Building a Dynamic DNS Server for Your Enterprise?
Biff98 asks: "We manage thousands of hostnames for field gear with DynDNS.org. It's always been our intention to configure our own DDNS server and bring it in-house. Given the recent DynDNS outage due to a DDOS attack, resulting in the inability to resolve names for multiple days, there has been 'encouragement' from management to move forward on bringing DDNS in-house. Here's the problem: I can't find any easy-to-use, scalable software to accomplish this task! BIND doesn't scale well, and I don't consider MintDNS an option due to the required platform (Windows Server w/ AD & IIS). Has anyone out there solved this problem before?"
Not an option? (Score:2, Informative)
Compare the total cost of using any software, including Windows-based software, with the cost of rolling your own.
Re: (Score:2)
If they've decided that they don't want Windows machines in their shop at all, it isn't very likely to be cost-effective to have one there.
Re: (Score:1)
So, you're saying you think it might be cheaper for a completely non-Windows shop to set up a Windows server solely to run their dynamic DNS and then hire someone who knows how to keep it running, rather than find a solution that runs on their current OS of choice?
He didn't say they were a non-Windows shop, though he did say that he wasn't considering MintDNS because it ran on Windows. His original statement read more like a matter of taste, to me.
All I'm saying is that they should compile estimates of actual costs, rather than simply assuming one option would be too expensive.
Re: (Score:2, Insightful)
Let's say I've had troubles with a couple of EMC boxes and haven't had much luck with their support. Would you criticize me for excluding EMC products from future storage purchases???
Re: (Score:2)
I suppose it's vaguely possible that they are trying to get rid of the Windows boxes, but that places them back in the category of 'non-Windows shop.'
The only other option I see is that it's his personal preference and not the company's. In that case, you are correct, he might be making a poor decision. I tend to assume people have a modicum of sense until they've proven otherwise, though.
Re: (Score:1)
Why would a shop with Windows boxes reject a piece of software on the basis that it runs on Windows?
Because they may not have a Windows Server license, or because they may not use Active Directory.
The only other option I see is that it's his personal preference and not the company's. In that case, you are correct, he might be making a poor decision. I tend to assume people have a modicum of sense until they've proven otherwise, though.
That's the possibility I was cautioning against. This being Slashdot, and considering the way the question was written, it seemed like an appropriate caution.
Re: (Score:2)
Don't forget to include the cost of getting escrowed access to the source code so that you're not totally screwed if they stop making MintDNS and it can't be made to run on the next version of Windows.
Honestly, F/OSS owns the network infrastructure category. I can see no reason whatsoever to use a proprietary solution when this is already a solved problem.
Re: (Score:1)
Re: (Score:1, Flamebait)
Re: (Score:2)
I would say both if you don't already have some MS Windows servers. Redundancy and licencing alone (a licence for the hot or cold spare in addition to the real server) makes it a hassle.
BIND does not scale??? (Score:5, Insightful)
Re: (Score:3, Insightful)
Bind9 on Debian etch with views takes all of 1.5 minutes to set up, and a sub-1GHz/512MB machine could easily serve the domain he's describing.
Dumb point on your sig. (Score:1, Offtopic)
Re: (Score:1)
I don't like to think of myself as a douchebag :-). I'm a BIND guy, I just am. I actually picked up the NEWEST edition of O'Reilly's "DNS & BIND" (5th edition now, just in case you were curious), and read about just how hard it is to maintain a LARGE number of dynamically updateable host records. You've got key-pairs for each record, and you've got no other way than port 53 to update records.
Roll my own, yeah I know, but remember, I'm not a developer and I'm currently using DynDNS.org which has HTT
Re: (Score:1)
BIND has been demonstrated to be inherently scalable. If the problem is that some DDNS piece doesn't scale, why not pay someone to fix that?
It'd be nice if you provided such a fix upstream, but it's BSD so you'd never be obligated to do so.
-Peter
Re: (Score:2)
Re: (Score:2)
Technically, even if it was GPL'd you'd never be legally obligated to provide the source (or a patch against it) unless you were distributing your modified version as a binary.
Re: (Score:1)
-Peter
Re: (Score:2)
Re: (Score:1)
-Peter
Re:BIND does not scale??? (Score:5, Interesting)
Dyndns is likely using Bind at the back end, but they've built another layer of security and management on top of it. Biff98 is looking for software that does the whole job out of the box.
Re:BIND does not scale??? (Score:5, Interesting)
BIND9 addresses this with update-policy [isc.org] which can map an individual TSIG key to a specific name (or subdomain or wildcard). You can say that "key 'laptop23.example.com.' can update an A record with the same name".
I won't disagree about the dynamic zone file ugliness. I usually put dynamic hosts in their own subdomain so that my main zone file can remain nicely human-friendly. For example, we'd use ".mobile.example.com" and put it in its own zone file. The file for ".example.com" will still be nice, and if every record in ".mobile.example.com" is dynamic, who cares if it's a machine-generated mess?
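As an added illustration of the two points above (per-host TSIG keys bound to their own names via update-policy, and parking dynamic hosts in their own subdomain), here is a small generator, written for this thread and not taken from the page or from ISC. It emits a named.conf zone fragment with one key statement and one "name" grant per host, plus the nsupdate batch a host would send. The zone "mobile.example.com.", the server name "ns1.example.com", the hostnames and the secrets are all constructed; the grant_allows helper models only the "name" rule type, to show that laptop23's key cannot touch sensor-001's record.

```python
import base64
import secrets

# Constructed sample input: the dynamic subdomain and some hosts in it.
ZONE = "mobile.example.com."          # assumed zone; dynamic hosts live here
HOSTS = ["laptop23", "sensor-001", "sensor-002"]
SERVER = "ns1.example.com"            # assumed master server name


def fqdn(host, zone=ZONE):
    return f"{host}.{zone}"


def new_tsig_secret(nbytes=32):
    """Random HMAC-SHA256 secret, base64-encoded as a BIND key statement expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def key_statement(name, secret, algorithm="hmac-sha256"):
    # One key per host; the key name is the host's own FQDN so policy can bind them.
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'


def update_policy(names, rrtypes=("A",)):
    # 'grant <identity> name <target> <types>': key <identity> may only
    # change records whose owner is exactly <target>.
    lines = ["    update-policy {"]
    for n in names:
        lines.append(f"        grant {n} name {n} {' '.join(rrtypes)};")
    lines.append("    };")
    return "\n".join(lines) + "\n"


def named_conf_fragment(hosts, zone=ZONE):
    """Return (named.conf text, {host: secret}) for a dynamic zone."""
    secrets_by_host = {h: new_tsig_secret() for h in hosts}
    names = [fqdn(h, zone) for h in hosts]
    out = "".join(key_statement(fqdn(h, zone), s) for h, s in secrets_by_host.items())
    out += f'zone "{zone.rstrip(".")}" {{\n    type master;\n'
    out += f'    file "dyn/{zone.rstrip(".")}.db";\n'   # assumed file path
    out += update_policy(names)
    out += "};\n"
    return out, secrets_by_host


def grant_allows(conf_text, keyname, target, rrtype):
    """Evaluate the generated 'name' grants: may key <keyname> update <target>/<rrtype>?"""
    for line in conf_text.splitlines():
        tok = line.strip().rstrip(";").split()
        if len(tok) >= 5 and tok[0] == "grant" and tok[2] == "name":
            if tok[1] == keyname and tok[3] == target and rrtype in tok[4:]:
                return True
    return False


def nsupdate_batch(host, secret, address, server=SERVER, ttl=300, zone=ZONE):
    """Batch file a host feeds to 'nsupdate' to replace its own A record."""
    name = fqdn(host, zone)
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"key hmac-sha256:{name} {secret}",
        f"update delete {name} A",
        f"update add {name} {ttl} A {address}",
        "send",
    ]) + "\n"


if __name__ == "__main__":
    conf, keys = named_conf_fragment(HOSTS)
    print(conf)
    print(nsupdate_batch("laptop23", keys["laptop23"], "192.0.2.10"))
```

The generated fragment is what goes into named.conf; each host only ever sees its own secret and the batch for its own name, and the main example.com zone file is never touched.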
Re: (Score:2)
PowerDNS (Score:3, Informative)
It has an authoritative component and a recursive one; both work extremely well and are in use by some big companies, as well as the Wikipedia and the
As for flexibility: PowerDNS uses backends to retrieve its zone data, so you can use one that's already available (MySQL, BIND zone files, SQLite, ODBC, etc.) or write one yourself.
Oh, and it's open source.
Re: (Score:2, Informative)
A better place to point slashdot people to is http://doc.powerdns.com/ [powerdns.com]
the shiny official site does not provide all the geeky information that we hunger for.
Re: (Score:2)
BIND doesn't scale well (Score:5, Funny)
PowerDNS (Score:4, Informative)
I used it when I was running an ISP a few years ago. Used a replicated MySQL backend behind three authoritative servers. Also used dnscache for recursors in front of all the customers.
All your zone data is stored in DB tables, so it's easy to hack together a frontend, or integrate with CRM or whatever. I wish Rails had existed back then for all the CRUD that I wrote by hand.
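To show what "hack together a frontend" over a SQL-backed zone looks like in practice, here is an added example written for this thread, not code from PowerDNS or from the poster. It keeps the zone in tables named like the PowerDNS generic SQL backends (domains, records) but declares only the columns it uses, adds its own assumed host_tokens table for per-host update credentials, and applies an authenticated A-record change with a SOA serial bump. SQLite stands in for the replicated MySQL; every value reaching SQL is a bound parameter, which is the part a web frontend must get right.

```python
import hmac
import ipaddress
import sqlite3
import time

# Constructed subset of the PowerDNS generic-SQL layout plus our own token table.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL, name TEXT,
                      type TEXT, content TEXT, ttl INTEGER, change_date INTEGER);
CREATE TABLE host_tokens (name TEXT PRIMARY KEY, token TEXT NOT NULL);
"""

SOA = "ns1.example.com hostmaster.example.com 2024010100 3600 900 604800 300"


def open_db():
    """In-memory zone with one dynamic host (all sample data is constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO domains (id, name, type) VALUES (1, 'mobile.example.com', 'NATIVE')")
    conn.execute("INSERT INTO records (domain_id, name, type, content, ttl, change_date) "
                 "VALUES (1, 'mobile.example.com', 'SOA', ?, 3600, 0)", (SOA,))
    conn.execute("INSERT INTO records (domain_id, name, type, content, ttl, change_date) "
                 "VALUES (1, 'laptop23.mobile.example.com', 'A', '192.0.2.10', 300, 0)")
    conn.execute("INSERT INTO host_tokens (name, token) "
                 "VALUES ('laptop23.mobile.example.com', 'constructed-token-laptop23')")
    conn.commit()
    return conn


def lookup_a(conn, name):
    row = conn.execute("SELECT content FROM records WHERE name=? AND type='A'", (name,)).fetchone()
    return row[0] if row else None


def bump_soa_serial(conn, domain_id, now):
    """Increment the serial inside the SOA content so secondaries pick up the change."""
    rid, content = conn.execute(
        "SELECT id, content FROM records WHERE domain_id=? AND type='SOA'", (domain_id,)).fetchone()
    fields = content.split()
    fields[2] = str(int(fields[2]) + 1)
    conn.execute("UPDATE records SET content=?, change_date=? WHERE id=?",
                 (" ".join(fields), now, rid))
    return int(fields[2])


def apply_update(conn, name, token, address):
    """Authenticated dynamic update of one host's A record.

    Returns the new SOA serial, or None when the address was already current.
    Raises PermissionError on a bad name/token and ValueError on a bad address.
    """
    row = conn.execute("SELECT token FROM host_tokens WHERE name=?", (name,)).fetchone()
    # Constant-time compare; an unknown host fails the same way as a wrong token.
    if row is None or not hmac.compare_digest(row[0], token):
        raise PermissionError("update rejected for %s" % name)
    if ipaddress.ip_address(address).version != 4:   # A record: IPv4 only
        raise ValueError("not an IPv4 address")
    rec = conn.execute("SELECT id, domain_id, content FROM records WHERE name=? AND type='A'",
                       (name,)).fetchone()
    if rec is None:
        raise LookupError("no A record for %s" % name)
    if rec[2] == address:
        return None                                  # nothing to do, keep the serial
    now = int(time.time())
    conn.execute("UPDATE records SET content=?, change_date=? WHERE id=?", (address, now, rec[0]))
    serial = bump_soa_serial(conn, rec[1], now)
    conn.commit()
    return serial


if __name__ == "__main__":
    db = open_db()
    print(lookup_a(db, "laptop23.mobile.example.com"))
    print(apply_update(db, "laptop23.mobile.example.com", "constructed-token-laptop23", "198.51.100.7"))
    print(lookup_a(db, "laptop23.mobile.example.com"))
```

An HTTP frontend for field gear that cannot run nsupdate would do nothing more than map a request to one apply_update call; the token check and the parameterised statements are what keep that frontend from becoming a way to rewrite arbitrary records.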
Re: (Score:2)
[snip Rube Goldberg replacement for RFC standards]
There's a reason people hate DJBDNS. Instead of just implementing the mechanism that everyone else in the entire world uses, Dan wanted to be Dan so he wrote an incompatible mess and called it "good". Of course DJBDNS has a decent security record - it doesn't actually do anything. I'd wager large amounts of money that more systems have been compromis
Re: (Score:1)
I would take that with a very large grain of salt
Re: (Score:3, Interesting)
No, I really don't have to. Since he's never actually released a program that supports more than 10% of the functionality of what it claims to replace, we have no idea whether he's capable of designing a large, secure system.
My BIND-based dynamic DNS depends on BIND not having a hole in the code that looks at the authentication key used to decide which records it can update.
Re: (Score:1)
You're not listening are you? I'm saying that the software DJB writes is very, very well written and very secure. Period. I'm not claiming anything abo
Re: (Score:1)
Re: (Score:2, Interesting)
For us rational people, places like osvdb.org exist.
This doesn't even take into account the fact that 12 different patches with at least 2 or more of them being mutually exclusive are needed to make his software work. Indeed, these 12 patches are one offs usually written by one or two
Re: (Score:1)
I don't have time for this nonsense. Do a search on osvdb.org for tinydns. Do one for djbdns. Any hits?
It tells me there are no results. What is your point, exactly? Who's the rational person here - you for claiming mythical sec
Re: (Score:2)
I was covering all DJB's software, not just $somethingdns. Just because it's written by djb, doesn't mean it's secure.
DJBDNS: Not having functionality is the *point* (Score:2)
But one of the main *points* of building a system like that, (other than expressing one's personal crabbiness about the rest of the world :-) is that by building components with limited functionality and using pre-existing standard tools to do the things that pre-existing standard tools already do well, you can restrict the security exposure of your new components, and can design them to use only the privileges and powers
Re: (Score:3, Informative)
I've used djbdns for 2 years serving 4000+ internet domains, caching nameservers on LANs, and all that fun stuff that makes DNS so "interesting". Tinydns is a great piece of software if you know what you're doing, but for someone with little o
Re: (Score:1, Informative)
Not quite. I don't give out shell accounts: clients -- in this case, run by me -- connect to one shell account and authenticate by public key. I trust SSH's ability to authenticate a remote user far more than I do BIND's. The incoming connections don't get to run shell scripts; the .ssh/authorized_keys looks
Re: (Score:1)
-> http://www.microsoft.com/technet/network/p2p/pnrp
This might prove a viable way to establish a decentralized DNS in the future. Version 2 of the protocol ships with Vista.
Makes me wonder what Apple will come up with next in that field.
Re:put it differently ... zeroconf (Score:2)
How about Zeroconf (Bonjour)?
You can already use Zeroconf to replace DNS, DHCP, SMB (NMB) and UPnP, among other things. It's a broadcast discovery and configuration service. Now of course broadcast does not directly run across router links/subnets unless you make it so (on the other hand, any chatty P2P can be routinely blocked by admins).
Zeroconf is not an Apple-only solution.. lots of the tier-one printer companies and consum
Re: (Score:1)
That's why I wonder how Apple will respond to it, and if we might be on the verge of a whole new personal computing era where you can contribute parts of your laptop's computing power to the local supercomputing cluster grid.
Btw. avahid
Raving Fanatism (Score:1)
Does tinyDNS scale? (Score:2, Informative)
"TinyDYN
In a nutshell, TinyDYN consists of a set of scripts that allow you to run your own dynamic DNS services (similar to dyndns.org) on your own network. The services use strong authentication via GnuPG, and are designed to work with djbdns's tinydns for name service."
http://www.technocage.com/~caskey/tinydyn/ [technocage.com]
Talk to DynDNS (Score:2, Insightful)
Consider an Appliance! (Score:3, Interesting)
I have several colleagues that have InfoBlox appliances in production and love the devices. I believe that they do a 30-day free eval. Their units are reasonably priced and very feature-full. Pre-sales engineering is pretty good too, from what I've been told.
Re: (Score:2)
DNS.net's "Name Server Software: Unix" page (Score:2)
Building a Dynamic DNS Server for Your Enterprise? (Score:1, Informative)
MaraDNS (Score:2, Informative)
The zone syntax and config file structure is worlds ahead of BIND and actually makes setting up DNS fun (no, I'm not kidding. Well-written software is always a pleasure to use).
Roll your own (Score:2)
Re: (Score:1)
We use HTTP for dynamic updates now (courtesy of DynDNS.org) and a large percentage of the gear we have in the field (attached to scientific equipment) is embedded equipment that is unable to run "nsupdate" or other types of executables. We're limited to the web GUI presented to us. I really regret not explicitly stating that in my submission to Slashdot.
As far as BIND "not being scalable", I meant that in the context of DDNS only. BIND requires a key-pair for each dynamically updatable host record.
Multi-day outage? (Score:1)
Re: (Score:1)
How many hosts do you manage in your zone? Like I said we're in the "thousands". DynDNS.org might have offlined the biggest users of the service in favor of keeping the much larger number of "smaller" users online. Believe me, they were offline for at least 2 days from our perspective, and I got to speak with their phone support guys a LOT. It didn't help they didn't have an ETA for when threats and outages would be mitigated. -Steve
GnuDIP (Score:2)
Write your own! (Score:1)