to enlarge

Of course, if you're not using Active Directory in a disparate environment, setting up these appliances is simple. Once configured properly, all the units performed perfectly as primary DNS boxes both in our production environment and under test load. We experienced no outages or interruption of service with any of them. From a user's standpoint, our appliance testing was uneventful. To simulate heavy query volumes, we used the queryperf tool from ISC (available with BIND 9.2 sources, in the contrib folder) to pound the heck out of all three contenders. We ran our tests off a Red Hat Linux client and never stressed CPU or I/O loads above 40 percent. We couldn't quite generate the numbers promised by the vendors (Adonis claims 8,400 queries per second, or 725 million theoretical queries per day, for example), but we could consistently get between 2,000 and 6,000 queries per second on all three appliances using queryperf, for a simulated 172 million to 517 million queries per day.

Each product hosts DNS from a streamlined, hardened OS environment where any services or devices not used to provide name resolution have been stripped from the kernel. (For more on hardened Linux setups, see "Hardened Linux Puts Hackers EnGarde".) Compared with our network's Red Hat Linux box running a GUI tool like QuickDNS 4.x from Men&Mice, life is more convenient with any of these boxes and their autoupdate capabilities. Although we continue to be satisfied with the features and performance of QuickDNS, keeping up with fixes and security patches for the OS platform it rides on can be a bear. Each appliance provides secure DNS functionality in an easy-to-manage box that keeps itself up to date.Infoblox DNS One provides solid client-to-appliance communication via SSL, and ApplianSys DNSBox300 offers solid primary-to-secondary communication via TSIG (transfer signature). BlueCat Adonis does both. And thanks to blocked ports and hardened Linux setups, all three products offer much better security than BIND on a Unix or Windows Server right out of the box.This sturdy contender comes in a 1U rackmount chassis that boasts a clear, front-mounted LCD for status and basic configuration input. The efficient admin interface is a Java-based client that will install on Windows, Linux and Solaris. Adonis uses BIND 9, and, like all products tested for this review, it's backward-compatible with BIND 4 and BIND 8.

Out of the box, Adonis gave us the second-best time of the three appliances to get up and running (with one zone and answering queries). We loaded the Java client on a Windows NT desktop, and ran through the slick setup wizards to create a configuration floppy disk. We booted the Adonis box with the configuration floppy, then synched the client and appliance. Total setup time was about five minutes after racking.

The client-based configuration carries an additional benefit: the flexibility to blast away our first config and convert the Adonis from a primary DNS server to a secondary or caching server in less than five minutes. And for less experienced administrators, the initial configuration wizard offers snazzy graphics to explain the different types of DNS topologies (slave, master or DDNS, for instance) that are possible with the BlueCat equipment.

After converting our existing environment's BIND config files to match Unix-style "ti" line endings (we run a primarily Macintosh OS X shop), we could pull in our file (including named.conf) with no problems. We did miss the GUI import tools offered by the other contenders, as we scratched our heads reviewing obscure text-file-formatting issues.

BlueCat Networks Adonis click to enlarge

Although the Adonis requires you to install a client on your PC (the other devices use Web interfaces), its interface is both full-featured and simple to use. The client offers a Microsoft Explorer-like tree structure that we found easy to navigate. Adonis' update feature is easily configured from the client, allowing manual or automated pull-downs of BIND and OS security patches from BlueCat.Adonis truly shines with security. The ACL (access-control list) tools are excellent. Right from the initial installation, everything is secure--including adds/drops and communications between master and slave. Security is maintained via a 128-bit-encrypted SSL connection on Port 10042 between the appliance and client. The certificate keys are generated and installed via the configuration floppy. SSL certificates can only be shared with additional clients via configuration disks. Adonis offers an integrated firewall and keeps only two ports open--for DNS requests and SSL communications with the client.

The error-checking capabilities are impressive. The BlueCat box wowed us with the speed and thoroughness of its audit tools. It instantly reviewed our imported DNS configs and highlighted a couple of minor issues. We watched the tools run through an import file from a multithousand node network in less than five seconds, identifying a number of problems. The tools can check existing configuration files on the client and do a live data check of the environment.

Adonis does need some improvement in one area: Apple Macintosh compatibility. We'd like to see a Macintosh-compatible client. The importation of existing zones and configurations was simple with respect to text files and databases, but not being able to directly import a zone via transfer from existing DNS servers is disappointing, especially from such an impressively polished product. The other two appliances allow for direct import via zone transfer from existing servers, making administration easier.

Adonis, $9,995. BlueCat Networks, (905) 882-5691. www.bluecatnetworks.com

The DNSBox300 is the only product in our testing trio to use NIXU NameSurfer SE to manage DNS. NameSurfer has been around for about six years, with approximately 700 major customers worldwide, including Cox Communications, Nokia and Qwest Communications. The DNSBox300 is designed to be a primary DNS, using secondary or slave DNS boxes to front BIND 9 to the outside world (ApplianSys provided its own DNSBox100 for this purpose, but we also successfully tested with a Linux box as secondary.) NameSurfer retains compatibility with BIND 4 and BIND 8 as well. So while NIXU provides the full functionality of a primary DNS in the background, ApplianSys recommends that you run secondary name servers with traditional BIND to interface with the world.

In keeping with a "simple is better" design theme, the DNSBox300 uses CompactFlash memory rather than traditional hard disks, eliminating a common source of hardware failure. This is a nice touch. With twin CompactFlash slots, the OS and application reside on one LinuxROM card; user configuration and other data are on the second card for ease of update and additional security. From our point of view, no spinning parts equals fewer points of failure.The DNSBox300 requires a connection to a keyboard and monitor to set up network settings. We had some trouble when our config settings were lost, but after that the rest of the configuration was blazingly fast. Factoring out our initial mishap, setup time was less than five minutes, without pulling out the instructions.

The DNSBox300's browser interface is so clean and simple that it required no manual to use. However, the trade-off for that simplicity is an environment that offers fewer bells and whistles than DNS One or Adonis. And our biggest concern is the lack of SSL support for client access. Security is password-based, but it does not require a secure connection between client and appliance. All traffic, including configuration information, is sent in clear text.

ApplianSys DNSBox300 click to enlarge

Still, if speed and ease of use carry more weight than a long features list, this British appliance may be just your cup of tea. The interface, once configured properly, is responsive and provides easy navigation between administrative functions. The simplicity of the Web interface on DNSBox300 could be very appealing to smaller shops managing a limited number of zones.

DNSBox300, $9, 950. ApplianSys, 44 (0) 8454-505152. www.appliansys.comThe DNS One came in just behind the DNSBox300, primarily because of usability issues. When we first reviewed the venerable DNS One ("Building A Stable DNS, Block By Infoblox"), we were pleased with what we saw--and we are still impressed. Like the other offerings we tested, the Infoblox appliance is easy to set up and configure compared with a server-based DNS solution. DNS One also manages DNS via BIND 9, and provides backward compatibility with BIND 4 and BIND 8.

To establish its initial network configuration, the DNS One requires a connection with a provided serial cable to the small box. Front access ports eliminate the need to crawl around behind the racks. After digging up a PC to use as a terminal, we were up and running. This appliance requires a modern browser--anything capable of HTTPS and Java to access the client interface.We began the appliance's setup sans manual, and it took us a little while to get this box to answer queries. We had to configure the network portion before we could add any zones. But anyone following the setup guide should have no problem getting up and running. Total setup time was a bit less than 10 minutes. DNS One could use better setup wizards, but compared with traditional DNS solutions, its installation was a dream.

Infoblox DNS One click to enlarge

The client interface needs improvement. Usability is a problem: The browser-based client takes up a lot of screen, and the display is cluttered. It was difficult to view and manage large zones. A call to Infoblox's very good tech support helped us modify settings to get more information on our screen. They reduced the number of hosts pulled in by default to help the Java code perform faster. Despite this problem, the client did provide adequate wizards and tools for setting up initial configurations, importing existing DNS data, and setting up and calculating sub-networking structures. We did miss the extensive error-checking capabilities that Adonis offers. DNS One has simple system-reporting features, but it provides decent raw exports to play with and solid DNS query data.

Infoblox provides a clone feature to copy one appliance configuration to another. We tried this with the test appliances from Infoblox and it worked well. One minor note: The backup utility is a traditional PERL script. We'd like to see this moved to the GUI as in the DNSBox300.

All three appliances provide a standard autoupdate feature to check for and install patches and updates. Both Adonis and BlueCat allow automatic or manual updates, but ApplianSys requires an admin to kick off theirs. Our first attempt at updating locked the DNS One, forcing a hard restart. However, we were unable to repeat the lockup over our weeks of testing, and autoupdate worked fine after our initial mishap. We did not experience any difficulties with the other two appliances' update features.

Security for DNS One is password-based. The appliance relies on a secure HTTPS browser connection for configuration. All unused ports are unavailable, and all zone transfers are disabled by default. CERT (Computer Emergency Response Team) advisories are monitored by Infoblox, and the DNS One automatically pulls down patches from its site as they become available.The DNS One does the best job of the three of administering multiple user accounts (administrator, super users and users) with filtered views, which permit views of designated zones or networks based on role. DNS queries and access to the management interface can be restricted for zones or networks using access lists.

DNS One, $7,000. Infoblox, (847) 475-8500, Ext. 155. www.infoblox.com

Joe Hernick is an IT director with a Fortune 500 firm; he has 12 years of consulting and project management experience in data and telecom environments. Dean Ellerton, MS.Ed, is the director of technology for a private New England boarding school. Write to them at [email protected].

Post a comment or question on this story.

Executive Summary

DNS appliances offer advantages in ease of use and long-term cost savings when compared with server-based solutions. The appliances we tested all provide excellent functionality, serving up services while targeting an often hidden IT cost: The use of top IT staffers to design, set up and troubleshoot DNS. Migrating to a DNS appliance should allow these employees to allocate more time to business-focused concerns, instead of tinkering with the network.And by relying on autoupdate capabilities and hardened platforms, ongoing maintenance costs are further reduced, especially compared with Windows- or Unix-based DNS.

While each of the three DNS appliances we tested delivers on the promise of easy-to-manage DNS, we recommend BlueCat's Adonis for its security features, client interface and error-checking capabilities.





The ROI Adds Up

All three vendors supplied examples of return on investment, each showing a payback in four to 12 months. In every case, the cost of the appliance was offset by reducing setup and maintenance expenses compared with conventional setups. By our numbers, if you're looking at a $10,000 outlay, your DNS guru is bringing in $45 per hour, and you can save 222 hours in configuration and maintenance labor, you've paid for the appliance. However you calculate it, it should be easy to justify the expense.



How We Tested

Our existing production environment hosts more than 600 user nodes, with a mix of Linux, Microsoft Windows NT and Apple Macintosh OS X servers on the back end. All users have Internet access. Multiple externally accessible Web sites are hosted on Red Hat Linux and Mac OS X-based Apache servers. Our normal primary and secondary DNS servers are hosted on Red Hat Linux, running BIND 9.2 that we manage with a GUI (QuickDNS 4.x from Men&Mice). Our primary DNS resides behind our firewall; our secondary DNS lies outside.

Each appliance was installed behind our firewall one at a time over a six-week period. Our existing DNS configuration was imported, and the appliance was activated as primary. Each appliance then served two weeks in production as our domain's primary DNS. Each product took its turn as our main internal DNS server. During that period, the switch to any one of the three appliances was transparent to our users. Real DNS lookup times appeared anecdotally similar to, if not faster than, our end-user population. We performed multiple stress tests using the queryperf tool from ISC, while the appliances and Linux box were connected via a private 100-Mbps connection. The appliances were configured as primary and were not managing any production queries during stress testing.





Related Links

DNS Resources Directory

iCANN DNS Security Update

Men&Mice

NIXU NameSurfer,• Public DNS Service,

R E V I E W

DNS Appliances


Sorry,
your browser
is not Java
enabled




Welcome to

NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon

above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.

Click here for more information about our Interactive Report Card ®.



SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox
More Insights