When's the Time to Bring DNS and DHCP In-House?
What could be causing the problems? Your network is slow; users' complaints are mounting. If DNS and DHCP services are configured correctly, you can eliminate at least one headache from your list of network problems.
While researching the network topography of a large engineering company for a recent consulting job, I asked the company network administrator about the DNS and DHCP servers. He confidently replied that they were both on the router. Knowing that was a strange answer, I poked around and found that they were using a computer in an ISP datacenter located 1000 miles away! The DHCP service was indeed on the company perimeter router, but the company was not running an internal server DNS at all. They were relying on their ISP to serve any DNS requests for all 450 of the company's computers- a round trip of 2000 miles just to find computer names. No wonder the users were complaining!
Do you know what DNS means? Do you know where your DNS server is? Does the term DHCP ring a bell? As the number of computers in a company network grows, so does the administrative overhead involved in maintaining the computer network. DNS and DHCP can keep the overhead to a background task.
By using DNS and DHCP in concert, a site can happily grow to hundreds or thousands of nodes servers, desktop systems, laptops, printers, whatever, with minimal network/systems administrator effort. Both DNS and DHCP are essential tools in the network administrator's toolkit for managing all the IP devices on a corporate network.
"So what?" you might ask."Let my ISP take care of running the DNS service, I have enough other systems worries."
"Well, that is probably not the best idea," asserts Betsy Schwartz, a systems administrator who managed the DNS servers at Genuity. "Every time you do a DNS lookup finding a computer in the DNS database you are sending packets to your provider's datacenter and back again. If your ISP provider's data center happens to be located across the country, you are just adding unnecessary latency or slowness to your internet connection."
"Let the ISP handle the DNS records for your mail and web servers because they are on the Internet anyway," advises Steve Henderson, Manager of DNS services at Verizon "otherwise keep it in-house". More significantly, if you are managing a private network, the ISP cannot handle the DNS requests simply because they cannot see your internal IP addresses from the Internet.
DNS and DHCP can make a system administrator's life simpler and easier. Fortunately, the protocols are so flexible that they can be implemented either together or separately depending on the size and configuration of your enterprise network.
Domain Name Service
(DNS) is a giant distributed hierarchical database of all the IP addresses matched with the all domain names in the world. Paul Mockapetris published the original DNS architecture in 1984. Designed originally to handle the problem of tracking the large number of IP addresses and computer names that make up the Internet, it has remained the gold standard for maintaining the Internet domain structure. Prior to the implementation of DNS, all information about host names and IP addresses was stored in a hosts file on each computer on a network. As networks grew, it quickly became impractical to map everything in a single text file. Think how large the file would be for the Internet!
"The whole concept of a global namespace is tied to the Internet itself,then firewalls and split DNS came later in for security reasons" according to Henderson. Looking at a name of a computerinformsyou where it is located in the DNS hierarchy. For example, if you have a host named mail.westcoast.mycompany.com, mail is the actual name of the computer, .westcoast is the subdomain, .mycompany is the second-level domain, .com is the top-level domain, and " ." (not explicit in the name) is root. Think of DNS as the Army, each unit only knows exactly what it needs to know and where to send a request for additional information.
If DNS is the Army, the Dynamic Host Configuration Protocol(DHCP) is the CIA; each agent is assigned a new secretcode address regularly and only knows where to send information. DHCP is used to automatically assign IP addresses, to deliver TCP/IP stack configuration parameters such as the subnet mask and default router, and to provide other configuration information such as the addresses for printer, time, and news servers. Because DHCP automatically assigns random IP addresses from a pre-assigned range of addresses, you do not have to worry about assigning computer or system name/address pairs on a permanent basis. It is ideal in a dynamic environment where computers are constantly moving (laptops going back and forth between home and the office, for example). Once configured, it is extremely easy to administer. Macs and PCs understand DHCP fluently. Plug both flavors of computer into the same DHCP- enabled network, and the Internet pours in flawlessly. If you have a network of a few computers (under 10 for instance) you are probably better off with just DHCP and not implementing DNS. Many people use this configuration for their homes or small businesses.
"Looking up IP addresses can be a nightmare if you have more than a couple to remember" reports Hal German, a systems analyst at Genuity." If you have network-enabled printers, unless you lock the address, it will change every time you disconnect the printer from the network. This can be extremely frustrating for the users.If you have more than a small number of machines, then you should be looking at implementing DNS in addition to DCHP."
Copyrm_printer.business.com is much easier to remember than "10.0.0.63" even if the address is permanently assigned to the device. At the engineering company where I recently consulted, each time someone rebooted the DHCP server, the IT staff needed to reconfigure the printer servers for all 43 printers on the network. DNS is particularly appropriate in an environment with many servers and networked printers because you can assign mnemonic names to shared devices in addition to their IP addresses.
"But I am running a private address space why do I need DNS?" Network Address Translation (NAT), also known as "split DNS", is what keeps the network IP addresses inside the company private. The rest of the world cannot see inside the company network, so NAT translates the privateinternaladdresses into the ISP assigned external address. It is normally configured on the customer perimeter router - the router that connects the company to the internet. "Cisco has good support for DNS and NAT," Steve Henderson reports. He should know; Henderson manages the DNS servers for most of Verizon. "Configuring the company network this way is very useful for securing it from the outside as well as conserving IP address space. Unless the company network is very small, I strongly recommend implementing DNS in this configuration". Without DNS, the network is difficult to use because the users need to memorize so many IP address numbers.
There are a number of ways to implement DNS in-house depending on the specifics of the company computer systems architecture. The choice depends on the available skills in your shop and the network configuration. If you have staff or access to consultants who have the skills, then go ahead. One nice thing about implementing DNS is that once it is set up, it pretty much runs without much need for human intervention. That means that if you hire a consultant to do the initial configuration, you only need to maintain the service with a minimum of skills and resources. You have three choices for configuring the service:using Microsoft Active Directory, implementing it on a UNIX flavor of your choice, or (the newest possibility) purchasing a DNS/DHCP service appliance. Whatever implementation you choose, once it is configured, the best DNS/DHCP server reliably blinks and serves IP addresses and host names on your network.
MS Active Directory
"I have a Microsoft shop, is this for me?"
"Active Directory works well in Microsoft shops," states Henderson. "It is easy to configure and has a well integrated DHCP service, but be aware it does use extensions that are not supported by other DNS implementations". Microsoft included Active Directory in Windows 2000 server. The great innovation is that it combined DNS and DHCP in one large and reasonably manageable service with a simple GUI interface.
The Microsoft website, has a wealth of information on how to implement DNS using Active Directory. There are also a large number of books available on the market on how to implement Active Directory. I recommend Windows 2000 Active Directory by Joe Cassad, published by McGraw Hill. It is both clear and comprehensive.
The main trick to setting up DNS/Active Directory is that you really need to think about the size, stability, and organization of the enterprise when you are implementing the system. If you make a major mistake, it can be very difficult to change the structure after the fact. For example, if you have Windows NT 4.0 servers, migrating to Active Directory can be difficult and problematic. Since Microsoft extensively redesigned the system from NT, the two systems are not entirely compatible. In that situation, it is better to keep the NT domain separate and make it a trusted peer of the new Active Directory domain.
"The simplest and most robust DNS to implement is UNIX remember it has been around for close to 20 years already," says Schwartz. "If the enterprise already has some UNIX or Linux systems and the staff has some UNIX skill, I would recommend using the DNS built into UNIX." Fortunately, there are a number of good resources to help configure a UNIX DNS server. The O'Reilly book, DNS and BIND by Paul Albitz and Cricket Liu is an invaluable resource that goes into the guts of how the system works. The Linux Documentation Project is also an excellent source of information with clear and simple directions on how to setup the service under Linux.
The newest approach, and maybe the easiest for taking the headache out of managing the company DNS/DCHP service, is to purchase a dedicated appliance that plugs into the corporate network. This solution offers the appeal of plug and play. "As corporations rely on network infrastructure for their core businesses they need the underlying services like DNS and DHCP to be simple, secure and reliable," says Stuart Bailey founder of InfoBlox, an Evanston start-up selling a new turn-key "server appliance" under the name DNS One. "DNS One has the reliability of the underlying UNIX infrastructure plus the friendliness and usability of a GUI interface." Bailey said his model was Cisco Systems, which developed routers, stand-alone appliances to transfer messages between computers. The company has provided the DNS/DHCP services for the NetWorld+InterOP shows for the past year. Although InfoBlox sells to all size companies, small and mid-sized companies might find this solution particularly appealing because it is so simple to deploy.
Important DNS Commands
nslookup is a command to query Internet domain name servers. nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain. To find out where your DNS server is type the command: nslookup
The dnsquery program queries domain name servers via the resolver library. To query domain name servers using resolver, use the command: dnsquery <host>