When’s the Time to Bring DNS and DHCP In-House?

What could be causing the problems? Your network is slow; users’
complaints are mounting. If DNS and DHCP services are configured
correctly, you can eliminate at least one headache from your list of
network problems.

While researching the network topography of a large engineering
company for a recent consulting job, I asked the company network
administrator about the DNS and DHCP servers. He confidently replied
that they were both on the router. Knowing that was a strange answer,
I poked around and found that they were using a computer in an ISP
datacenter located 1000 miles away! The DHCP service was indeed on the
company perimeter router, but the company was not running an internal
server DNS at all. They were relying on their ISP to serve any DNS
requests for all 450 of the company’s computers- a round trip of 2000
miles just to find computer names. No wonder the users were
complaining!

Do you know what DNS means? Do you know where your DNS server is? Does the term
DHCP ring a bell? As the number of computers in a company network grows, so
does the administrative overhead involved in maintaining the computer network.
DNS and DHCP can keep the overhead to a background task.

By using DNS and DHCP in concert, a site can happily grow to hundreds or
thousands of nodes servers, desktop systems, laptops, printers, whatever, with
minimal network/systems administrator effort. Both DNS and DHCP are essential
tools in the network administrator’s toolkit for managing all the IP devices on
a corporate network.

“So what?” you might ask.”Let my ISP take care of running the DNS service, I
have enough other systems worries.”

“Well, that is probably not the best idea,” asserts Betsy Schwartz, a systems
administrator who managed the DNS servers at Genuity. “Every time you do a DNS
lookup finding a computer in the DNS database you are sending packets to your
provider’s datacenter and back again. If your ISP provider’s data center
happens to be located across the country, you are just adding unnecessary
latency or slowness to your internet connection.”

“Let the ISP handle the DNS records for your mail and web servers because they
are on the Internet anyway,” advises Steve Henderson, Manager of DNS services
at Verizon “otherwise keep it in-house”. More significantly, if you are
managing a private network, the ISP cannot handle the DNS requests simply
because they cannot see your internal IP addresses from the Internet.

DNS and DHCP can make a system administrator’s life simpler and easier.
Fortunately, the protocols are so flexible that they can be implemented either
together or separately depending on the size and configuration of your
enterprise network.


Domain Name Service

(DNS) is a giant distributed hierarchical database of all the IP addresses
matched with the all domain names in the world. Paul Mockapetris published the
original DNS architecture in 1984. Designed originally to handle the problem of
tracking the large number of IP addresses and computer names that make up the
Internet, it has remained the gold standard for maintaining the Internet domain
structure. Prior to the implementation of DNS, all information about host names
and IP addresses was stored in a hosts file on each computer on a network. As
networks grew, it quickly became impractical to map everything in a single text
file. Think how large the file would be for the Internet!


“The whole concept of a global namespace is tied to the Internet
itself,then firewalls and split DNS came later in for security
reasons” according to Henderson. Looking at a name of a
computerinformsyou where it is located in the DNS hierarchy. For
example, if you have a host named
mail.westcoast.mycompany.com, mail is
the actual name of the computer, .westcoast is the subdomain,
.mycompany is the second-level domain, .com is the top-level domain,
and ” .” (not explicit in the name) is root. Think of DNS as the Army,
each unit only knows exactly what it needs to know and where to send a
request for additional information.

If DNS is the Army, the Dynamic Host Configuration Protocol(DHCP)
is the CIA; each agent is assigned a new secretcode address regularly
and only knows where to send information. DHCP is used to
automatically assign IP addresses, to deliver TCP/IP stack
configuration parameters such as the subnet mask and default router,
and to provide other configuration information such as the addresses
for printer, time, and news servers. Because DHCP automatically
assigns random IP addresses from a pre-assigned range of addresses,
you do not have to worry about assigning computer or system
name/address pairs on a permanent basis. It is ideal in a dynamic
environment where computers are constantly moving (laptops going back
and forth between home and the office, for example). Once configured,
it is extremely easy to administer. Macs and PCs understand DHCP
fluently. Plug both flavors of computer into the same DHCP- enabled
network, and the Internet pours in flawlessly. If you have a network
of a few computers (under 10 for instance) you are probably better off
with just DHCP and not implementing DNS. Many people use this
configuration for their homes or small businesses.

“Looking up IP addresses can be a nightmare if you have
more than a couple to remember” reports Hal German, a systems analyst at
Genuity.” If you have network-enabled printers, unless you lock the address, it
will change every time you disconnect the printer from the network. This can be
extremely frustrating for the users.If you have more than a small number of
machines, then you should be looking at implementing DNS in addition to DCHP.”

Copyrm_printer.business.com
is much easier to remember than “10.0.0.63” even if the address is permanently
assigned to the device. At the engineering company where I recently consulted,
each time someone rebooted the DHCP server, the IT staff needed to reconfigure
the printer servers for all 43 printers on the network. DNS is particularly
appropriate in an environment with many servers and networked printers because
you can assign mnemonic names to shared devices in addition to their IP
addresses.

“But I am running a private address space why do I need DNS?”
Network Address Translation (NAT), also known as “split DNS”, is what
keeps the network IP addresses inside the company private. The rest of
the world cannot see inside the company network, so NAT translates the
privateinternaladdresses into the ISP assigned external address. It is
normally configured on the customer perimeter router – the router that
connects the company to the internet. “Cisco has good support for DNS
and NAT,” Steve Henderson reports. He should know; Henderson manages
the DNS servers for most of Verizon. “Configuring the company network
this way is very useful for securing it from the outside as well as
conserving IP address space. Unless the company network is very small,
I strongly recommend implementing DNS in this configuration”. Without
DNS, the network is difficult to use because the users need to
memorize so many IP address numbers.

There are a number of ways to implement DNS in-house depending on
the specifics of the company computer systems architecture. The choice
depends on the available skills in your shop and the network
configuration. If you have staff or access to consultants who have the
skills, then go ahead. One nice thing about implementing DNS is that
once it is set up, it pretty much runs without much need for human
intervention. That means that if you hire a consultant to do the
initial configuration, you only need to maintain the service with a
minimum of skills and resources. You have three choices for
configuring the service:using Microsoft Active Directory, implementing
it on a UNIX flavor of your choice, or (the newest possibility)
purchasing a DNS/DHCP service appliance. Whatever implementation you
choose, once it is configured, the best DNS/DHCP server reliably blinks
and serves IP addresses and host names on your network.

MS Active Directory

“I have a Microsoft shop, is this for me?”

Yes absolutely!

“Active Directory works well in Microsoft shops,” states
Henderson. “It is easy to configure and has a well integrated DHCP service,
but be aware it does use extensions that are not supported by other DNS
implementations”. Microsoft included Active Directory in Windows 2000 server.
The great innovation is that it combined DNS and DHCP in one large and
reasonably manageable service with a simple GUI interface.

The Microsoft website, has
a wealth of information on how to implement DNS using Active
Directory. There are also a large number of books available on the
market on how to implement Active Directory. I recommend Windows 2000
Active Directory
by Joe Cassad, published by McGraw Hill. It is both
clear and comprehensive.

The main trick to setting up DNS/Active Directory is that you
really need to think about the size, stability, and organization of
the enterprise when you are implementing the system. If you make a
major mistake, it can be very difficult to change the structure after
the fact. For example, if you have Windows NT 4.0 servers, migrating
to Active Directory can be difficult and problematic. Since Microsoft
extensively redesigned the system from NT, the two systems are
not entirely compatible. In that situation, it is better to keep the NT
domain separate and make it a trusted peer of the new Active Directory
domain.

Unix/Linux DNS

“The simplest and most robust DNS to implement is UNIX remember it has
been around for close to 20 years already,” says Schwartz. “If the
enterprise already has some UNIX or Linux systems and the staff has
some UNIX skill, I would recommend using the DNS built into UNIX.”
Fortunately, there are a number of good resources to help configure a
UNIX DNS server. The O’Reilly book, DNS and BIND by Paul
Albitz and Cricket Liu is an invaluable resource that goes into the
guts of how the system works. The Linux
Documentation Project
is also an excellent source of information
with clear and simple directions on how to setup the service under
Linux.

Appliance DNS/DHCP

The newest approach, and maybe the easiest for taking the headache out of
managing the company DNS/DCHP service, is to purchase a dedicated appliance
that plugs into the corporate network. This solution offers the appeal of plug
and play. “As corporations rely on network infrastructure for their core
businesses they need the underlying services like DNS and DHCP to be simple,
secure and reliable,” says Stuart Bailey founder of InfoBlox, an Evanston
start-up selling a new turn-key “server appliance” under the name DNS One.
“DNS One has the reliability of the underlying UNIX infrastructure plus the
friendliness and usability of a GUI interface.” Bailey said his model was
Cisco Systems, which developed routers, stand-alone appliances to transfer
messages between computers. The company has provided the DNS/DHCP services for
the NetWorld+InterOP shows for the past year. Although InfoBlox sells to all
size companies, small and mid-sized companies might find this solution
particularly appealing because it is so simple to deploy.

Important DNS Commands

nslookup is a command to query Internet domain name servers. nslookup
has two modes: interactive and non-interactive. Interactive mode allows the
user to query name servers for information about various hosts and domains or
to print a list of hosts in a domain. Non-interactive mode is used to print
just the name and requested information for a host or domain. To find out where
your DNS server is type the command: nslookup

The dnsquery program queries domain name servers via the
resolver library. To query domain name servers using resolver, use the
command: dnsquery <host>


»


See All Articles by Columnist
Beth Cohen

Latest Articles

Follow Us On Social Media

Explore More