Let's Talk DNS

mmcgurty · August 05, 2015, 10:29:27 AM

I am looking for some direction for DNS. In my organization we are fairly siloed. My department handles traditional routing, switching, cabling, firewalls, load balancers, etc. We have another group that is strictly things like Microsoft Active Directory, Microsoft DNS, Microsoft Exchange, Microsoft DHCP, etc. We have been having issues using public Google DNS and public OpenDNS for external DNS lookups. We believe we are being rate limited or cut off completely. We found out that while we use Microsoft DNS to do the external lookups, we don't cache any of this information. Therefore, based on our calculations we are hitting Google or OpenDNS with 1000+ DNS queries per second or 40K-60K per minute. The Microsoft team wants to setup DNS caching but we think this will only be a temporary solution. We are looking for something more permanent.

We have dual 500Mb of Internet bandwidth available but our ISP does not guarantee and SLA when using their DNS service. We have just started looking at a DNS caching server from Infoblox ($25K/year) and Men and Mice caching server (uses Unbound underneath, no prices yet). However, are we looking at the right thing? Shouldn't we be looking to point our external queries to someone who can provide those rate we need as well as an SLA on this? Does anyone know where we should be looking for this? I saw OpenDNS has some Business/Enterprise options but I am still not sure this is the correct thing. Any input would be welcome because this is all new to me and our side of the house.

routerdork · August 05, 2015, 11:10:21 AM

I can't say too much about all of this but I can say that Infoblox is a great product. It really is just an appliance with BIND underneath but it works great and is much easier to configure. In my last role we had two 1050's in a cluster for all of our customers. I imagine yours will be quite a bit bigger. Updates are for the most part solid and you can test them. Plus when updating a cluster it does one device at a time so there is always a DNS server online.

Otanx · August 05, 2015, 11:31:50 AM

Why use Google or OpenDNS at all. Cut out the middle man, and go direct to the root servers. I have not had a chance to play with Infoblox yet, but I keep hearing good things.

-Otanx

mmcgurty · August 05, 2015, 12:04:43 PM

Quote from: routerdork on August 05, 2015, 11:10:21 AM
I can't say too much about all of this but I can say that Infoblox is a great product. It really is just an appliance with BIND underneath but it works great and is much easier to configure. In my last role we had two 1050's in a cluster for all of our customers. I imagine yours will be quite a bit bigger. Updates are for the most part solid and you can test them. Plus when updating a cluster it does one device at a time so there is always a DNS server online.

Apparently some of the other folks on the team had a Webex with Infoblox and really liked the interface/dashboard it provided of statistics. Not sure what model/size they recommended.

mmcgurty · August 05, 2015, 12:11:31 PM

Quote from: Otanx on August 05, 2015, 11:31:50 AM
Why use Google or OpenDNS at all. Cut out the middle man, and go direct to the root servers. I have not had a chance to play with Infoblox yet, but I keep hearing good things.

-Otanx

Are there any rules to follow for doing this? I have never heard of going directly to the root servers. Again, I am very naive in this area so be gentle.

routerdork · August 05, 2015, 12:16:10 PM

If you want to play around with it they have a VM version of all the appliances and it works for 30 or 60 days without a license key. If you aren't done by the time the trial is up you can take a config backup through the GUI, re-do the VM, then restore it. I never tried but that's what the SE told me. The good thing is that you know how man queries per second you are doing already, that was the first thing they asked me in reference to sizing. For some extra fee's you can also add your Windows boxes into the mix. And it's also great as an IPAM tool. And DHCP if you need it. I had a quarterly report I would generate based off of the IPAM data to show our IPv4 usage to management as we got closer to the end of some public blocks.

routerdork · August 05, 2015, 12:17:42 PM

Also I want to say be default the root servers are already setup for forward lookups in the Infoblox but I can't remember for sure.

mmcgurty · August 05, 2015, 02:36:42 PM

Quote from: routerdork on August 05, 2015, 12:16:10 PM
If you want to play around with it they have a VM version of all the appliances and it works for 30 or 60 days without a license key. If you aren't done by the time the trial is up you can take a config backup through the GUI, re-do the VM, then restore it. I never tried but that's what the SE told me. The good thing is that you know how man queries per second you are doing already, that was the first thing they asked me in reference to sizing. For some extra fee's you can also add your Windows boxes into the mix. And it's also great as an IPAM tool. And DHCP if you need it. I had a quarterly report I would generate based off of the IPAM data to show our IPv4 usage to management as we got closer to the end of some public blocks.

We would like an IPAM tool. We currently use IPPlan v4.92b for this. No hooks into internal DNS to resolve names to IP or show last used or anything. We are looking at POC'ing for 90 days the Men and Mice IPAM product with RO into Microsoft AD for DNS/DHCP.

Reggle · August 05, 2015, 03:55:15 PM

Quote from: routerdork on August 05, 2015, 12:17:42 PM
Also I want to say be default the root servers are already setup for forward lookups in the Infoblox but I can't remember for sure.

I can confirm this, and that's because BIND works similar.

I would personally recommend BIND9 directly. It'll be 100% CLI Linux though. Infoblox is good too, and has a nice GUI.

routerdork · August 06, 2015, 08:49:09 AM

Also if anyone is wanting to learn more about DNS, especially BIND this is a great book to learn it. Each chapter takes you a step further into building your BIND server. Plus there is an extra book you can get for IPv6 on BIND. And last I heard the main author, Cricket Liu, worked at Infoblox. I got to meet him at one of our user group meetings several years ago. Very nice guy.

http://shop.oreilly.com/product/9780596100575.do

deanwebb · August 06, 2015, 11:31:05 AM

Another vote for Infoblox. We're looking to get their stuff into our environment because of some cool security that they can do.

wintermute000 · August 08, 2015, 06:30:35 AM

with host files, you'll be entirely self reliant and perfectly secure with no external lookups

(i kid, i kid)

Lots of orgs use their local ISP and then fallback to google or opendns.
You can also load balance your outbound NAT so your DNS resolvers come as different IPs.
If AD is caching correctly, what do you gain by running BIND/Infoblox/whatever? (as much as I love messing around with linux, what exactly does an enterprise need that microsoft DNS cannot provide)

deanwebb · August 08, 2015, 09:33:25 AM

Infoblox does a lot of cool security stuff, like quashing DNS queries sent as part of a data exfiltration scheme.

packetherder · August 08, 2015, 12:48:47 PM

Quote from: wintermute000 on August 08, 2015, 06:30:35 AM
as much as I love messing around with linux, what exactly does an enterprise need that microsoft DNS cannot provide

If all you're doing is recursive searches from inside your firewalls, it's ok, but it lacks some head-scratching features when used outside of that context. Not being able to put ACLs on query-sources or do zone delegations (lol, really?) are some I've run into.

wintermute000 · August 09, 2015, 05:29:40 PM

that's hilarious, I did not know that. I was under the mistaken impression it was full featured or at least capable of being setup as such.