Organizing Your DNS?
Neil Watson asks: "In previous organizations I've kept track of IPs, hostnames and DNS entries by using a single hosts file. I used a script (h2n) to convert the hosts file to DNS entries (BIND). Thus, all information was available in a single text file. For Microsoft Active Directory servers, we had that system's DNS server simply forward all of its requests to the BIND server. Now, I find myself at another organization. This network is considerably larger, with more name servers. The control of IPs, hostnames and DNS entries is somewhat loose, and it is starting to take its toll. How do you organize all of your DNS information in order to easily assign and track all of the entries?"
hehe (Score:1)
Re:hehe (Score:2)
Or at the very least a command line application.
You most certainly should not organise DNS or administrate any other part of your network by hand editing ini and config files. That's just plain stupidity.
Re:hehe (Score:1, Interesting)
I suggest that careful editing of configuration files such as a host file processed by h2n might not be a bad approach. Of course, one is allowed to write additional scripts or programs to check configuration file syntax, consistency and the like, and to make it easier to manage large zones. One could even use make to cause the generation, application, and activation of appropriate DNS zones. Or not. If you can't type, those G
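The workflow the question and this reply describe (a single hosts file as the source of truth, a script converting it to BIND zones, plus extra scripts that check consistency before anything is generated) can be sketched in a few dozen lines. The block below is an added example written for this thread, not the h2n script or any poster's code: it parses a hosts file, refuses to generate zones while duplicate names, duplicate addresses or invalid labels remain, and otherwise emits a forward zone and an in-addr.arpa zone. The hosts file contents, the `example.test` zone, the `ns1`/`hostmaster` names and the /24-only reverse zone are constructed assumptions for the example.

```python
"""h2n-style hosts-file to BIND zone converter with consistency checks (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample hosts file: "IP  canonical-name  [aliases...]  [# comment]".
# It deliberately contains three mistakes so the checks have something to catch.
SAMPLE_HOSTS = """\
# constructed sample inventory
192.0.2.10   www.example.test   www web
192.0.2.11   mail.example.test  mail smtp
192.0.2.12   db.example.test    db
192.0.2.12   db-old.example.test
192.0.2.13   Bad_Host.example.test
192.0.2.14   files.example.test  www
"""

LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # RFC 1123 host label


def relative(name, zone):
    """Strip the zone suffix so names can be compared as zone-relative owners."""
    suffix = "." + zone
    return name[: -len(suffix)] if name.endswith(suffix) else name


def valid_hostname(name):
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_hosts(text):
    """Return a list of (ip, fqdn, [aliases]) tuples, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed hosts line: {raw!r}")
        entries.append((ipaddress.ip_address(fields[0]), fields[1].lower(),
                        [a.lower() for a in fields[2:]]))
    return entries


def check_hosts(entries, zone):
    """Return a list of problems: invalid labels, names owned by two hosts, IPs used twice."""
    problems = []
    names, ips = defaultdict(list), defaultdict(list)
    for ip, fqdn, aliases in entries:
        owner = relative(fqdn, zone)
        ips[ip].append(owner)
        # An alias identical to the owner (e.g. "www" for www.example.test) is not a conflict.
        for name in {owner} | {relative(a, zone) for a in aliases}:
            names[name].append(owner)
            if not valid_hostname(name):
                problems.append(f"invalid hostname {name!r} (RFC 1123 labels only)")
    for name, owners in names.items():
        if len(owners) > 1:
            problems.append(f"name {name!r} used by more than one host: {sorted(set(owners))}")
    for ip, owners in ips.items():
        if len(owners) > 1:
            problems.append(f"address {ip} assigned to more than one host: {sorted(owners)}")
    return problems


def forward_zone(entries, zone, serial):
    """Emit A/AAAA records for canonical names and CNAMEs for aliases."""
    lines = [f"$ORIGIN {zone}.", "$TTL 3600",
             f"@ IN SOA ns1.{zone}. hostmaster.{zone}. ( {serial} 7200 900 1209600 3600 )",
             f"@ IN NS ns1.{zone}."]
    for ip, fqdn, aliases in entries:
        owner = relative(fqdn, zone)
        lines.append(f"{owner} IN {'AAAA' if ip.version == 6 else 'A'} {ip}")
        for alias in aliases:
            rel_alias = relative(alias, zone)
            if rel_alias != owner:
                lines.append(f"{rel_alias} IN CNAME {fqdn}.")
    return "\n".join(lines) + "\n"


def reverse_zone(entries, network, serial):
    """Emit PTR records for every entry inside an IPv4 /24 (example assumption)."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this example only builds reverse zones for IPv4 /24 networks")
    apex = ".".join(reversed(str(net.network_address).split(".")[:3])) + ".in-addr.arpa"
    lines = [f"$ORIGIN {apex}.", "$TTL 3600",
             f"@ IN SOA ns1.{apex}. hostmaster.{apex}. ( {serial} 7200 900 1209600 3600 )",
             f"@ IN NS ns1.{apex}."]
    for ip, fqdn, _ in entries:
        if ip in net:
            lines.append(f"{ip.reverse_pointer}. IN PTR {fqdn}.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    problems = check_hosts(entries, "example.test")
    if problems:  # the equivalent of a make target failing before zones are installed
        print("refusing to generate zones until the hosts file is fixed:")
        for p in problems:
            print("  -", p)
    else:
        print(forward_zone(entries, "example.test", 2006010101))
        print(reverse_zone(entries, "192.0.2.0/24", 2006010101))
```

Running the sample as-is reports the duplicate `www` alias, the address shared by `db` and `db-old`, and the underscore in `Bad_Host`; fix those and the two zones are printed, ready to be wrapped in a Makefile target that runs `named-checkzone` and reloads the server only when every check passes.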
PowerDNS (Score:5, Informative)
1. Consolidate Authority - 2. Install a frontend (Score:5, Interesting)
This network is considerably larger, with more name servers. The control of IPs, hostnames and DNS entries is somewhat loose, and it is starting take its toll.
The number of nameservers is irrelevant as long as they're master/slave. Are each of these NS boxen run by a different business unit/department? If so, find the group with the organizational proponency for DNS (probably you) and demand that they be given full control. Assign a hostmaster for your organization and funnel ANY and ALL DNS changes through him/her/it. Authority for subdomains can still be given out, but force a signed waiver to cover your ass when they shoot themselves in the foot by running 2k3 AD as a production NS service.
Once this is done you'll probably want to ditch the flat-file approach and run some sort of frontend. It guarantees that when your hostmaster eventually quits you won't have to find another expensive geek. I used to run the webmin plugin for BIND [sourceforge.net], but stopped once I saw what a security nightmare webmin was. I don't have much experience with anything else besides custom solutions, but nictool [nictool.com] and oDNS [freshmeat.net] have their supporters.
Ganymede, Doctor DNS (Score:5, Informative)
We have been using our own software, Ganymede [utexas.edu], to handle our DNS for the last 7 years. Ganymede is a programmable directory mastering application: you give it a schema with objects for real-world items such as systems, interfaces, networks, etc., and Ganymede provides an object database and concurrent client/server GUI for making changes. Whenever an administrator hits 'commit' in their client, Ganymede turns around and updates the DNS (and in our case, our NIS, our Active Directory, our DHCP, and more) on a background thread.
The schema we use for managing DNS at ARL:UT is not the most flexible, in that we have only a single DNS domain that we are managing, and it may well not fit your environment. However, there is a consulting company in Germany, http://www.fg-networking.de/ [fg-networking.de], which has built a complete DNS and DHCP management solution around Ganymede. They are using it to manage the DNS and DHCP for a university of 14,000 hosts, and they might be able to help you out with your environment.
If you do decide you might like to know more about Ganymede, let me know. I've been working on it for the last couple of years for internal use and for clients, without posting any new releases on our website. The software has tons of improvements that have been made in the meantime.
Re:Ganymede, Doctor DNS (Score:5, Informative)
Ganymede 2.0 uses SSL for all client-server communications, as well as digitally signing the applets. It also requires Java 1.4 or better, largely in order to support SSL.
Ganymede supports roles, so that you can give certain administrators arbitrarily reduced privileges. If you've got people who need to have limited privileges as you describe, it's possible to grant them in Ganymede, if the powers that be permit it.
May I ask if you work at ARL:UT?
Re:Ganymede, Doctor DNS (Score:2)
Ah, and on the LDAP/NIS/NIS+ question, Ganymede can support anything you like with it. Historically it was designed with an NIS supporting schema, but we're also using it to synchronize accounts to Active Directory by way of LDAP, and synchronizing accounts to an OpenLDAP server is easily done as well.
The big problem with using LDAP for Unix authentication is that system vendors haven't implemented RFC 2307 in as consistent a fashion as they have their NIS implementations. Different operating systems ha
Re:Ganymede, Doctor DNS (Score:2)
Yes. The individual who named the predecessor project (the Group Admin Shell) was not, however.
Re:Ganymede, Doctor DNS (Score:1)
Just checking: are you aware that 'gash' is slang for female genitalia in many English-speaking parts of the world?
Good thing they didn't name it 'cunt', eh?
Alphabetically of course. (Score:1)
Easy to enforce via script, and simple enough for even windows admins to remember. Sure, you get problems when people forget to remove old hosts, and in the time it takes for your servers to replicate from the master, but you'll get those with any setup really...
A little more info would have helped.. (Score:3, Insightful)
I use a single system image cluster (a small Xen virtualized one) with my own little sqlite concoction to keep track of what is SOA for what. This lets me easily shift things around with a back end I wrote using PHP5.
I have 2 machines, each has 7 nodes (1 director and 6 real nodes) each with 128 MB allocated to it. This gives me failover, load balancing and the convenience of the single system image without the hassles of nfs breaking, and no trust relationships to hassle with.
I have each node running a separate config, with CVIP running, directing queries from the Internet to the 2 nodes that are SOA for the domain as seen from the outside world.
This lets me put each node on a different network, but using only 1 nic (I should use 2 but I'm cheap) per machine. I really didn't *need* the admin back end, (grep works wonders so does find) but it makes things simple.
I also haven't had a 3AM wake up due to a DNS outage in quite a while
2 P4 HT's, 4 SATA drives, and about 12 hours of time to set it up. No single point of failure either
Sounds like you're in a bowl of spaghetti
HTH
Re:A little more info would have helped.. (Score:1)
I second that more information is needed.
Is it a BIND/AD mix again, BIND only, AD only or something different?
If he is only running two DNS servers then your "what I run in my parent's basement" solution might work.
Kidding aside, what are you servicing with that setup?
Re:A little more info would have helped.. (Score:2)
Static (and light) use, never really changes so it suits them well.
How many hosts? (Score:4, Informative)
I find that even up to 1500 hosts, managing IP addresses out of a spreadsheet is fine. The amount of times that admins actually connect machines to networks isn't all that often (with the exception of workstations, but use dynamic DNS for that and don't worry about putting them into a spreadsheet) so the changes are minimal.
Get the solarwinds software if you are running Windows (or find a box to put it on) and in the engineers edition, there is a DNS auditing tool. Run that every now and again to make sure that what's in the spreadsheet and what's in DNS matches up and all is good.
If you are looking above 1500 hosts, then you might need to consider some of the other posts above.
I found in the past that as long as your IP allocations are easily manageable, and you know what it is that you want to manage, then it's all good.
Berny
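The audit step this post recommends (compare what the spreadsheet says with what DNS actually answers, every now and again) is easy to script so it can run from cron and fail loudly. The block below is an added example for this thread, not the SolarWinds tool or anything from the poster: it loads a CSV export of the inventory, looks each hostname up, and reports entries that are missing from DNS, entries whose address has drifted, and DNS names the inventory has forgotten about. The lookup function is injectable so the logic runs offline here against a constructed answer table; `system_resolver` is the hook for a real run. The inventory rows, the `example.test` names and the addresses are all constructed.

```python
"""Reconcile a hostname/IP inventory export against DNS answers (added example)."""
import csv
import io
import socket
import sys

# Constructed inventory export, as a spreadsheet would save it.
INVENTORY_CSV = """\
hostname,ip,owner
www.example.test,192.0.2.10,web team
mail.example.test,192.0.2.11,messaging
db.example.test,192.0.2.12,dba
ghost.example.test,192.0.2.99,unknown
"""

# Constructed stand-in for the live zone: hostname -> set of A records.
FAKE_DNS = {
    "www.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.21"},    # drifted: DNS disagrees with the inventory
    "db.example.test": {"192.0.2.12"},
    "legacy.example.test": {"192.0.2.50"},  # in DNS but nobody tracks it any more
}


def system_resolver(name):
    """Real lookup: every IPv4 address the system resolver returns, empty set on NXDOMAIN."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def table_resolver(table):
    """Offline lookup backed by a dict, for tests and dry runs."""
    return lambda name: set(table.get(name.lower(), ()))


def load_inventory(text):
    """Return {hostname: ip} from a CSV export with 'hostname' and 'ip' columns."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["hostname"].strip().lower(): row["ip"].strip() for row in reader}


def audit(inventory, resolve, dns_names=None):
    """
    Compare inventory ({hostname: ip}) with DNS via resolve(name) -> set of IPs.
    dns_names, if given, lists the names DNS knows (from an exported zone or an
    authorised zone transfer) and is used to flag records absent from the inventory.
    Returns a report with 'missing', 'mismatched', 'stale' and 'ok' lists.
    """
    report = {"missing": [], "mismatched": [], "stale": [], "ok": []}
    for name, ip in sorted(inventory.items()):
        answers = resolve(name)
        if not answers:
            report["missing"].append(name)
        elif ip not in answers:
            report["mismatched"].append((name, ip, sorted(answers)))
        else:
            report["ok"].append(name)
    if dns_names is not None:
        report["stale"] = sorted({n.lower() for n in dns_names} - set(inventory))
    return report


def print_report(report):
    """Human-readable summary; returns True when inventory and DNS agree."""
    for name in report["missing"]:
        print(f"MISSING   {name}: in inventory, no DNS answer")
    for name, ip, answers in report["mismatched"]:
        print(f"MISMATCH  {name}: inventory says {ip}, DNS says {', '.join(answers)}")
    for name in report["stale"]:
        print(f"STALE     {name}: in DNS, not in inventory")
    print(f"{len(report['ok'])} entries agree")
    return not (report["missing"] or report["mismatched"] or report["stale"])


if __name__ == "__main__":
    # Offline run against the constructed table; swap in system_resolver and a real
    # export for a live audit, and let the non-zero exit code page someone.
    rpt = audit(load_inventory(INVENTORY_CSV), table_resolver(FAKE_DNS), FAKE_DNS.keys())
    sys.exit(0 if print_report(rpt) else 1)
```

The "stale" check needs a list of names DNS actually holds, which a plain resolver cannot give you; feed it the output of a zone export from the master rather than guessing, and keep the inventory export read-only so the audit never becomes a second place to edit records.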
Extend the hosts file metaphor (Score:3, Interesting)
Depending on how many people are updating the zones, what kind of security you need on that, and how many zones you actually have, then start looking at GUI/web based frontends and database backends. Personally, I'd try and assign a few designated hostmasters to administer all DNS changes centrally, but if that meets objection and you don't have or can't get enough weight to overrule it, it's not a major problem. There are plenty of quite decent web based GUIs out there to interface with the zone files directly or things like SQL and LDAP based backends; pretty much all of the better ones allow you to apply access control somewhere in the implementation. If you are considering a database based backend though, be very careful about your selection and implementation if there are any dynamic zones (especially Active Directory, since you mention Windows) in the mix!
Comment removed (Score:4, Informative)
Re:Infoblox (Score:2, Informative)
BlueCat has another product called the Proteus that handles IP Address Management. We have found that with multiple locations distributed throughout the world, something like this may greatly help us keep a tighter cont
Re:Infoblox (Score:1)
Re:Infoblox (Score:1)
I hope that you will seriously evaluate all options and decide to go with what you feel is best for you and your organization, despite my decision to not disclose the company I work for i
Think outside the box (Score:2, Funny)
You should update your information architecture to send client DNS resolution requests via your postal service. Employ a small number of columnar mapping table lookup experts to inscribe the proper domain names onto the request sheets and transfer them back to the clients, again via post mail. You should realize the desired sea change in support staff utilization within weeks.
IPplan (Score:5, Informative)
We are using it at the office and it is very handy.
There are a lot of features, including DNS management, search tools, routing tables management,
dynamic dns? (Score:2)
Server 2k3 (Score:2)
Windows DNS (Score:1)
I even have a couple of old WINS servers running for the legacy clients, which don't exist anymore, which reminds me to turn off the WINS servers. Well, at least they integrate into DNS automatically.
Microsoft actually provides some easy to use and powerful DNS tools with Windows. Recently I had to add a batch of 35 domains to our hosted environment, was pretty easy with DNSCMD and a few batch
MyDNS Rocks (Score:3, Informative)
It makes multiple name servers easier because you don't need to AXFR - you just use MySQL replication which is quite easy to deal with.
Nictool (Score:3, Informative)
I've been using it for many many months on multiple DNS setups, and many other organizations use it also. It takes a bit of knowledge to set up, but is very reliable once it's set up. I've written a few guides on configuration and installation (though now a little outdated); they can be found in the mail toaster forum.
DNSDusty (Score:2)
This wreaks all sorts of unholy havoc if you do any sort of changes outside of that interface (like a DHCP server that updates DNS).
I wrote a small app to manage DNS for my home that plays well with DHCP, though I'll confess I have no reports of anyone using it for a large site:
http:/ [poochiereds.net]
Have you considered LDAP? (Score:2)
You probably don't want to jump into LDAP if this would be your sole use. However, a site large enough to make maintenance of the DNS files a pain is probably large enough that it either does, or at least should consider, using LDAP for user and system information. See the recent series of articles (in Linux Journal?) on setting up a single sign-on system using LDAP and Kerberos for an idea of how powerful it can be.
Yes, maintenance can be a bitch. But it's better than having to maintain sepa
Re:Have you considered LDAP? (Score:2, Informative)
VIEWS Support (Score:1)
I haven't evaluated it yet, but here's another option: http://www.menandmice.com/ [menandmice.com]
Can anyone comment on the Men&Mice suite?
Network admin should be able to handle this (Score:2)
For scalability and flexibility, try CMU's NetReg (Score:1)
As the current primary developer of the system I'm a bit biased, b
VitalQIP as a commercial option (Score:1)
DNS server comparison chart (Score:1)
Organizing your DNS? (Score:1)