Slashdot Mirror


Organizing Your DNS?

Neil Watson asks: "In previous organizations I've kept track of IPs, hostnames and DNS entries by using a single hosts file. I used a script (h2n) to convert the hosts file to DNS entries (BIND). Thus, all information was available in a single text file. For Microsoft Active Directory servers, we had that system's DNS server simply forward all of its requests to the BIND server. Now, I find myself at another organization. This network is considerably larger, with more name servers. The control of IPs, hostnames and DNS entries is somewhat loose, and it is starting to take its toll. How do you organize all of your DNS information in order to easily assign and track all of the entries?"

43 comments

  1. hehe by Isosonys · · Score: 1

    You do it with a point and click UI

    1. Re:hehe by ObsessiveMathsFreak · · Score: 1

      You do it with a point and click UI

      Or at the very least a command line application.

      You most certainly should not organise DNS or administrate any other part of your network by hand editing ini and config files. That's just plain stupidity.

      --
      May the Maths Be with you!
    2. Re:hehe by Anonymous Coward · · Score: 1, Interesting

      That's just plain argument by assertion, and this is just plain ad hominem attack.

      I suggest that careful editing of configuration files such as a host file processed by h2n might not be a bad approach. Of course, one is allowed to write additional scripts or programs to check configuration file syntax, consistency and the like, and to make it easier to manage large zones. One could even use make to cause the generation, application, and activation of appropriate DNS zones. Or not. If you can't type, those GUI point-and-click things are right handy.
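The kind of consistency check this comment suggests running over an h2n-style hosts file before zones are generated, as an added example that is not part of the thread or of h2n itself. The finding names, the sample file, and the choice to treat a host with several addresses as a warning rather than an error are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 952/1123 label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
WARN_ONLY = {"multi-addr"}  # assumption: multi-homed hosts are legitimate, so only noted

# Constructed sample input, not taken from the thread.
SAMPLE_HOSTS = """\
# ip          canonical      aliases
192.0.2.10    www            web
192.0.2.11    mail           mx1
192.0.2.11    oldmail                 # stale entry never removed
192.0.2.12    db_primary              # underscore is not a legal hostname character
192.0.2.300   printer
192.0.2.13    build          www      # alias collides with the host on line 2
192.0.2.14    gw
198.51.100.1  gw                      # second interface of the same host
"""


def valid_name(name):
    """True if every dot-separated label is a legal hostname label."""
    if name.endswith("."):
        name = name[:-1]
    return 0 < len(name) <= 253 and all(LABEL.match(p) for p in name.split("."))


def parse_hosts(text):
    """Yield (lineno, ip_string, [names]) for each line that carries an entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield lineno, fields[0], fields[1:]


def lint_hosts(text):
    """Return sorted (lineno, kind, detail) findings for a hosts file."""
    findings = []
    ip_owner = {}                   # address -> (lineno, canonical) of first use
    name_owner = {}                 # name or alias -> (lineno, canonical) of first use
    host_addrs = defaultdict(set)   # canonical name -> addresses seen so far
    for lineno, ip_s, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            findings.append((lineno, "bad-ip", ip_s))
            continue
        if not names:
            findings.append((lineno, "no-name", ip_s))
            continue
        names = [n.lower() for n in names]   # DNS names are case-insensitive
        canonical = names[0]
        for n in names:
            if not valid_name(n):
                findings.append((lineno, "bad-name", n))
            first = name_owner.setdefault(n, (lineno, canonical))
            if first[1] != canonical:
                findings.append((lineno, "name-collision",
                                 f"{n} already belongs to {first[1]} (line {first[0]})"))
        first = ip_owner.setdefault(ip, (lineno, canonical))
        if first[1] != canonical:
            # Two hosts on one address: the generated PTR record would be ambiguous,
            # and one of the entries is usually stale.
            findings.append((lineno, "dup-ip",
                             f"{ip} already assigned to {first[1]} (line {first[0]})"))
        if host_addrs[canonical] and ip not in host_addrs[canonical]:
            findings.append((lineno, "multi-addr", f"{canonical} has several addresses"))
        host_addrs[canonical].add(ip)
    return sorted(findings)


def exit_status(findings):
    """1 if any finding is an error, so a Makefile rule can refuse to build zones."""
    return 1 if any(kind not in WARN_ONLY for _, kind, _ in findings) else 0


if __name__ == "__main__":
    results = lint_hosts(SAMPLE_HOSTS)
    for lineno, kind, detail in results:
        print(f"line {lineno}: {kind}: {detail}")
    raise SystemExit(exit_status(results))
```

Run as a prerequisite of the zone-generation step, a non-zero exit keeps a malformed or contradictory hosts file from ever reaching the name servers.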

  2. PowerDNS by bmac83 · · Score: 5, Informative

    You can use PowerDNS and any number of administrative tools to manage the domains with a SQL database rather than flat text files.

    1. Re:PowerDNS by Anonymous Coward · · Score: 0

      And if you run into performance problems (a sql backend is not like a flat file kept in RAM as BIND's) you can either try tweaking db or powerdns parameters or use powerdns as master and have it transfer zones to some slave BIND servers. You can also set up a php/ruby/whatever other cgi little app and have domain names redirected to normal web URIs using powerdns "fancy urls", too, which is nice for small departments with no dedicated server.

  3. 1. Consolidate Authority - 2. Install a frontend by jgaynor · · Score: 5, Interesting

    It seems to me that most of your problems can be solved with a little political weight-throwing.

    This network is considerably larger, with more name servers. The control of IPs, hostnames and DNS entries is somewhat loose, and it is starting to take its toll.

    The number of nameservers is irrelevant as long as they're master/slave. Are each of these NS boxen run by a different business unit/department? If so, find the group with the organizational proponency for DNS (probably you) and demand that they be given full control. Assign a hostmaster for your organization and funnel ANY and ALL dns changes through him/her/it. Authority for subdomains can still be given out, but force a signed waiver to cover your ass when they shoot themselves in the foot by running 2k3 AD as a production NS service.

    Once this is done you'll probably want to ditch the flat-file approach and run some sort of frontend. It guarantees that when your hostmaster eventually quits you won't have to find another expensive geek. I used to run the webmin plugin for BIND, but stopped once I saw what a security nightmare webmin was. Don't have much experience with anything else besides custom solutions but nictool and oDNS have their supporters.

  4. Ganymede, Doctor DNS by jonabbey · · Score: 5, Informative

    We have been using our own software, Ganymede, to handle our DNS for the last 7 years. Ganymede is a programmable directory mastering application.. you give it a schema with objects for real-world items such as systems, interfaces, networks, etc., and Ganymede provides an object database and concurrent client/server GUI for making changes. Whenever an administrator hits 'commit' in their client, Ganymede turns around and updates the DNS (and in our case, our NIS, our Active Directory, our DHCP, and more) on a background thread.

    The schema we use for managing DNS at ARL:UT is not the most flexible, in that we have only a single DNS domain that we are managing, and may well not fit your environment, however there is a consulting company in Germany, http://www.fg-networking.de/, which has built a complete DNS and DHCP management solution around Ganymede. They are using it to manage the DNS and DHCP for a University of 14,000 hosts, and they might be able to help you out with your environment.

    If you do decide you might like to know more about Ganymede, let me know.. I've been working on it for the last couple of years for internal use and for clients, without posting any new releases on our website. The software has tons of improvements that have been made in the meantime.

    1. Re:Ganymede, Doctor DNS by Anonymous Coward · · Score: 0

      I'm not a Ganymede user myself, but I've watched our sysadmins use it from time to time. The biggest problems I see with it are its lack of support for LDAP (hope you like NIS/NIS+ for authentication), and its Java GUI interface is slow and uses the Windows MDI approach of having windows within windows, which makes things hard to see at times (like when you're comparing two host records to try to figure out why host A isn't allowed to NFS mount the home directories, but host B can).

      It's also limited in some other areas, for example, if you have a person who is responsible for an experimental server farm, and thus frequently needs to add and remove machines from the database, yet is not authorized to manage user accounts, you either have to make this person a group admin and hope they don't mess things up, or they have to hunt down an admin and get them to perform the updates (annoying after hours or on weekends). Of course, this might be a feature for you.

      Also, I have no idea if it uses SSL for client-server communications, or if your login and password go over the network as cleartext.

      Caveat sysadmin, as always.

    2. Re:Ganymede, Doctor DNS by Anonymous Coward · · Score: 0

      Just checking: are you aware that 'gash' is slang for female genitalia in many English-speaking parts of the world?

    3. Re:Ganymede, Doctor DNS by jonabbey · · Score: 4, Informative

      Ganymede 2.0 uses SSL for all client-server communications, as well as digitally signing the applets. It also requires Java 1.4 or better, largely in order to support SSL.

      Ganymede supports roles, so that you can give certain administrators arbitrarily reduced privileges. If you've got people who need to have limited privileges as you describe, it's possible to grant them in Ganymede, if the powers that be permit it.

      May I ask if you work at ARL:UT?

    4. Re:Ganymede, Doctor DNS by jonabbey · · Score: 1

      Ah, and on the LDAP/NIS/NIS+ question, Ganymede can support anything you like with it. Historically it was designed with an NIS supporting schema, but we're also using it to synchronize accounts to Active Directory by way of LDAP, and synchronizing accounts to an OpenLDAP server is easily done as well.

      The big problem with using LDAP for Unix authentication is that system vendors haven't implemented RFC 2307 in as consistent a fashion as they have their NIS implementations.. different operating systems have different limitations on how things like netgroups and automounter definitions are represented in LDAP, which makes it a bit difficult to have a very heterogeneous environment without requiring extensive client-side configuration.

    5. Re:Ganymede, Doctor DNS by jonabbey · · Score: 1

      Yes. The individual who named the predecessor project (the Group Admin Shell) was not, however.

    6. Re:Ganymede, Doctor DNS by grub · · Score: 1


      Just checking: are you aware that 'gash' is slang for female genitalia in many English-speaking parts of the world?

      Good thing they didn't name it 'cunt', eh?

      --
      Trolling is a art,
  5. Alphabetically of course. by Telastyn · · Score: 1

    and sorted by IP for the reverse.

    Easy to enforce via script, and simple enough for even windows admins to remember. Sure, you get problems when people forget to remove old hosts, and in the time it takes for your servers to replicate from the master, but you'll get those with any setup really...

  6. A little more info would have helped.. by tinkertim · · Score: 2, Insightful

    Would love to help you, but not sure if these are all internal domains? mixed? How are the zones organized now?

    I use a single system image cluster (A small Xen virtualized one) with my own little sqlite concoction to keep track of what is soa for what. This lets me easily shift things around with a back end I wrote using PHP5.

    I have 2 machines, each has 7 nodes (1 director and 6 real nodes) each with 128 MB allocated to it. This gives me failover, load balancing and the convenience of the single system image without the hassles of nfs breaking, and no trust relationships to hassle with.

    I have each node running a separate config, with CVIP running directing queries from the Internet to the 2 nodes SOA for the domain as seen from the outside world.

    This lets me put each node on a different network, but using only 1 nic (I should use 2 but I'm cheap) per machine. I really didn't *need* the admin back end, (grep works wonders so does find) but it makes things simple.

    I also haven't had a 3AM wake up due to a DNS outage in quite a while :) Total cost :

    2 P4 HT's, 4 SATA drives, and about 12 hours of time to set it up. No single point of failure either :)

    Sounds like you're in a bowl of spaghetti .. I'd tame it soon before you get blamed for the previous guy's lack of effort.

    HTH :)

    1. Re:A little more info would have helped.. by botsmaster25 · · Score: 1

      I second that more information is needed.

      Is it a BIND/AD mix again, BIND only, AD only or something different?

      If he is only running two DNS servers then your "what I run in my parent's basement" solution might work.

      Kidding aside, what are you servicing with that setup?

    2. Re:A little more info would have helped.. by tinkertim · · Score: 1

      A small office network, only about 300 machines. They also provide web hosting to clients (who also must have access to their own individual zones edited via C-Panel web control panel), and maintain 2 standard caching NS's for co-located clients to query from within leased space in the office.

      Static (and light) use, never really changes so it suits them well. :) The HT's + Debian (almost) never have problems and it's very very easy to just toss in more ram to increase the capacity of the nodes later. All they run is BIND and ha-lvs, nothing else really malloc()'ing in the tree so they sail pretty smoothly @ 128 MB per node. Less than 500 zones.

      They wanted to try a Virtualized cluster to see how it went for something small .. so it was a good way to demonstrate what could be done on a larger scale if they ever felt like actually spending money.

      Gotta work with the budget they give ya :) You could easily change that to be 2 dual xeons with 4GB registered and 72k drives, allocate 1GB per node. Sort of like a swiss army knife.

  7. You're gonna need a montage by Anonymous Coward · · Score: 0

    Even Rocky's DNS has a montage.

  8. How many hosts? by bernywork · · Score: 3, Informative

    If you were able to manage out of a single hosts file before, then you would have been looking after a small organisation.

    I find that even up to 1500 hosts, managing IP addresses out of a spreadsheet is fine. The amount of times that admins actually connect machines to networks isn't all that often (with the exception of workstations, but use dynamic DNS for that and don't worry about putting them into a spreadsheet) so the changes are minimal.

    Get the solarwinds software if you are running Windows (or find a box to put it on) and in the engineers edition, there is a DNS auditing tool. Run that every now and again to make sure that what's in the spreadsheet and what's in DNS matches up and all is good.

    If you are looking above 1500 hosts, then you might need to consider some of the other posts above.

    I found in the past as long as your IP allocations are easily manageable, and you know what it is that you want to manage, then it's all good.

    Berny

    --
    Curiosity was framed; ignorance killed the cat. -- Author unknown
  9. Extend the hosts file metaphor by Zocalo · · Score: 2, Interesting

    You don't say how many domains you are dealing with, but unless it's something obscene then getting all your zones to include one "gold" server on their NS list is a good start. The zone files themselves then provide all the IP information you might need on the hosts, especially if you also include HINFO or TXT records for your hosts. Ideally this would be the SOA for all the domains, and not used for anything other than acting as authoritative DNS for secondaries that would handle the actual queries although if you are delegating administration on subdomains that might not be practical. Note that on BIND (and presumably other DNS servers), your listed "authoritative" DNS servers, including the SOA if you wish, can actually be slaves to a "hidden" server or servers that only they can query, which can be very useful in designing a management structure.

    Depending on how many people are updating the zones, what kind of security you need on that, and how many zones you actually have then start looking at GUI/web based frontends and database backends. Personally, I'd try and assign a few designated hostmasters to administer all DNS changes centrally, but if that meets objection and you don't have or can't get enough weight to overrule it it's not a major problem. There are plenty of quite decent web based GUIs out there to interface with the zone files directly or things like SQL and LDAP based backends, pretty much all of the better ones allow you to apply access control somewhere in the implementation. If you are considering a database based backend though, be very careful about your selection and implementation if there are any dynamic zones (especially Active Directory, since you mention Windows) in the mix!

    --
    UNIX? They're not even circumcised! Savages!
  10. Infoblox by austad · · Score: 3, Informative

    Infoblox is a great product for doing this. It's all appliance based, runs Bind (Cricket Liu works for them), and basically everything operates as a grid. I've done a couple of installs of this for clients, and it's a very slick system.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
    1. Re:Infoblox by ChristopherCain · · Score: 2, Informative

      I've found that Infoblox isn't at all cracked up to what they claim to be. From my experience, BlueCat Networks' Adonis DNS/DHCP server kicks ass over anything from Infoblox in ease of management and reliability. As well, BlueCat's technical support is the greatest I have ever dealt with.

      BlueCat has another product called the Proteus that handles IP Address Management. We have found that with multiple locations distributed throughout the world, something like this may greatly help us keep a tighter control of our networks.

      I'm not trying to knock Infoblox, I have happened to use both companies' products in my career and prefer BlueCat's better.

    2. Re:Infoblox by TooMuchToDo · · Score: 1

      Chris, I started to compare Infoblox and BlueCat's appliance offerings today, because our company is in the market for a managed DNS solution. After reading your Slashdot post, I actually looked more into the BlueCat appliances. Then I googled for your name and BlueCat. Here's the link to your blog Google gave me: http://www.christophercain.ca/archive/2006/01/16/First_Day_at_BlueCat_Networks_Inc.aspx Next time you shill for your company/employer, you might want to at least put forward some disclaimer that you work for the company.

    3. Re:Infoblox by ChristopherCain · · Score: 1

      You are completely right, and I apologize. My intent wasn't to shill for BlueCat. I really do believe that BlueCat is a superior product, not only in terms of product, but customer service as well. And please, don't take my word for it. There are lots of articles and reviews on the Internet that will tell you the same.

      I hope that you will seriously evaluate all options and decide to go with what you feel is best for you and your organization, despite my decision to not disclose the company I work for in my previous comment.

      Once again, my apologies. I did speak the truth, however, and actually have used both products in the past.

  11. Think outside the box by SeeMyNuts! · · Score: 2, Funny


    You should update your information architecture to send client DNS resolution requests via your postal service. Employ a small number of columnar mapping table lookup experts to inscribe the proper domain names onto the request sheets and transfer them back to the clients, again via post mail. You should realize the desired sea change in support staff utilization within weeks.

  12. IPplan by lucm · · Score: 5, Informative

    Here is a nice web-based solution: http://iptrack.sourceforge.net/

    We are using it at the office and it is very handy.

    There are a lot of features, including DNS management, search tools, routing tables management, ...

    --
    lucm, indeed.
  13. dynamic dns? by josepha48 · · Score: 1

    Our sys admins are switching to dynamic dns for that very reason.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

  14. Server 2k3 by Southpaw018 · · Score: 1

    If you have an all-Windows server environment (it doesn't sound like you do, but if you do), MS AD and DNS under Server 2003 handles almost everything automatically. You can insert your own entries if you want (CNAMEs), but on all small and many medium sized networks you can leave DNS as a totally hands off affair. Just make sure the DDNS updates are set to secure.

    --
    ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
  15. It's 2006 - LOL by Anonymous Coward · · Score: 0

    It's 2006! Where have you been? IP's and DNS are so easy and so automated that most people don't trouble themselves with such trivia any more.

    It's simple. You have a central authority decide the IP scheme for your organization. These would be the upper level decision makers and network architects in your IT department, the ones that actually design the network infrastructure. With the scheme decided, a block of addresses is assigned to the backbone and server farms. The rest are distributed as necessary around your network.

    But, this is where things deviate from your norm. Instead of your Excel spreadsheet and host file method, the IP address ranges are given to the MS DHCP servers which are also configured to dynamically update DNS. This way, all non-server or router IP's are assigned automatically via DHCP and if the client, typically XP, doesn't automatically update the DNS server with its assigned address and hostname, then the DHCP server will on its behalf.

    It's a really simple configuration that shouldn't take more than an hour, even on a large network. Once the configuration is done, you never look back. IP's are handed out automatically and DNS entries are updated on the fly. The network just works and you concentrate on more important issues than host files.

    Now, being a dyed in the wool BIND fan, like you appear to be, I'm sure you'll want to avoid the MS DHCP and DNS servers. And indeed, BIND can be configured to allow automatic updates as well as SRV records but, it's all very cumbersome and manual. The MS servers are preconfigured and ready to go. They just work in this fashion and are far better integrated into the whole infrastructure than BIND ever will be. Why work so hard when an easy fire and forget solution is already at hand?

  16. Windows DNS by Joe+U · · Score: 1

    I'm fortunate enough to have an all Windows 2000/XP domain, the automatic DNS really makes things easier internally.

    I even have a couple of old WINS servers running for the legacy clients, which don't exist anymore, which reminds me to turn off the WINS servers. Well, at least they integrate into DNS automatically.

    Microsoft actually provides some easy to use and powerful DNS tools with Windows. Recently I had to add a batch of 35 domains to our hosted environment, was pretty easy with DNSCMD and a few batch files. For simple updates though, the GUI does a decent job.

  17. MyDNS Rocks by pyite69 · · Score: 2, Informative

    We have hundreds of thousands of domains and millions of A, PTR, MX records. It is quite manageable with MyDNS. It uses a MySQL database with two simple tables - one for the domains and one for the address information.

    It makes multiple name servers easier because you don't need to AXFR - you just use MySQL replication which is quite easy to deal with.

  18. Nictool by LogicX · · Score: 2, Informative

    Nictool is an excellent DNS management system which uses mysql as a backend, rsync/ssh to update djbdns servers, and has a web frontend with very granular delegation to different users.

    I've been using it for many many months on multiple DNS setups, and many other organizations use it also. It takes a bit of knowledge to set up, but is very reliable once it's set up. I've written a few guides on configuration and installation (though now a little outdated) -- they can be found in the mail toaster forum.

    --
    May this post be indexed by spiders, and archived for all to see as my Internet epitaph.
  19. DNSDusty by PoochieReds · · Score: 1

    One of the big problems I've always had with most DNS management frontends is that they seem to all need a separate database of some sort, and then they try to sync up the contents of the zonefiles with what's in that database.

    This wreaks all sorts of unholy havoc if you do any sort of changes outside of that interface (like a DHCP server that updates DNS).

    I wrote a small app to manage DNS for my home that plays well with DHCP, though I'll confess I have no reports of anyone using it for a large site:

    http://www.poochiereds.net/dnsdusty/

    It simply uses zone transfers for reads and DDNS for writes. Note that it is not a "do all" tool, it's geared toward giving you a frontend to the most common tasks (adding and removing records). Things like creating a new zone still need to be done by hand.

    It also allows you to limit users to updating only particular zones.

  20. Multi-homed hosts by Anonymous Coward · · Score: 0

    The one big piece of advice that I would give is to be wary of any application that doesn't support multi-homed hosts, machines with more than one IP address or multiple MAC addresses. It generally means that it isn't up to the task of scaling upwards as your needs scale up.

    When I was looking at solutions (both commercial and OSS), I was astounded at the number of apps that completely lacked this capability.

  21. Spam much by Anonymous Coward · · Score: 0

    We have hundreds of thousands of domains and millions of A, PTR, MX records. It is quite manageable with MyDNS.

    Spam much

  22. Have you considered LDAP? by coyote-san · · Score: 1

    Seriously.

    You probably don't want to jump into LDAP if this would be your sole use. However a site large enough to make maintenance of the DNS files a pain is probably large enough that it either does, or at least should consider, using LDAP for user and system information. See the recent series of articles (in Linux Journal?) on setting up a single sign-on system using LDAP and Kerberos for an idea of how powerful it can be.

    Yes, maintenance can be a bitch. But it's better than having to maintain separate access and permission files on dozens or hundreds of servers for hundreds or thousands of users. What are you going to use, NIS instead of LDAP+SSL? Besides there are already tools and front-ends and in the worst case you toss together some quick perl or java pages. It's not _that_ hard.

    But why bother? Several reasons:

    - LDAP is standard and has standard schema. That doesn't matter much when you create your initial system, but what happens when your company acquires another company using their own custom system? Or you're acquired by another company?

    - LDAP is extensible. Again that doesn't matter when you create your initial system since you'll include everything you need. But what will it take to add new attributes? E.g., the new TXT entry that's used to indicate which hosts are authorized to send mail for the domain, or a key pair because your corporate overlords tell you to provide DNSSEC.

    - DHCP servers can/will soon publish their IP address assignments to LDAP.

    - RADIUS servers can/will soon(?) publish their assignments to LDAP.

    - LDAP can/will soon be natively supported by bind in the next few releases. It won't be necessary to write tools that map your SQL database to text files, bind will be hitting the database directly.

    If I were you, my first question would be whether the company already used LDAP or the CIO had plans that would require it anyway within the next few years. If so, document the points I made above and bite the bullet.

    (The "can/will soon" is from the recent LJ articles.)

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Have you considered LDAP? by mr_jrt · · Score: 2, Informative

      I run ldap2dns and unfortunately (or not, as pertains to your viewpoint), the author believes dyndns isn't fundamentally a good idea, as DNS is a resolver, and thus shouldn't have write access to the DB. Which does kind of make sense from a security standpoint, as DHCP is never externally facing whilst DNS is far more likely to be. Still, it causes me no end of pain as I haven't found a DHCP server that will update my LDAP...and I haven't got the faintest idea where to begin hacking ISC's dhcpd.

      --
      Boo.
  23. VIEWS Support by yermama · · Score: 1

    I'm in a similar boat and specifically need my UI to support views (BIND's answer to split-horizon DNS). It looks to me like nictool also has no concept of views... :(

    I haven't evaluated it yet, but here's another option: http://www.menandmice.com/

    Can anyone comment on the Men&Mice suite?

  24. Network admin should be able to handle this by rabbit994 · · Score: 1

    Assuming by the nature of your question, you have multiple sites each wanting control over their DNS. You should simply delegate control for individual zones to their admins. Say you have hq, la, dc and ny offices. You should have example.com being top level, only thing in there are web entries, and maybe the mail servers. You then have hq.example.com, la.example.com, dc.example.com and ny.example.com and you put all the machines in DNS zone respective to their location. I recommend using Windows 2k3 DNS if you have access to it since it comes with a pretty GUI, AD zones can be delegated to individual admins and it works extremely well. This type of question is generally answered in most Administrator training. I remember covering this in Windows 2000 Network training (70-216). Most of information could have easily been ported over to Linux environment as well. Maybe you should ask your boss for some training $$$ and find some DNS specific classes.

  25. For scalability and flexibility, try CMU's NetReg by vitroth · · Score: 1

    Carnegie Mellon's NetReg (*) is a DNS & DHCP management system (and much more) that we wrote in house to replace our previous database. We manage DNS & DHCP for 50K machines, and NetReg does it all. It is available under an OSS license and is in use at several other locations. NetReg provides a self service web interface with flexible permissions, privilege delegation, IP address space management, DNS record validation, and more.

    As the current primary developer of the system I'm a bit biased, but I think it's a great system. It has a steep learning curve, and the documentation leaves something to be desired (like a tech writer...), but once you hit a certain scale the benefits outweigh the cost. On the site linked above you'll find a working demo with some base data you can experiment with, but obviously the full power of the system isn't utilized until you have lots of data and can see the resulting zones & config files.

    There is an active mailing list. Feel free to join it and ask questions.

    *: Not to be confused with Southwestern University's NetReg, which is a completely different system developed in parallel around the same time.

  26. VitalQIP as a commercial option by Frank+Jennings · · Score: 1

    First, let me say that I am an employee of Lucent Technologies, Inc. If you are interested in a highly scalable and fault tolerant IPAM, DNS and DHCP solution, we can offer VitalQIP. This depends on how much you need to move beyond a single hosts file or spreadsheet. The VitalQIP product is a centralized solution for the management of your IP address space, DNS and DHCP. As part of the application we also provide the Lucent DNS Server (BIND based) and the Lucent DHCP server. The system is integrated with Windows 2003 Domain Controllers, DNS and DHCP. This includes GSS-TSIG authenticated Dynamic DNS Updates. From an administrative control perspective, the management UI allows for very granular control of access, down to the individual IP address. The software runs across a range of operating systems and hardware platforms. Let me know if you have any further questions. Frank Jennings fjennings@lucent.com http://www.lucent.com/vital

  27. DNS server comparison chart by oldmildog · · Score: 1

    You may want to look at this entry on Wikipedia as a jumping-off point.

    --
    They have the Internet on computers now?
  28. Organizing your DNS? by Tim+Rooney · · Score: 1

    I work for International Network Services (INS) so I'll throw our hat in the ring with our IPAM product, IPControl. IPControl provides many features to manage IP address space, DNS, and DHCP in one integrated web interface. We offer software or appliance platforms, and IPControl can manage your existing Windows, ISC, or BIND DHCP and DNS services. The web GUI provides a simpler interface for configuring complex DHCP/DNS server parameters, from DHCP failover to DNS views, to TSIG keys and much more.