Building a Dynamic DNS Server for Your Enterprise? 67

Biff98 asks: "We manage thousands of hostnames for field gear with DynDNS.org. It's always been our intention to configure our own DDNS server and bring it in-house. Given the recent DynDNS outage due to a DDoS attack, resulting in the inability to resolve names for multiple days, there has been 'encouragement' from management to move forward on bringing DDNS in-house. Here's the problem: I can't find any easy-to-use, scalable software to accomplish this task! BIND doesn't scale well, and I don't consider MintDNS an option due to the required platform (Windows Server w/ AD & IIS). Has anyone out there solved this problem before?"
  • Not an option? (Score:2, Informative)

    I'm sorry, but are you discounting MintDNS because it's a Windows application, or because it would cost too much to implement? Only one of those two choices is fiscally responsible...

    Compare the total cost of using any software, including Windows-based software, with the cost of rolling your own.
    • by Aladrin ( 926209 )
      So, you're saying you think it might be cheaper for a completely non-Windows shop to set up a Windows server solely to run their dynamic DNS and then hire someone that knows how to keep it running rather than find a solution that runs on their current OS of choice?

      If they've decided that they don't want Windows machines in their shop at all, it isn't very likely to be cost-effective to have one there.
      • So, you're saying you think it might be cheaper for a completely non-Windows shop to set up a Windows server solely to run their dynamic DNS and then hire someone that knows how to keep it running rather than find a solution that runs on their current OS of choice?

        He didn't say they were a non-Windows shop, though he did say that he wasn't considering MintDNS because it ran on Windows. His original statement read more like a matter of taste, to me.

        All I'm saying is that they should compile estimates of actual costs, rather than simply assuming one option would be too expensive.

        • Re: (Score:2, Insightful)

          by Hack'n'Slash ( 3463 )
          There's nothing wrong with allowing one's previous experience to influence current decisions.
           
          Let's say I've had troubles with a couple of EMC boxes and haven't had much luck with their support. Would you criticize me for excluding EMC products from future storage purchases???
        • by Aladrin ( 926209 )
          Why would a shop with Windows boxes reject a piece of software on the basis that it runs on Windows?

          I suppose it's vaguely possible that they are trying to get rid of the Windows boxes, but that places them back in the category of 'non-Windows shop.'

          The only other option I see is that it's his personal preference and not the company's. In that case, you are correct, he might be making a poor decision. I tend to assume people have a modicum of sense until they've proven otherwise, though.
          • Why would a shop with Windows boxes reject a piece of software on the basis that it runs on Windows?

            Because they may not have a Windows Server license, or because they may not use Active Directory.

            The only other option I see is that it's his personal preference and not the company's. In that case, you are correct, he might be making a poor decision. I tend to assume people have a modicum of sense until they've proven otherwise, though.

            That's the possibility I was cautioning against. This being Slashdot, and considering the way the question was written, it seemed like an appropriate caution.

    • Compare the total cost of using any software, including Windows-based software, with the cost of rolling your own.

      Don't forget to include the cost of getting escrowed access to the source code so that you're not totally screwed if they stop making MintDNS and it can't be made to run on the next version of Windows.

      Honestly, F/OSS owns the network infrastructure category. I can see no reason whatsoever to use a proprietary solution when this is already a solved problem.

    • by clark0r ( 925569 )
      By the sound of it, they don't have the necessary AD infrastructure to support that solution. Implementing AD for this purpose will be expensive and costly in time.
    • Re: (Score:1, Flamebait)

      by pyite69 ( 463042 )
      Windows is not a server platform - it is for desktops only.
    • by dbIII ( 701233 )

      I'm sorry, but are you discounting MintDNS because it's a Windows application, or because it would cost too much to implement?

      I would say both if you don't already have some MS Windows servers. Redundancy and licencing alone (a licence for the hot or cold spare in addition to the real server) makes it a hassle.

  • by WindBourne ( 631190 ) on Thursday April 26, 2007 @09:27AM (#18883501) Journal
    Exactly what do you think runs the bulk of the internet? That is like saying Linux or Solaris or sendmail do not scale well.
    • Re: (Score:3, Insightful)

      by fimbulvetr ( 598306 )
      That's exactly what I was thinking. There's only one reason this douchebag is asking this question, and that's because he knows fuckall if he thinks reading some DJB rant has made him experienced in the dns.

      Bind9 on debian etch with views takes all of 1.5 minutes to set up, and a sub 1ghz/512mb machine could easily serve the domain he's describing.
      • By definition, the 2nd fattest girl is skinny. Skinny and fat are relative in terms of what we accept. For example, many ppl accept Calista Flockhart as being skinny. But if somebody from Ethiopia, say 10 years ago, saw her, they would have considered her positively FAT.
      • by Biff98 ( 633281 )

        I don't like to think of myself as a douchebag :-). I'm a BIND guy, I just am. I actually picked up the NEWEST edition of O'Reilly's "DNS & BIND" (5th edition now, just in case you were curious), and read about just how hard it is to maintain a LARGE number of dynamically updateable host records. You've got key-pairs for each record, and you've got no other way than port 53 to update records.

        Roll my own, yeah I know, but remember, I'm not a developer and I'm currently using DynDNS.org which has HTT

    • You stole my post.

      BIND has been demonstrated to be inherently scalable. If the problem is that some DDNS piece doesn't scale, why not pay someone to fix that?

      It'd be nice if you provided such a fix upstream, but it's BSD so you'd never be obligated to do so.

      -Peter
      • Actually, ddns does scale nicely. If you have static ips, then the flat file is fast since they are normally sucked in 1 x and then sit in memory. But with DDNS, there are updates. That is where flat files fail. So you add one of the DB options (postgres, mysql, and sqlite are ALL good options; I have seen amazing speed out of sqlite when doing lots of updates), and now it is VERY fast. I believe that a number of the distros (linux and BSD) have compiled bind to use optional DBs.
      • by baadger ( 764884 )
        It'd be nice if you provided such a fix upstream, but it's BSD so you'd never be obligated to do so.

        Technically, even if it was GPL'd you'd never be legally obligated to provide the source (or a patch against it) unless you were distributing your modified version as a binary.
    • by Spazmania ( 174582 ) on Thursday April 26, 2007 @09:46AM (#18883725) Homepage
      Bind's implementation of dynamic dns is... funky at best. It syncs changes to disk infrequently and unpredictably, and it does so by rewriting the entire zone file in the same format as it uses for secondaried zones so that any comments or other organization in the affected file is lost. The security is also relatively coarse: the tools don't allow a particular security key to apply to a particular name -- the key applies to a whole zone. If you have a large number of devices and want to tightly constrict update access, that poses a scalability problem as you need one zone per device.

      Dyndns is likely using Bind at the back end, but they've built another layer of security and management on top of it. Biff98 is looking for software that does the whole job out of the box.
      • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday April 26, 2007 @10:01AM (#18883935) Homepage Journal

        The security is also relatively coarse: the tools don't allow a particular security key to apply to a particular name -- the key applies to a whole zone.

        BIND9 addresses this with update-policy [isc.org] which can map an individual TSIG key to a specific name (or subdomain or wildcard). You can say that "key 'laptop23.example.com.' can update an A record with the same name".

        I won't disagree about the dynamic zone file ugliness. I usually put dynamic hosts in their own subdomain so that my main zone file can remain nicely human-friendly. For example, we'd use ".mobile.example.com" and put it in its own zone file. The file for ".example.com" will still be nice, and if every record in ".mobile.example.com" is dynamic, who cares if it's a machine-generated mess?

  • PowerDNS (Score:3, Informative)

    by PsyQo ( 1020321 ) on Thursday April 26, 2007 @09:28AM (#18883509)
    Why don't you give PowerDNS [powerdns.com] a try?

    It has an authoritative component and a recursive one; both work extremely well and are in use by some big companies, as well as Wikipedia and the .TK TLD.
    As for flexibility: PowerDNS uses backends to retrieve its zone data, so you can use one that's already available (MySQL, BIND zone files, SQLite, ODBC, etc.) or write one yourself.

    Oh and it's opensource :)
    • Re: (Score:2, Informative)

      by num42 ( 614006 )
      Even better, it's GPL.

      A better place to point slashdot people to is http://doc.powerdns.com/ [powerdns.com]

      The shiny official site does not provide all the geeky information that we hunger for.
    • by Miniluv ( 165290 )
      I have to say PowerDNS is awesome. I've been using it for a quasi-dynamic DNS deployment of tens of thousands of A records using the MySQL backend. It's more stable than my traditional BIND servers, and offers better insight into what it's doing through both a simple web interface for stats and meaningful logs.
  • by JackHoffman ( 1033824 ) on Thursday April 26, 2007 @09:33AM (#18883569)
    BIND does indeed not scale well. Down, that is.
  • PowerDNS (Score:4, Informative)

    by JerkBoB ( 7130 ) on Thursday April 26, 2007 @09:35AM (#18883593)
    http://www.powerdns.com/ [powerdns.com]

    I used it when I was running an ISP a few years ago. Used a replicated MySQL backend behind three authoritative servers. Also used dnscache for recursors in front of all the customers.

    All your zone data is stored in DB tables, so it's easy to hack together a frontend, or integrate with CRM or whatever. I wish Rails had existed back then for all the CRUD that I wrote by hand. :/
  • There is no DNS problem that djbdns cannot solve. None! None I tell you! Don't listen to the heathens....
  • Does tinyDNS scale? (Score:2, Informative)

    by flydpnkrtn ( 114575 )
    Have you looked at DJB's tinydns with dynamic capabilities wrapped around it? I know for a fact djbdns scales, but I dunno how well scripts wrapped around it work.

    "TinyDYN

    In a nutshell, TinyDYN consists of a set of scripts that allow you to run your own dynamic dns services (similar to dyndns.org) on your own network. The services use strong authentication via GnuPG, and is designed to work with djbdns's tinydns for name service."

    http://www.technocage.com/~caskey/tinydyn/ [technocage.com]
  • Talk to DynDNS (Score:2, Insightful)

    by b.thompson ( 542104 )
    I'm just throwing this out here, but why not contact the people at DynDNS.org and ask about licensing their software (or process, or however they do it) for your internal use. It could solve your problem (and maybe quicker than rolling your own solution), and at the same time potentially create a new revenue stream for them.
  • by Llama Keeper ( 7984 ) on Thursday April 26, 2007 @02:19PM (#18888349) Homepage
    Have you considered an appliance solution?

    I have several colleagues that have InfoBlox appliances in production and love the devices. I believe that they do a 30 day free eval. Their units are reasonably priced and very feature-full. Pre-sales engineering is pretty good too from what I've been told.

    • InfoBlox is Cricket Liu et al - you'll probably recognize his name as the author of the O'Reilly DNS book. I've generally heard good things about their products, though I haven't used them myself.
  • by Anonymous Coward
    With Incognito's DNS Commander authoritative server, you can use DDNS to populate millions of records. I think this should solve the scalability issue that you were concerned about. And if you prefer non-Windows-centric software, DNS Commander also runs on Linux/Solaris. Also, I'm pretty sure it uses a binary database instead of text files, and it doesn't require a DBMS. Are you integrating this with OSS? DNS Commander offers a CORBA API for 3rd party integration, if necessary. Have a look at www.incognito.c
  • MaraDNS (Score:2, Informative)

    I've been using MaraDNS [maradns.org] quite happily. Never a problem on FreeBSD, Slackware or OS X. The developer is very responsive, and the documentation is very, very good, unlike that for some other alternative DNS daemons *cough*tinydns*cough*

    The zone syntax and config file structure is worlds ahead of BIND and actually makes setting up DNS fun (no, I'm not kidding. Well-written software is always a pleasure to use).
  • We too manage a lot of customer sites behind dynamic IP connections. We have the advantage of there being servers at every location where we can run our own code. We have a simple (PERL) program run out of cron once an hour to connect to one of our servers on a high port and pass through some information unique to the site. On the server end is another program (PERL again) that receives the messages, does an in-RAM check (a simple associative array) to see if this IP is any different than the last one we sa
    • by Biff98 ( 633281 )

      We use HTTP for dynamic updates now (courtesy of DynDNS.org) and a large percentage of the gear we have in the field (attached to scientific equipment) is embedded equipment that is unable to run "nsupdate" or other types of executables. We're limited to the web GUI presented to us. I really regret not explicitly stating that in my submission to Slashdot.

      As far as BIND "not being scalable", I meant that in the context of DDNS only. BIND requires a key-pair for each Dynamically update-able host record.
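A minimal version of the HTTP-to-BIND update layer Biff98 needs (embedded gear that can only hit a web endpoint, with per-host keys handled server-side), written as an added example that is not code from this thread, from DynDNS or from BIND. It assumes a dedicated dynamic subdomain and one TSIG key file per host, with BIND's update-policy restricting each key to its own name as described upthread; the hostnames, passwords, zone and paths are constructed.

```python
# Added example, not the thread's code: DynDNS-style HTTP update layer over BIND.
import base64, hmac, ipaddress, subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
ZONE = "mobile.example.com."   # hypothetical dedicated dynamic subdomain
KEY_DIR = "/etc/bind/keys"     # hypothetical: one TSIG key file per host
# Constructed per-host credentials; the record to update is derived from
# these, never from the request, so a device can only touch its own name.
CREDS = {"sensor017": "s3cret-017", "sensor018": "s3cret-018"}

def basic_header(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def authorize(auth_header, creds=CREDS):
    """Return the hostname a valid Basic-auth header identifies, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = creds.get(user)
    if expected is None or not hmac.compare_digest(pw.encode(), expected.encode()):
        return None
    return user

def nsupdate_script(host, ip, zone=ZONE, ttl=60):
    """nsupdate input that replaces only this host's own A or AAAA record."""
    addr = ipaddress.ip_address(ip)   # ValueError on anything that is not an IP
    fqdn, rr = f"{host}.{zone}", ("A" if addr.version == 4 else "AAAA")
    return (f"zone {zone}\nupdate delete {fqdn} {rr}\n"
            f"update add {fqdn} {ttl} {rr} {addr}\nsend\n")

class UpdateHandler(BaseHTTPRequestHandler):
    """GET /nic/update?myip=... with HTTP Basic auth, as embedded gear can do."""
    def do_GET(self):
        host = authorize(self.headers.get("Authorization"))
        if host is None:
            self.send_response(401); self.end_headers(); return
        myip = parse_qs(urlparse(self.path).query).get("myip", [self.client_address[0]])[0]
        try:
            script = nsupdate_script(host, myip)
        except ValueError:
            self.send_response(400); self.end_headers(); return
        # Per-host TSIG key; BIND's update-policy limits it to its own name.
        subprocess.run(["nsupdate", "-k", f"{KEY_DIR}/{host}.key"], input=script, text=True)
        self.send_response(200); self.end_headers(); self.wfile.write(b"good\n")

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), UpdateHandler).serve_forever()
```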

  • I must have completely missed this outage. According to their status page [dyndns.com] there were some attacks against their update system, but I never had any issues resolving names, either for my domains hosted with them, or with my free hosts.
    • by Biff98 ( 633281 )

      How many hosts do you manage in your zone? Like I said we're in the "thousands". DynDNS.org might have offlined the biggest users of the service in favor of keeping the much larger number of "smaller" users online. Believe me, they were offline for at least 2 days from our perspective, and I got to speak with their phone support guys a LOT. It didn't help they didn't have an ETA for when threats and outages would be mitigated. -Steve

  • DUDE!! Take a look at GnuDIP. It's a do-it-yourself, GPL and free Dynamic DNS system. It interfaces with a standard BIND installation, so you basically register a domain, then add hosts to your domain, and they can automatically update from a client installed on remote equipment. Give it a try. http://gnudip2.sourceforge.net/ [sourceforge.net]
  • With simple recipes available that offer an implementation of DNS: http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/491264 [activestate.com] one could easily plug it into any one of a number of databases. Add a very simple HTTP front end for updating name/IP information in the database, and you are done.
