Building a Dynamic DNS Server for Your Enterprise?
Biff98 asks: "We manage thousands of hostnames for field gear with DynDNS.org. It's always been our intention to configure our own DDNS server and bring it in-house. Given the recent DynDNS outage due to a DDoS attack, resulting in the inability to resolve names for multiple days, there has been 'encouragement' from management to move forward on bringing DDNS in-house. Here's the problem: I can't find any easy-to-use, scalable software to accomplish this task! BIND doesn't scale well, and I don't consider MintDNS an option due to the required platform (Windows Server w/ AD & IIS). Has anyone out there solved this problem before?"
I'm sorry, but are you discounting MintDNS because it's a Windows application, or because it would cost too much to implement? Only one of those two choices is fiscally responsible...
Compare the total cost of using any software, including Windows-based software, with the cost of rolling your own.
Why don't you give PowerDNS a try?
It has an authoritative component and a recursive one, both work extremely well and are in use by some big companies, as well as the Wikipedia and the .TK TLD. :)
As for flexibility: PowerDNS uses backends to retrieve its zone data, so you can use one that's already available (MySQL, BIND zone files, SQLite, ODBC, etc.) or write one yourself.
Oh, and it's open source
http://www.powerdns.com/
:/
I used it when I was running an ISP a few years ago. Used a replicated MySQL backend behind three authoritative servers. Also used dnscache for recursors in front of all the customers.
All your zone data is stored in DB tables, so it's easy to hack together a frontend, or integrate with CRM or whatever. I wish Rails had existed back then for all the CRUD that I wrote by hand.
A host is a host from coast to coast...
Unless it's down, or slow, or fails to POST!
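The point made in the comments above, that PowerDNS reads zone data from database tables so a dynamic-update frontend can be written against them, shown as an added example (not code from the thread or from PowerDNS). The schema is a simplified subset of the `domains`/`records` layout used by the PowerDNS generic SQL backends; the zone name, device name, key store and the HMAC message format are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import sqlite3

ZONE = "ddns.example.net"                                     # constructed zone name
HOST_KEYS = {"gear-0001": b"constructed-per-device-secret"}   # hypothetical key store

def open_db():
    # Simplified subset of the domains/records tables (assumption, not the full schema).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT UNIQUE, type TEXT);
        CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER, name TEXT,
                              type TEXT, content TEXT, ttl INTEGER);
    """)
    db.execute("INSERT INTO domains (name, type) VALUES (?, 'NATIVE')", (ZONE,))
    return db

def sign(host, ip, key):
    # MAC over "host|ip" with the device's own key (hypothetical message format).
    return hmac.new(key, f"{host}|{ip}".encode(), hashlib.sha256).hexdigest()

def update_host(db, host, ip, mac, ttl=60):
    """Apply one authenticated A-record update; return True if accepted."""
    key = HOST_KEYS.get(host)                 # only enrolled devices can be updated
    if key is None:
        return False
    expected = sign(host, ip, key).encode()
    if not hmac.compare_digest(mac.encode(), expected):   # constant-time comparison
        return False
    try:
        addr = ipaddress.IPv4Address(ip)      # accept nothing but a literal IPv4 address
    except ValueError:
        return False
    fqdn = f"{host}.{ZONE}"
    (domain_id,) = db.execute("SELECT id FROM domains WHERE name = ?", (ZONE,)).fetchone()
    with db:                                  # one transaction: replace the old A record
        db.execute("DELETE FROM records WHERE name = ? AND type = 'A'", (fqdn,))
        db.execute("INSERT INTO records (domain_id, name, type, content, ttl) "
                   "VALUES (?, ?, 'A', ?, ?)", (domain_id, fqdn, str(addr), ttl))
    return True

def lookup(db, host):
    row = db.execute("SELECT content FROM records WHERE name = ? AND type = 'A'",
                     (f"{host}.{ZONE}",)).fetchone()
    return row[0] if row else None
```

The MAC here covers only the host and address, so a captured request could be replayed later; a deployed frontend would also bind a timestamp or counter into the signed message.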
I've used djbdns for 2 years serving 4000+ internet domains, caching nameservers on LANs, and all that fun stuff that makes DNS so "interesting". Tinydns is a great piece of software if you know what you're doing, but for someone with little or no experience with DNS there is too little proper introduction documentation. Zone transfers between master and slave servers usually have hacky setups as novice admins do really stupid things here making your machine insecure (not djbdns' fault). Google for a couple of tinydns examples and you're bound to hit one that has a major security flaw in it in the first 10 hits.
Bind has the advantage of being mentioned in nearly any book on DNS, used in example configurations, and usually doesn't mean you're stuck with an unreadable log file (unless you know the tools), an obscure startup mechanism (unless you've invested time to get acquainted with the tools), and a syntax for setting records that no tools except DJBs use.
Again, djbdns is a good software package, and I can't really complain about it since it worked so well for me in the past, but I do wish it was a little less obscure in aforementioned areas so I didn't need a perl script to convert my dates in my logfile into a readable format, or need to start thinking differently when adding records.
Again, it's a great tool, if you have reasons enough to stay away from bind.
Not quite. I don't give out shell accounts: clients -- in this case, run by me -- connect to one shell account and authenticate by public key. I trust SSH's ability to authenticate a remote user far more than I do BIND's. The incoming connections don't get to run shell scripts; the
You're right. It's not "standard dynamic DNS". It uses stronger authentication, programs that are already installed on the client machines I'm interested in (embedded systems with 4 MB of flash), and is trivial to set up.
Have you looked at DJB's tinydns with dynamic capabilities wrapped around it? I know for a fact djbdns scales, but I dunno how well scripts wrapped around it work.
"TinyDYN
In a nutshell, TinyDYN consists of a set of scripts that allow you to run your own dynamic dns services (similar to dyndns.org) on your own network. The services use strong authentication via GnuPG, and is designed to work with djbdns's tinydns for name service."
http://www.technocage.com/~caskey/tinydyn/
Here's to the crazy ones
With Incognito's DNS Commander authoritative server, you can use DDNS to populate millions of records. I think this should solve the scalability issue that you were concerned about. And if you prefer non-Windows-centric software, DNS Commander also runs on Linux/Solaris. Also, I'm pretty sure it uses a binary database instead of text files, and it doesn't require a DBMS. Are you integrating this with OSS? DNS Commander offers a CORBA API for 3rd party integration, if necessary. Have a look at www.incognito.com
I've been using MaraDNS quite happily. Never a problem on FreeBSD, Slackware or OS X. The developer is very responsive, and the documentation is very very good, unlike that for some other alternative DNS daemons *cough*tinydns*cough*
The zone syntax and config file structure is worlds ahead of BIND and actually makes setting up DNS fun (no, I'm not kidding. Well-written software is always a pleasure to use).
Nothing is inexplicable; only unexplained -Tom Baker, Doctor Who