Why DDI (DNS, DHCP and IP Address Management) is critical for distributed organizations

With multiple branches and thousands of IP addresses, centralized management of critical network services like DNS, DHCP and IP Addresses are catching up with bigger and distributed organizations. Read on to understand how the DDI – DNS, DHCP and IP Address Management appliances can help and the advantages of centralizing these critical network services.

The critical network services like DNS and DHCP have been managed by Unix based Open Source platforms like the BIND DNS or ISC DHCP or Microsoft AD – Windows Server 2003/ 2008. But when organizations grow and spread across multiple locations with thousands of IP addresses, the number of servers deployed for providing DNS/ DHCP services might also be large and similarly distributed among multiple branches.

The DDI – DNS, DHCP and IP Address Management services help to have an eagle eye’s view on such networks and enable centralized management, as well as introduce redundancy at every level for the high availability of the critical DNS and DHCP services.

An Overview of the DDI – DNS, DHCP and IP Address Management appliances:

First, the DDI appliances can themselves provide DNS, DHCP, IP Address Management functionalities as well as provide centralized management for third party services like Microsoft Server 2003/2008 and Unix based DNS/DHCP servers across multiple locations.

The DDI solutions can be appliance based (most popular), software based or even managed services based. They can also integrate with a few virtual service platforms. The most useful functionality of these DDI services is that they give a full fledged web based GUI (Graphical User Interface) through which administrators can control almost every aspect of their DNS, DHCP and IP address management servcies.

Another important reason why they are popular is their ability to give total redundancy (High Availability) at every level – there can be two DDI appliances directly connected at the HO which can provide appliance level fail-over, there can be a master appliance at HO and multiple slaves at branch location/ Data Center anywhere to provide appliance level as well as network level fail-over. Even the databases (used for DNS, DHCP) are unified and updated simultaneously across the network, providing for their efficiency and redundancy. The upgrades, patches and even configurations (sometimes) to these services can be done centrally and it automatically gets pushed across to all the DDI appliances across the network, minimizing downtime and ensuring uniformity.

The administration can be centralized or split zone-wise enabling different administrators to manage different zones. All the logs (including administrative changes) can be exported to a Syslog server from the central location for the entire network. Some solutions support pre-configured event notification via SNMP traps and emails.

DNS/ DHCP:

As mentioned earlier, DDI solutions consolidate and centralize DNS/DHCP services across multiple branches and provide HIgh Availability of these services. Many DDI solutions enable DNS and DHCP services to share a single database in order for tighter integration between these two services.

Multiple appliances can be load-balanced to provide DNS services to clients while still advertising a single DNS address. Handy tools like templates enables companies to automate and standardize the creation of DHCP configurations across the network (for example, each new branch could be served with a ready made template which has all the common configurations already applied to it).

Some DDI solutions offer import tools which enable users to migrate from Windows / Unix based solutions to the DDI appliances with automated checks for data corruption.

Most importantly, the appliance based purpose built DDI solutions offer a great deal of security to the DNS/ DHCP services by,

• Opening only those network ports required for DNS/ DHCP management, while all the other ports operate in the Stealth mode.
• Implementing a controlled and uninterrupted boot process and Kernel that does not support file systems other than the ones already used by it.
• Running the applications in ‘Jailed’ mode, wherein even if a hacker manages to get in to the appliance, the access is highly restricted and new binaries cannot be run.
• Employing techniques that prevent Cache poisoning and numerous other attacks like Denial of Service attacks etc that target the DNS and DHCP services in an organization.

IP Address Management:

Most of the DDI Solutions provide you with a nice GUI that gives a visual representation of all the IP addresses in the network with real time IP address allocation data by zones/ subnets. This enables the administrators to discover IP enabled devices anywhere in their network. It also becomes easier to discover who did what and when if such unified and centralized IP address management tool is available. The IP address details are hierarchically arranged (mostly with graphical representation) and some of them even offer API’s that integrate with external applications like Google Maps to view where exactly any IP address is located!

For every IP address, the IPAM (IP Address Management) module maintains individual records which include information like host-names, MAC addresses, associated switch ports, device info, date and time of device assignment, etc.

IPAM module checks for IP address inconsistencies and overlap and hence identifies IP address conflicts, which can be corrected by the administrator. They also help identify and reclaim unused IP addresses in the network.

IPAM module gives alerts when the IP address ranges are nearing their full utilization in any sub-network. Administrators can partition, re-size and re-allocate the IP address space without worrying about any IP address conflicts.

As network transition to IPv6 addressing is inevitable, the IPAM module allows organizations to have both IPv4 and IPv6 addresses during the transition period, as a single step transition to IPv6 would be very difficult.

excITingIP.com

In case you want to add any additional points or have any questions, you can use the comment form below or you can contact us using the contact form. You can stay up to date on the various computer networking technologies by subscribing with your email address in the box mentioned as “Get Email Updates when new articles are published”.