Domain: menandmice.com
Stories and comments across the archive that link to menandmice.com.
Comments · 9
-
same boat
I've reviewed the following:
Bluecat Networks Proteus/Adonis http://www.bluecatnetworks.com/
Incognito IP/Name/DNS Commander http://www.incognito.com/
INS IPControl http://www.ins.com/
Carnegie Mellon's NetReg http://www.net.cmu.edu/netreg
Lucent VitalQIP http://qip.lucent.com/
Solarwinds IPAM Pro http://www.solarwinds.net/
Men & Mice http://www.menandmice.com/
Infoblox http://www.infoblox.com/
IPPlan http://freshmeat.net/projects/ipplan
MetaInfo http://www.metainfo.com/
In hopes of replacing our current in-house developed solution.
I'll be honest, they are for the most part simply 'ok'. I wasn't super-impressed with any of them, and the bottom half of the list were definitely not ready for ISP/ASP/MSP-level use. I've listed them in descending order of my preference. All the useable ones are super-expensive, on the order of 'ok you can afford to pay a decent php/mysql coder to code you something from the ground up', or you can take this out-of-the-box thing, and shoe-horn it into your existing network. Which will in most cases take some weeks of programming anyway...
I had some of what I thought were pretty simple requirements...
- unix/linux based
- no single point of failure (clustering)
- handle forward and reverse dns
- api's (mostly to allow us to present a customer access to their zones)
- web-based gui with tiered user-levels
- pref software-based install rather than appliance, due to the shoe-horn prediction i mentioned above
Those are the highlights off the top of my head. I was surprised how few actually had all those features.
After months of doing webcasts, reading white-papers etc we've come to the conclusion that it's going to be developed in-house from the ground up, using bsd/apache/postgres/php/bind and some soap.
After reviewing these, I'm actually dying to know what large enterprises are using. I'm hoping there's some magic bullet IPAM solution that I missed on google. Please someone tell me about it!
Anyway, hope this helps you in your quest. -
VIEWS Support
I'm in a similar boat and specifically need my UI to support views (BIND's answer to split-horizon DNS). It looks to me like nictool also has no concept of views...
:(
I haven't evaluated it yet, but here's another option: http://www.menandmice.com/
Can anyone comment on the Men&Mice suite? -
SRV effectively expands IPv4 by PNAT ~2**12RTFP, dude. SRV records (RFC2782) effectively expand the IPv4 space by a factor of about 2**10-2**14 by providing a useful port-NAT style lookup mechanism, while replacing the end-to-end-principle-breaking evils of NAT with an arguably more general mechanism.
Each service on each host of the private side of your firewall box grabs a port number on the public side of the firewall and registers a corresponding SRV record with a DNS server, and any application out on the real Internet that wants to reach it finds the port number dynamically from DNS instead of statically hard-coding it. The public side still needs genuine registered addresses, but the private side can use RFC1918 space (e.g. 10.x.x.x), and each public-side IPv4 address can support as many machines behind the firewall as it takes to run out of ports. So if your cellphone has a web server, instead of reaching it through its own IP address and port 80, it looks like 10.11.12.13:80 on the hidden site, but you reach it from the real world at firewall123.cellphone-example.net:4567, and firewall123.cellphone has a real IPv4 address 123.456.789.10. Somebody in the real world who wants to reach your phone either looks up _http_.13115551212.cellphone-example.net and gets an SRV record telling them it's port 4567 on 123.456.789.10, or else you just advertise http://13115551212.cellphone-example.net:4567/ and let their browser go there directly. So if the average cellphone has 16 ports active(counting both directions), then that one IPv4 address can support 4000 phones.
And yes, this still has problems - it encourages service providers of cellphones, DNS, and cable modems to hide their users behind NAT-like service, but it's a two-way NAT-like service, and they don't have to limit the ports or protocols the users offer to the world but many of them will. And it also encourages service providers to provide big web-proxy farms on the private side to reduce the number of ports used on the public side, which makes censorship a bit easier. And there are protocols that *know* which port they live on, so the client and sometimes the server applications would need to change to use SRV records instead, but that's probably less disruptive than teaching them to use IPv6 addresses. Other protocols like http (using URLs with port numbers) and smtp (using MX records) already have ways to specify the port numbers. Some protocols like IPSEC aren't happy with NAT, especially port NAT, but they often end up doing Stupid UDP-wrapper Tricks to work around that.
-
Checking your DNS config
It has been some time but Mice and Men has (had) a cool tool for this. They also make a damn good DNS server I ran for about a half a decade before I decided the "free as in Beer" part of Bind was too attractive.
I'd strogly reccomend DNS newies read their site and consider thier products. They do good stuff. If Bind were not so ubiquitous I'd still be running QuickDNS. -
Re:Dumb question
There are many online DNS tools DNS report being one of the best and DNS stuff being very powerful but harder to use. I also like Dig it Man! for simple DNS checks. Also many large internet providers usually have allkinds of online network tools available online on their webpages.
-
Re:For non geeks
From this site: Time To Live, the number of seconds remaining on a cached record before it is purged. For authoritative records the TTL is fixed at a specific length. If a record is cached, the server providing the record will provide the time remaining on the TTL rather then the original length it was given.
-
Re:There *could* be a way around this.
It's called a Well Known Service record (WKS). Actually, rfc 1033 defines the WKS a little differently from what you've purposed. Either way, the whole concept would only make blocking a given port harder, not impossible. If the world can read your DNS records to determine which port the services they need are on, so can your ISP.
-
Re:Good luck
you see, just because you have reverse entries in your own DNS servers doesn't mean that you're authoritative for those IP addresses.
If your ISP has delegated a reverse lookup zone to your DNS servers, then yes you are authoritative. That's literrally what the word authoritative means.
-
Re:Idea
how about a new record type for websites? A record that includes both an IP address and a port.
Um, you mean like SRV records?