June 28, 2007

DNS Vendor Traps: Caveat Emptor

Filed under: Uncategorized — Juha @ 7:08 pm

During the last couple of months, we have heard about a number of cases in which organizations have been less than happy with the DNS and IP addressing solutions they have procured from certain vendors operating in our industry. In most cases, these problems could have been avoided by following a simple checklist when assessing the general solution architecture of different offerings. While A Guide for Managers – Internet Domain Name Services by John Hardcastle provides an excellent overview of DNS, its underlying architecture and related security implications (many people have thanked us for writing and publishing this document), here’s a two-item list of the things you’d best avoid:

First, please make sure that any DNS / IP address management solution you’re thinking about implementing adheres to standards-based DNS architecture. If the solution does not make full use of basic things such as standard zone transfers and hidden master + authoritative slave architecture, but rather uses a proprietary solution architecture dubbed HA, you may be on your way to a carefully orchestrated vendor trap. To avoid this, please make sure that any solution you implement can be operated in a mixed environment consisting of both plain BIND and/or DHCPD servers and commercial products. Even if you do not wish to run BIND and/or DHCPD as plain open source software, requesting this ability ensures you will not get trapped and also that you will be able to export your existing data to the new solution without problems.

Second, please take a close look at the client/server architecture to make sure that the solution you are going to implement supports “thin client” architecture rather than “fat client” architecture, basically for two reasons. First, as many organizations have nowadays certified the different pieces of software that may be run on a given workstation and/or mobile client for security reasons, certifying a new fat client may become somewhat tedious – after all, there are no guarantees of what the fat client actually does and how secure it is. And second, if the fat client is installed only on the computers of a handful of admins, it will be difficult to distribute responsibility, and it may become difficult to make any changes when the key people are out of office.

By making sure that the solution you decide to implement DOES NOT have these traits (i.e. it should adhere to standard DNS architecture and should not require fat clients to be operated), you can make sure that you will not get trapped with a bad solution.
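The hidden master + authoritative slave layout named in the first item, sketched as plain BIND `named.conf` fragments. This is an added example, not configuration from the original post or from any vendor; the zone name, key name, file paths and the documentation-range addresses are constructed placeholders. A product that interoperates through standard zone transfers can take the place of either side without the other noticing.

```conf
// ---- hidden master: holds the editable zone data, is NOT listed in NS records ----
key "xfer-key" {                          // constructed TSIG key name
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";  // placeholder, generate your own
};

acl "public-slaves" { 192.0.2.53; 198.51.100.53; };   // constructed addresses

options {
    recursion no;
    allow-query { "public-slaves"; localhost; };  // only the slaves talk to the master
    allow-transfer { none; };                     // deny transfers unless a zone allows them
    notify explicit;                              // NOTIFY only the also-notify list
};

zone "example.com" {
    type master;
    file "zones/example.com.db";
    allow-transfer { key "xfer-key"; };           // standard AXFR/IXFR, TSIG-signed
    also-notify { 192.0.2.53; 198.51.100.53; };
};

// ---- public authoritative slave: the server named in the zone's NS records ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";          // same secret as on the master
};

options {
    recursion no;
    allow-transfer { none; };                     // slaves do not hand the zone onward
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 203.0.113.10 key "xfer-key"; };     // constructed hidden-master address
};
```

Because the slave side needs nothing beyond a `masters` address and a TSIG key, asking a vendor to serve as either half of this pair next to a plain BIND server is a direct test of the mixed-environment requirement.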

Caveat Emptor – Let the Buyer Beware!

June 12, 2007

Managers’ Guide to DNS

Filed under: Uncategorized — Juha @ 5:44 pm

There are 10 kinds of people: those who understand binaries, and those who don’t. Having discussed DNS with hundreds of interested people and organizations during the last eight months, we think this adage can also be applied to DNS.

Based on our experience, one of the biggest reasons why 50%+ of DNS installations continue to be insecure is that many people – especially managers – are having a hard time understanding the exact details pertaining to DNS. While practically everyone we’ve talked to does understand that DNS maps IP addresses to human-readable domain names and vice versa, the inner workings of the underlying DNS architecture and its security implications are areas that have remained somewhat unclear for many. We believe this is also why organizations continue to be somewhat hesitant about addressing the immediate DNS problems haunting networks all over the world.

To put DNS into perspective, John Hardcastle (our representative in APAC) decided to put together a three-page document that nails down pretty much everything an enlightened decision maker should know about Domain Name Service. The resulting paper – A Guide for Managers to Internet Domain Name Services (DNS) – can be downloaded free of charge from this link or from www.nixusoftware.com. As it takes only 15 minutes to read the document, it is recommended reading for anyone who wants a quick grasp of the complexities associated with DNS.

If you think your friends or organization would benefit from this paper, please feel free to download it and circulate it as you see fit.

June 7, 2007

Paradigm Shift Depends on DNS

Filed under: Uncategorized — Juha @ 8:07 pm

At Nixu Software, we believe that the disruptive force of virtualization has a good chance of revolutionizing the IT industry over the course of the next few years. We’re not alone in our vision, either, as an increasing number of market analysts and other pundits are beginning to see the drastic changes lying ahead of us. For an interesting take on the topic, please read IDC’s Technology Assessment: “The Impact of Virtualization Software on Operating Environments”.

In their assessment, IDC sees that inexpensive software appliances such as Nixu SNS (Secure Name Server) are going to change the way in which software is distributed and consumed. We couldn’t agree more, which is also why we have created virtualization-ready software appliance versions of all our DNS and IP addressing products.

But when it comes to virtualization, it has gone largely unnoticed that a well-functioning and reliable Domain Name System is a prerequisite for implementing highly available virtualization platforms – for a VMware related example, please see the following link. This is also why organizations planning virtualization projects should seriously consider implementing DNS software appliances on their virtual platforms (as virtual machines) before doing anything else.
