Slashdot Mirror


Building a Dynamic DNS Server for Your Enterprise?

Biff98 asks: "We manage thousands of hostnames for field gear with DynDNS.org. It's always been our intention to configure our own DDNS server and bring it in-house. Given the recent DynDNS outage due to a DDoS attack, resulting in the inability to resolve names for multiple days, there has been 'encouragement' from management to move forward on bringing DDNS in-house. Here's the problem: I can't find any easy-to-use, scalable software to accomplish this task! BIND doesn't scale well, and I don't consider MintDNS an option due to the required platform (Windows Server w/ AD & IIS). Has anyone out there solved this problem before?"

17 of 67 comments

  1. Not an option? by Short+Circuit · · Score: 2, Informative

    I'm sorry, but are you discounting MintDNS because it's a Windows application, or because it would cost too much to implement? Only one of those two choices is fiscally responsible...

    Compare the total cost of using any software, including Windows-based software, with the cost of rolling your own.

    1. Re:Not an option? by Hack'n'Slash · · Score: 2, Insightful

      There's nothing wrong with allowing one's previous experience to influence current decisions.
       
      Let's say I've had troubles with a couple of EMC boxes and haven't had much luck with their support. Would you criticize me for excluding EMC products from future storage purchases???

  2. BIND does not scale??? by WindBourne · · Score: 4, Insightful

    Exactly what do you think runs the bulk of the internet? That is like saying Linux or Solaris or sendmail do not scale well.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:BIND does not scale??? by fimbulvetr · · Score: 2, Insightful

      That's exactly what I was thinking. There's only one reason this douchebag is asking this question, and that's because he knows fuckall if he thinks reading some DJB rant has made him experienced in the dns.

      Bind9 on Debian Etch with views takes all of 1.5 minutes to set up, and a sub-1GHz/512MB machine could easily serve the domain he's describing.

    2. Re:BIND does not scale??? by Spazmania · · Score: 4, Interesting

      Bind's implementation of dynamic dns is... funky at best. It syncs changes to disk infrequently and unpredictably, and it does so by rewriting the entire zone file in the same format as it uses for secondaried zones so that any comments or other organization in the affected file is lost. The security is also relatively coarse: the tools don't allow a particular security key to apply to a particular name -- the key applies to a whole zone. If you have a large number of devices and want to tightly constrict update access, that poses a scalability problem as you need one zone per device.

      Dyndns is likely using Bind at the back end, but they've built another layer of security and management on top of it. Biff98 is looking for software that does the whole job out of the box.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    3. Re:BIND does not scale??? by Just+Some+Guy · · Score: 4, Interesting

      The security is also relatively coarse: the tools don't allow a particular security key to apply to a particular name -- the key applies to a whole zone.

      BIND9 addresses this with update-policy which can map an individual TSIG key to a specific name (or subdomain or wildcard). You can say that "key 'laptop23.example.com.' can update an A record with the same name".

      I won't disagree about the dynamic zone file ugliness. I usually put dynamic hosts in their own subdomain so that my main zone file can remain nicely human-friendly. For example, we'd use ".mobile.example.com" and put it in its own zone file. The file for ".example.com" will still be nice, and if every record in ".mobile.example.com" is dynamic, who cares if it's a machine-generated mess?

      --
      Dewey, what part of this looks like authorities should be involved?
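The per-name update-policy grant described in this comment, and the per-device-key concern raised in the parent comment, as an added named.conf example (not code from the thread or from ISC's documentation). The zone names, key name, file paths and the placeholder secret are assumptions; the dynamic hosts live in their own subzone so the hand-edited example.com file is never rewritten by named.

```conf
// Added example: BIND 9 named.conf fragments giving each field device its own
// TSIG key that may update only its own A/AAAA record. Names, paths and the
// secret are placeholders; generate a real secret with
//   tsig-keygen laptop23.mobile.example.com.        (BIND 9.11+)
// or dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST laptop23.mobile.example.com.
// on older releases, and ship the resulting key {} block to that device only.

key "laptop23.mobile.example.com." {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // placeholder, replace
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   // static, human-edited; no allow-update here
};

zone "mobile.example.com" {
    type master;
    // Owned by named: it is rewritten from the .jnl journal, so never hand-edit
    // it without `rndc freeze mobile.example.com` / `rndc thaw` around the edit.
    file "/var/cache/bind/db.mobile.example.com";
    update-policy {
        // self: the key may change only the name equal to its own key name,
        // and only the listed types (no NS, SOA, CNAME, no other hosts).
        grant laptop23.mobile.example.com. self laptop23.mobile.example.com. A AAAA;
        // Fleet-wide form once every device key is named after its host:
        // grant * self * A AAAA;
    };
};

/* Client side, from the device holding only its own key (assumed addresses):
   nsupdate -k laptop23.key <<'EOF'
   server ns1.example.com
   zone mobile.example.com
   update delete laptop23.mobile.example.com. A
   update add laptop23.mobile.example.com. 300 A 203.0.113.7
   send
   EOF
*/
```

With this layout a compromised device can only rewrite its own record, not the zone. Updates are durable in the journal as soon as named acknowledges them; the on-disk zone file lags, and `rndc sync mobile.example.com` (BIND 9.9+) forces the rewrite if you need the text file current for backups or inspection.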
  3. PowerDNS by PsyQo · · Score: 3, Informative

    Why don't you give PowerDNS a try?

    It has an authoritative component and a recursive one, both work extremely well and are in use by some big companies, as well as Wikipedia and the .TK TLD.
    As for flexibility: PowerDNS uses backends to retrieve its zone data, so you can use one that's already available (MySQL, BIND zone files, SQLite, ODBC, etc.) or write one yourself.

    Oh and it's open source :)

    1. Re:PowerDNS by num42 · · Score: 2, Informative

      even better, it's GPL.

      A better place to point slashdot people to is http://doc.powerdns.com/

      the shiny official site does not provide all the geeky information that we hunger for.

      --
      "morning is a state of mind ;)"
  4. BIND doesn't scale well by JackHoffman · · Score: 4, Funny

    BIND does indeed not scale well. Down, that is.

  5. PowerDNS by JerkBoB · · Score: 3, Informative

    http://www.powerdns.com/

    I used it when I was running an ISP a few years ago. Used a replicated MySQL backend behind three authoritative servers. Also used dnscache for recursors in front of all the customers.

    All your zone data is stored in DB tables, so it's easy to hack together a frontend, or integrate with CRM or whatever. I wish Rails had existed back then for all the CRUD that I wrote by hand. :/

    --
    A host is a host from coast to coast...
    Unless it's down, or slow, or fails to POST!
  6. Re:Use appropriate tools! by Just+Some+Guy · · Score: 2, Interesting

    You can say a lot about DJB and his software, but you have to grant him that his code is very, very well written, and very secure.

    No, I really don't have to. Since he's never actually released a program that supports more than 10% of the functionality of what it claims to replace, we have no idea whether he's capable of designing a large, secure system.

    My BIND-based dynamic DNS depends on BIND not having a hole in the code that looks at the authentication key used to decide which records it can update. The DJBDNS "equivalent" requires that (in the grandparent's setup) DJBDNS, SSH, console access to their DNS server, their update scripts, and the conversion-and-aggregation makefile are all configured and working perfectly. Your "solution" requires the same, but replaces SSH+console with a webserver on your DNS server.

    Your contention seems to be that those entire sets of applications are at least as secure as just using BIND in the first place, and frankly, I dismiss that out of hand. Even if you're a security expert and your particular setup is bulletproof, I doubt that the majority of people trying to juggle such a fragile setup are that capable. Ergo, DJBDNS is much less secure for the average person trying to get the same functionality that BIND ships with.

    --
    Dewey, what part of this looks like authorities should be involved?
  7. Re:Use appropriate tools! by discord5 · · Score: 2, Informative

    You've obviously never used tinydns/djbdns. It just works. It serves dns records, and it does that job well, and it's very secure. It doesn't have the poor code quality and 50 gazillion other features that have made Bind the, well, security nightmare that it has been.

    I've used djbdns for 2 years serving 4000+ internet domains, caching nameservers on LANs, and all that fun stuff that makes DNS so "interesting". Tinydns is a great piece of software if you know what you're doing, but for someone with little or no experience with DNS there is too little proper introduction documentation. Zone transfers between master and slave servers usually have hacky setups as novice admins do really stupid things here making your machine insecure (not djbdns' fault). Google for a couple of tinydns examples and you're bound to hit one that has a major security flaw in it in the first 10 hits.

    Bind has the advantage of being mentioned in nearly any book on DNS, used in example configurations, and usually doesn't mean you're stuck with an unreadable log file (unless you know the tools), an obscure startup mechanism (unless you've invested time to get acquainted with the tools), and a syntax for setting records that no tools except DJBs use.

    Again, djbdns is a good software package, and I can't really complain about it since it worked so well for me in the past, but I do wish it was a little less obscure in aforementioned areas so I didn't need a perl script to convert my dates in my logfile into a readable format, or need to start thinking differently when adding records.

    Again, it's a great tool, if you have reasons enough to stay away from bind.

  8. Does tinyDNS scale? by flydpnkrtn · · Score: 2, Informative

    Have you looked at DJB's tinydns with dynamic capabilities wrapped around it? I know for a fact djbdns scales, but I dunno how well scripts wrapped around it work.

    "TinyDYN

    In a nutshell, TinyDYN consists of a set of scripts that allow you to run your own dynamic DNS services (similar to dyndns.org) on your own network. The services use strong authentication via GnuPG, and are designed to work with djbdns's tinydns for name service."

    http://www.technocage.com/~caskey/tinydyn/

  9. Re:Use appropriate tools! by fimbulvetr · · Score: 2, Interesting

    DJB's software is "secure" because he can flat out deny vulnerabilities and all of his fans believe him and parrot it around for the rest of their servitude, despite there being real-world exploits for real-world configurations.

    For us rational people, places like osvdb.org exist.

    This doesn't even take into account the fact that 12 different patches with at least 2 or more of them being mutually exclusive are needed to make his software work. Indeed, these 12 patches are one offs usually written by one or two people and compromise the touted security of "DJB"'s godness.

    PS if by "very well written" you mean hardcoded, very ugly code, using every hardware "trick" possible (thereby decreasing portability), you have an interesting perception of reality. I'll compare Postfix's coding style to Qmail's any day.

  10. Talk to DynDNS by b.thompson · · Score: 2, Insightful

    I'm just throwing this out here, but why not contact the people at DynDNS.org and ask about licensing their software (or process, or however they do it) for your internal use. It could solve your problem (and maybe quicker than rolling your own solution), and at the same time potentially create a new revenue stream for them.

  11. Consider an Appliance! by Llama+Keeper · · Score: 2, Interesting

    Have you considered an appliance solution?

    I have several colleagues that have InfoBlox appliances in production and love the devices. I believe that they do a 30-day free evaluation. Their units are reasonably priced and very full-featured. Pre-sales engineering is pretty good too from what I've been told.

    --
    Rule of Life Number 2: Remember, it can all go to hell at any minute. --Jimmy Buffet
  12. MaraDNS by Wabbit+Wabbit · · Score: 2, Informative

    I've been using MaraDNS quite happily. Never a problem on FreeBSD, Slackware or OS X. The developer is very responsive, and the documentation is very very good, unlike that for some other alternative DNS daemons *cough*tinydns*cough*

    The zone syntax and config file structure is worlds ahead of BIND and actually makes setting up DNS fun (no, I'm not kidding. Well-written software is always a pleasure to use).

    --
    Nothing is inexplicable; only unexplained -Tom Baker, Doctor Who