DNS, DHCP and IP address management (DDI)

The Domain Name System (DNS) is one of the most fundamental components of the Internet’s infrastructure, allowing people to find websites, use e-mail and access a whole range of other online services. It works in close co-operation with the Dynamic Host Configuration Protocol (DHCP), a system for dynamically allocating IP addresses to individual computing devices. For this reason, control and administration of DNS and DHCP is often handled together and referred to as DNS, DHCP and IP address management (DDI). Taken together they form an essential part of any organization’s infrastructure with other key systems such as Active Directory® relying heavily on their correct functioning.

It’s essential that these core services are secure and always available, as failure can have a catastrophic impact on users and day-to-day business operations. Despite this central importance, on inspection many organizations find that, for good reasons, their DDI deployment has slowly evolved into a state that fails to match today’s needs for agile business operations, resilience and security protection.

Issues with managing DDI

Administering and managing DNS, DHCP and other related IP issues can be very time consuming and demanding. The complexity increases as an organization grows and is currently being compounded by the staged introduction of IPv6 Internet addressing. In larger organizations this administrative work is often shared between different operating units, which makes co-ordination and delegation an extra hurdle.

The traditional way of managing DNS and DDI is to manually edit configuration files with tools such as UNIX vi and Berkeley Internet Name Domain’s (BIND) rndc utility. This way of working involves repetitive steps and attention to finicky detail, both of which provide huge potential for mistakes that are easily replicated across a network. As many as three quarters of organizations simply rely on Excel spreadsheets to keep track of these updates and to generally manage IP addressing throughout the enterprise.[1]

Although this is what many network managers are familiar with, considerable time is spent checking, rechecking and reconciling DNS and DHCP values, and this becomes even more difficult when using IPv6’s longer addresses and IPv4/IPv6 dual stacking. Things are further complicated by the management of DHCP as Bring Your Own Device (BYOD) schemes proliferate and IP-based telephony increases the number of devices being connected dynamically.

On top of management issues, DNS security is increasingly a worry, with threats, particularly to DNS, having grown rapidly in recent years.

All in all, DDI can be a major headache for already hard-pressed network managers and making mistakes can be very costly, involving service outage and angry users.

What’s the solution?

The remedy for DDI headaches is to deploy a fully integrated, centralized system that comprehensively manages DNS, DHCP and related IP services in real-time across the whole organization. Built from a range of purpose-built hardware appliances with integrated DDI software, these solutions employ easy-to-use graphical interfaces with built-in intelligence and automatic synchronization, to make it easy to manage all aspects of DDI. In a nutshell, it’s about letting software do the work.

The result is a far more efficient DDI management environment with big time and cost savings, enhanced security and maximum IP system resilience.

The activereach solution

activereach’s family of DDI appliances provides an ultra-secure, highly flexible solution to give organizations complete control over their DNS and IP address management issues.

We offer a range of integrated 1U rack-mountable hardware models for a variety of DDI management scenarios: from individual DNS slaves, through DNS caches (resolvers) and DHCP servers, to master appliances. Authoritative DNS is provided by built-in, industry-standard BIND software, whilst recursive DNS resolution uses Unbound, specialist lightweight caching software with up to 2.5 times the performance of BIND. The hardware supports robust, secure performance using a custom-built hardened Linux operating system and solid-state storage for maximum resilience.

Our equipment supports DNS separation of roles, the industry architectural best practice for IP-related security and resilience. These roles can be separated into physical hardware, for maximum resilience, or by ‘sandboxing’ via operating system processes for lower costs. The equipment is scalable and easily interlinked, and, most importantly, offers a large number of security features.

Our solution features:

  • Unified administration for managing all aspects of DDI.
  • Easy-to-use, graphics-rich interfaces with fast data entry, automation tools, sub-net tree views and data checking facilities.
  • Automatic synchronization with live DNS server systems and IP data.
  • Multiple administrators can easily work together, sharing workload and avoiding complex manual delegation processes.
  • Ultra-secure, high-performance, authoritative and caching DNS.
  • Supports up to 32,000 authoritative DNS queries per second.
  • Automatic synchronization of zone data from master to slave DNS systems.
  • Audit trails and reports for compliance.
  • Performance measurement tools and real-time activity monitoring.
  • Aggregated visibility of multiple, distributed DHCP servers across the organization.
  • Handles large IP phone deployments and Bring Your Own Device schemes.
  • Integrates with existing systems such as Windows Active Directory.
  • Full support for IPv6 and dual stacking.
  • Command line interface for scripting large or complex DNS tasks.
  • Solid state storage for maximum reliability.

Microsoft, Windows and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

[1] Lawrence Orans, MarketScope for DNS, DHCP and IP Address Management, (Stamford, U.S.A.: Gartner, 2012)