Dining with DNS

FRAMINGHAM (02/21/2000) - Dealing with Domain Name System (DNS) is a simple proposition for most users; they hardly know it exists unless it stops working.

Browsers and mail clients seem to find the appropriate service effortlessly - on a good day.

But when things go bad, you need products that can aid in your DNS administration and test DNS services and references. We tested Men & Mice Inc.'s DNS Expert, a diagnostic tool that analyzes your existing domain name server and other network qualities, and Incognito Software's DNS Commander, a domain name server and management system that replaces the Windows NT DNS service or a DNS server on another platform.

DNS Expert is well-suited for a system administrator with more than a few name servers, or with several domains and zones. By contrast, DNS Commander helps you implement your first DNS server or manage a number of primary and secondary servers.

Because DNS Expert is an analysis tool and DNS Commander is a management tool, we didn't compare them head-to-head. Thus they weren't eligible for a Blue Ribbon Award. However, both products are worthy of consideration for your network.

All about DNS

The idea behind DNS is relatively simple: translate easily remembered domain names into the numeric IP addresses that hosts actually use, and vice versa.

DNS servers must respond quickly to queries, which makes it impractical for every site to carry the entire domain database locally. Instead, each server - except those at the very top of the tree, the root servers - carries just the portion of the database that is germane to its site, or zone. A server that can't answer a query from its own data refers the query to other DNS servers until it reaches one that is authoritative for the answer. To eliminate another source of delay, DNS servers hold recently used answers in a memory cache so that no repeat lookup is needed. Each cached entry lives only for the time to live (TTL) the zone owner set on the record, and the cache usually has a fixed maximum size, with older entries displaced as new ones arrive.

In theory, it's possible to create a pristine DNS easily, because the structure of a DNS database is well-defined by the relevant requests for comment (RFCs). In practice, it's just as possible to create entries that cause an immense number of problems when spoofed, or erroneous entries that point users at hosts that don't exist. Site hijacking and other problems can result when pernicious updates are made.

DNS Expert to the rescue

Men&Mice's DNS Expert is an analysis tool for DNS. It has three levels of tests (minimal, normal and thorough) and some additional tools to aid in analysis.

When we tested DNS Expert, we found that very few of the networks tested were pristine. However, we also found that DNS Expert could be fooled by items that appeared to be troublesome, but actually weren't. But that's a virtue - we like to see an application err on the side of caution.

A thorough test of a sample domain pointed to some interesting errors. DNS Expert took approximately 15 minutes to analyze the sample domain - located in the network operations center of a small ISP - from the Internet side of the ISP's connection, using the "thorough" setting, the software's strongest level of testing.

DNS Expert turned up some real errors and some red herrings. The ns3.corplink.net server accepts zone transfers only from specific addresses, and because a zone transfer runs over a full TCP connection, an attacker would have to spoof the source address of that connection through a router that filters such traffic and shuts the attempt down; the transfer warning was therefore a red herring. Score one for caution. The mail relay claim falls into the same category. DNS Expert can't know the internal acceptance policies of the hosts it tests, and in our ISP test case, the provider's mail server refused relay requests except when they came from specific addresses.
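To make concrete both the caching behaviour described under "All about DNS" and the zone-transfer finding above, here is an added example; it is not code from the article, from Men & Mice or from Incognito. It builds DNS queries in RFC 1035 wire format, parses the answer section of a response, keeps answers only for the TTL the record carries, and decides from the response code whether a server served an AXFR or refused it. Every name, address and byte message is constructed for the example (example.net and 192.0.2.10 are reserved documentation values, not the ISP's servers), so it runs with no network access.

```python
import struct
import time

# RFC 1035 wire-format constants. Every name, address and message below is
# constructed for this example; none comes from a real server.
QTYPE_A, QTYPE_AXFR, QCLASS_IN = 1, 252, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def encode_name(name):
    """Dotted name -> labels, e.g. ns3.example.net -> \\x03ns3\\x07example\\x03net\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(txid, name, qtype):
    """12-byte header (RD set) plus one question. Real AXFR runs over TCP, where
    the caller prefixes the message with its 2-byte length."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) \
        + struct.pack(">HH", qtype, QCLASS_IN)

def decode_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:                  # hostile input: refuse pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def parse_response(msg):
    """Return (txid, rcode, [(name, type, ttl, rdata), ...]) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return txid, flags & 0x0F, answers

class TTLCache:
    """An answer lives only as long as the TTL the zone owner put on the record."""
    def __init__(self, clock=time.monotonic):
        self._clock, self._entries = clock, {}

    def put(self, name, rtype, ttl, rdata):
        self._entries[(name, rtype)] = (self._clock() + ttl, rdata)

    def get(self, name, rtype):
        hit = self._entries.get((name, rtype))
        if hit and self._clock() < hit[0]:
            return hit[1]
        self._entries.pop((name, rtype), None)   # expired: force a fresh lookup
        return None

def cache_answers(cache, response):
    """Store every record of a NOERROR response in the cache; return the rcode."""
    _, rcode, answers = parse_response(response)
    if rcode == RCODE_NOERROR:
        for name, rtype, ttl, rdata in answers:
            cache.put(name, rtype, ttl, rdata)
    return rcode

def axfr_allowed(response):
    """True if the server served the zone; a transfer-restricted server answers
    an unauthorised AXFR with REFUSED, which is the finding discussed above."""
    _, rcode, answers = parse_response(response)
    return rcode == RCODE_NOERROR and len(answers) > 0

def sample_a_response():
    """Constructed answer to an A query: www.example.net -> 192.0.2.10, TTL 300 s."""
    question = build_query(0x1234, "www.example.net", QTYPE_A)[12:]
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR RD RA, NOERROR
    answer = (b"\xC0\x0C"                                         # pointer to the question name
              + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 10]))
    return header + question + answer

def sample_axfr_refused():
    """Constructed reply of a transfer-restricted server to an unauthorised AXFR."""
    question = build_query(0x4321, "example.net", QTYPE_AXFR)[12:]
    return struct.pack(">HHHHHH", 0x4321, 0x8185, 1, 0, 0, 0) + question   # RCODE 5 = REFUSED
```

Two details matter for a tool like DNS Expert. The cache honours the record's TTL rather than a fixed lifetime, so a 300-second answer is gone 300 seconds after it arrived. And a REFUSED response to AXFR is the correct, not the broken, behaviour for a server that restricts transfers by address; a checker that sees the zone served back has found the real problem.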

In addition to the analysis software, DNS Expert provides three other tools: ping, traceroute and zone analysis. Simple ping and traceroute tools are standard issue on most machines, but Men&Mice's can produce graphs and histograms of results. However, DNS Expert's traceroute and ping tools can't print the data they produce, and can export it only through screen scraping.

The traceroute and ping reports look good, but this kind of output is rarely used for documentation or decision support; printing the data isn't all that useful, except to save it for comparison with future runs.

Fortunately, the zone analysis tool has reports that are easily generated and printed.

Easy interface

DNS Expert sports an interface that's easy to use and understand. The errors it finds during analysis can be easily cross-referenced as to the nature of the error. The errors are listed by icon as to the perceived seriousness of the error, and we agree with the seriousness ratings - even the red herrings.

Installation of DNS Expert couldn't have been much easier. We installed DNS Expert on a variety of clients, including Windows 98 (Sony VAIO PictureBook and Compaq Prosignia 2450) as well as Windows 2000 RTM (Compaq Prosignia 2450 and Hewlett-Packard Pavilion).

DNS Expert can be a useful tool for large and small organizations. Its analysis is a broadly cast examination of a zone, including items that aren't traditionally considered as being part of a DNS test, such as the testing of mail servers for open-relay problems. While DNS Expert sometimes finds red herrings, we're reminded of the aphorism, "Better the devil you know, than the devil you don't know."

DNS Commander

The DNS server software that comes with NT is Spartan at best. Tying several DNS servers together across a domain, zone or enterprise requires understanding DNS well, because the DNS service (on NT and on most Linux platforms alike) is configured in isolation: one DNS server is unaware of the others until each is explicitly told about them. Even when linked, the configuration that keeps DNS servers within an organization working together must be maintained by hand. This is where Incognito's DNS Commander comes in: it serves as a DNS organizer for multiple servers.

Unlike DNS Expert, DNS Commander doesn't run tests or integrity checks.

Instead, it lets you centrally manage a name service infrastructure for several popular platforms, including NT or Win 2000, Solaris (2.7+ SPARC or Intel) and Linux (Intel, 2.2+). DNS Commander works only on servers where it's licensed and installed, as opposed to DNS Expert, which worked with any name server we tried.

DNS Commander is installed on the host platform where a name service runs, but it can be controlled from other platforms through the Incognito Management Console (IMC). IMC connects to any DNS Commander-controlled name server where the IMC user has permission to change the server. IMC is a Windows application; a DOS command-line utility is also available, and Common Gateway Interface-based Web control is in development. There is no local graphical user interface for Linux or Solaris.

From the IMC interface, we could examine the entire zone naming service infrastructure, make changes manually, or use any number of wizards that helped us perform tasks as small as adding a single CNAME record or as significant as creating primary domains and editing server information.

The IMC interface is similar to the Microsoft Management Console (MMC). It uses COM+, and Incognito used MMC in prior editions. IMC lets you rapidly drill down or get property assessments of objects surrounding the operation of the server, such as record management, zone transfers, the security of administrators, authority and others.

DNS Commander also imports data readily, from a zone file or via zone transfer. You can set defaults for zone information and resource records, including the fields to hide. You can also set security for updates, although we didn't find hooks for using a certificate authority to validate zone transfers. That task still has to be performed by the host operating system's name service and platform security.

The IMC interface to DNS Commander-equipped servers is very simple to manipulate. Entering or changing records is done on form-like sheets that include items such as creation and modification history. Name server management also includes access control for specific items, such as administrative rights over a domain or an individual resource record. Changes, even when they're huge, are quick.

Installation

We installed DNS Commander on NT, Win 2000 and Linux. A smooth installation routine took about 5 minutes on NT and 2000, and 3 minutes for the Linux machine. IMC found the name service running on the target hosts readily from our Windows 98 and NT 4.0, Service Pack 5, workstations.

DNS Commander is compatible with Dynamic DNS (DDNS), but the current version doesn't speak to the version of Microsoft's DHCP server in Win 2000. Therefore, DDNS updates from the Win 2000 DHCP server won't update Incognito's DNS. The company says it's working on that issue.

Incognito also sells IP Commander, a DHCP server application that eliminates the need for the Windows Internet Naming Service (WINS) when coupled to DNS Commander. We tested this, and it works as advertised. We weren't able to test DNS Commander with other RFC-compliant DDNS servers, but updates and zone transfers work as expected for a regular naming server.

The DNS Commander online documentation helps explain the DNS process well, although there's not much troubleshooting information available.

DNS Commander also doesn't parse an existing DNS database for integrity, although common errors such as duplicate entries are made easily visible when importing a DNS database.

The downside to DNS Commander is that it's expensive - $495 per server. Many system administrators might be motivated to put up with native NT and/or Linux DNS services.

The added value that DNS Commander and the IMC interface provide doesn't really pay off until you need to manage several servers, or combine DNS Commander with IP Commander, Incognito's DHCP server with DDNS features.

When the number of servers becomes large or the DNS infrastructure unwieldy (as in the case of multiple locations and virtual private networks) then an advanced management console starts to pay off - and handsomely. The cost-benefit ratio also starts to make sense in highly changeable networks.

Henderson is principal researcher at ExtremeLabs in Indianapolis. He can be reached at thenderson@compuserve.com.
