Analysis of DNS Management Systems

Simon Waters Simon at wretched.demon.co.uk
Sat Dec 6 11:04:19 UTC 2003


Bianca wrote:
> 
> I'm quite new to the whole DNS subject. But the company I work for 
> wants me to analyze and evaluate different solutions for DNS
> Management and DNS Monitoring - especially in association with Active
> Directory and Win2K. I need your expertise and experience, please!
Do you ever feel you might be the wrong person for the job ;-)

> - change the DNS Management System

You already have one of the best (if rather expensive) DNS management
systems available. Presumably you've already paid for it, so the cost is
probably not such an issue.

> - get deeper into the alarming system by using BMC's DNS Knowledge 
> Module

Sounds like a plausible plan, if you already have Patrol deployed, you
might as well use it to monitor your DNS. DNS monitoring isn't rocket
science, integrating it into your support and notification systems is
usually the hard bit - such as stopping it going off because the network
links went down. Thus good integration probably counts more than having
the best tool.

I'm guessing DHCP monitoring is more fun than DNS, as it is harder to
emulate a client remotely. Although I've only ever used it for desktop
systems, which usually come with their own somewhat erratic monitoring
systems, users.

> - secure failover in case one of our DNS / DHCP servers goes down

DNS failover is irrelevant, you just list multiple servers, the pain
comes if a box doesn't fail, but just runs slow, or gives inappropriate
answers, although that pain is usually associated with a few seconds
delay whilst time-outs kick in.

The QIP software lets you get clever with the dynamic updates, and DHCP,
if you need to, but very few organisations do.

So based on your very limited description, my best guess is you have the
tools to do the job. Now you need to figure out:

1) if your company knows how to use them.
2) if there is some other big company politics going on.
3) what the pain is (i.e. why they think they have a DNS problem).

I'm sure once you answer those questions, the technical ones will fall
into place.

My guess is the Active Directory people want to take it over, and
integrate a critical service deep into the hearts of the Microsoft
Active Directory service. The upside being it is cheap (once you commit
to the MS way, and have bought the ADS hardware and expertise), the
downside being Microsoft are notoriously poor at DNS (you probably
thought BIND has had too many security issues), and issues with lock-in
and reliability (DNS is essentially a simple service which attains
reliability in part by being so simple - at the end of the day you can
get QIP to dump its data into zone files, take the database offline,
upgrade, patch, deworm, and bring it all back without the users
noticing, if really bad things happen you COULD hand edit those zone
files in the interim).



-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/0be0GFXfHI9FVgYRAnyOAKCnKX1bAaZbVnwahQDh2k6tLvx4cwCg1+Y8
rVLXUr5XxKTiJ+NQZCautkc=
=h4FC
-----END PGP SIGNATURE-----
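Added example, not part of Simon's post or anything from the bind-users list: a small probe that puts the two points above into code, namely that DNS "failover" is just listing several servers, and that the real pain is a server that answers slowly or wrongly, or a monitor that pages because the network links went down rather than DNS. It builds a raw A query, parses the reply, times each server, classifies each as OK / SLOW / WRONG / DOWN, and reports a suspected network fault instead of a DNS alert when every server is silent. The server addresses, the expected answer, the thresholds and the constructed wire reply are all assumptions.

```python
"""DNS multi-server consistency probe (added example, not from the post).
Assumptions: server list, expected answer and thresholds are made up."""
import socket
import struct
import time

SLOW_SECONDS = 2.0     # assumed threshold: an answer slower than this is "SLOW"
TIMEOUT_SECONDS = 3.0  # assumed per-query UDP socket timeout
TXID = 0x1234          # fixed transaction id, fine for a single-shot probe


def build_query(name, txid=TXID):
    """Build a standard recursive A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid=TXID):
    """Return the set of IPv4 addresses in the answer section; raise on a bad reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                      # RCODE other than NOERROR
        raise ValueError("rcode %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                     # step over the echoed question(s)
        offset = _skip_name(data, offset) + 4
    addrs = set()
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:       # only A records matter to this probe
            addrs.add(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs


def probe(server, name, timeout=TIMEOUT_SECONDS):
    """Query one server over UDP; return (addresses or None on failure, elapsed seconds)."""
    query = build_query(name)
    start = time.monotonic()
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        return parse_a_records(data), time.monotonic() - start
    except (OSError, ValueError):
        return None, time.monotonic() - start


def classify(results, expected, slow=SLOW_SECONDS):
    """Map {server: (addrs or None, elapsed)} to {server: 'OK'|'SLOW'|'WRONG'|'DOWN'}."""
    states = {}
    for server, (addrs, elapsed) in results.items():
        if addrs is None:
            states[server] = "DOWN"
        elif addrs != expected:
            states[server] = "WRONG"        # answers, but not what the zone should say
        elif elapsed > slow:
            states[server] = "SLOW"         # the "doesn't fail, just runs slow" case
        else:
            states[server] = "OK"
    return states


def alert(states):
    """Return None, a DNS alert string, or 'NETWORK?' when every server is silent."""
    if states and all(s == "DOWN" for s in states.values()):
        return "NETWORK?"                   # check the links before paging DNS staff
    bad = sorted(k for k, v in states.items() if v != "OK")
    return "DNS: " + ", ".join("%s=%s" % (k, states[k]) for k in bad) if bad else None


def _sample_response(txid=TXID):
    """Constructed wire reply: www.example.test A 192.0.2.10, name via 0xC00C pointer."""
    question = build_query("www.example.test", txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10")
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration with constructed results (assumed servers, no network needed);
    # replace with {srv: probe(srv, "www.example.test") for srv in servers} to run it live.
    expected = {"192.0.2.10"}
    results = {
        "10.0.0.1": (parse_a_records(_sample_response()), 0.02),
        "10.0.0.2": (expected, 4.5),
        "10.0.0.3": ({"192.0.2.99"}, 0.03),
        "10.0.0.4": (None, 3.0),
    }
    states = classify(results, expected)
    print(states, alert(states))
```

The "NETWORK?" outcome is the integration hook: a monitor that can tell "all four servers silent" apart from "one server wrong" can route the first to the network team and the second to the DNS team instead of waking both.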
