FAQs - Secure64 DNS
What is Secure64 DNS?
Secure64 DNS is an authoritative DNS server with the highest
levels of security and performance of any name server software
available today.
Is Secure64 DNS based on BIND?
It is important
to have genetic diversity in the DNS, to provide resiliency
against attacks that attempt to exploit flaws in any particular
implementation. Secure64 DNS is adapted from NSD, an open source
authoritative DNS implementation available through NLnet Labs.
NSD was designed for performance and simplicity, and has been
used in production for many years to power root servers and
top level domains.
Is Secure64 DNS a caching/resolving DNS server?
Unlike BIND, which is both an authoritative and caching DNS server,
Secure64 DNS is an authoritative-only server. By focusing on
just the authoritative function, Secure64 DNS is made more secure
and higher performing than other name servers.
What hardware does Secure64 DNS support?
Secure64 DNS takes advantage of the unique security and performance
characteristics of the Itanium 2 microprocessor, which allows
it to become Genuinely Secure. Today, the Secure64 DNS software
executes on the HP Integrity rx2660 server.
Is Secure64 DNS compatible with BIND and Microsoft DNS?
Secure64 DNS can act as a master or slave server to other DNS servers running BIND 9, BIND 8, Microsoft® Windows® DNS (Windows 2000 Server and Windows 2003 Server), and NSD.
Does Secure64 DNS support HIPAA/SOX reporting?
Secure64 DNS helps organizations meet compliance requirements by improving DNS security and availability. Through syslog and SNMP integration, IT staff and auditors can view information about user access, denial-of-service attacks, and other event-related data. Secure64 DNS does not offer pre-configured reports for specific compliance or audit requirements.
Are there limits to the number of zones or records supported?
The only constraint on the number of zones and records that may be served by Secure64 DNS is available RAM. Secure64 DNS has been successfully tested with hundreds of thousands of zones and millions of records. Contact a Secure64 sales representative for more information on hardware configuration.
Do you support dynamic updates?
Yes, Secure64 DNS supports dynamic updates and can secure those updates through TSIG, if required.
Do you support DNS wildcards?
Yes, Secure64 DNS provides answers for systems given a * (wildcard) name in the zone file.
Do you support a high-availability DNS architecture?
Yes. Secure64 DNS supports a BGP-based anycast architecture that allows
multiple DNS servers to share a common IP address. This architecture
provides additional availability, resiliency, and performance compared to a
traditional DNS architecture.
Can I change configurations, including adding or deleting zones, without downtime?
Yes. Secure64 DNS continues to respond to queries while restarting with a new configuration.
As an authoritative-only server, does Secure64 DNS support being a secondary (slave) name server?
Yes, Secure64 DNS can be configured as either a master (primary) or slave (secondary) server. As either a master or slave, it is compatible with BIND 8, BIND 9, Windows DNS (2000, 2003), and NSD name servers.
Does Secure64 DNS include IPv6 support?
Secure64 DNS does not support IPv6 at this time.
Are there any reporting/logging/alerting features in the product?
Secure64 DNS uses a variety of mechanisms to report and log activity on the system including:
* Syslog records many different system events, including user logins.
* SNMP traps, in conjunction with syslog, alert and log abnormal conditions, such as when a network attack begins and ends.
* DNS statistics are available on demand or at regular intervals.
* Under attack, the system can provide details to help administrators set upstream router filters to protect bandwidth.
* System commands provide additional detailed information such as moving averages of attack statistics.
What type of management system does Secure64 DNS offer?
Today, Secure64 DNS is managed through a command line interface over an SSH2-secured connection. We provide a rich set of commands through this interface to configure and manage the server and the DNS data. Often,
customers integrate their own provisioning system to our server using this
interface.
Are system upgrades a manual or automated procedure?
Secure64 DNS provides upgrade and rollback commands and a user role for upgrades. Normally, upgrades are a simple process of downloading the appropriate file and running the upgrade command.
FAQs - Nixu NameSurfer Suite
What is Nixu NameSurfer Suite?
NameSurfer Suite is DNS and IPAM management software. Featuring centralized and automated management of name (DNS) and address space (IPAM), it operates as a hidden DNS primary server and can also be used to manage remote DNS secondary servers (authoritative slave DNS servers).
What automations does it provide for DNS management?
Once appropriately configured, adding new hosts to DNS only requires that a host name is entered – everything else is handled automatically. The automations include provisioning of the next available IP from a pre-defined IP address range(s); addition of pre-defined field values using zone template functionality, including separately defined zones; error and consistency check of data input; creation of reverse entries and zone serial numbering; and master-to-slave propagation of all DNS changes.
How does NameSurfer validate the data entered into the system?
Related RFCs have been converted into NameSurfer readable syntax against which all entries are validated. Entries that are not RFC-compliant are classified into two categories: entries that pose a threat to DNS stability and entries that, while not in full compliance with RFCs, do not pose a threat to DNS stability. Both produce an error message: if the entry does not threaten the stability of DNS, the error message has an “add anyway” option, whereas stability-threatening entries are categorically denied.
How do we import our existing DNS data to the system? Is there a way to audit/validate our existing DNS data?
An easy way to accomplish this is to trigger a zone transfer from NameSurfer Suite’s web-based user-interface (WebUI). Once the zone transfer has been triggered, NameSurfer validates all DNS data coming from the existing DNS master and all verifiable data is added to the system.
We use spreadsheets to manage our IP address space. Can we replace those with NameSurfer Suite?
Yes. Once the root block(s) and other blocks have been defined in IPAM (IP Address Management Module), hosts in DNS are auto-populated to the appropriate blocks in IPAM. This mechanism ensures that hosts in production DNS and in IPAM are always in sync and up to date.
What information can be associated with IP blocks and IP addresses? Are the information fields predefined?
Information fields in IPAM, whether attached to IP blocks or individual IPs, are freely definable/editable text fields so any information can be added. Further, the “Display Preferences” functionality allows users to define which information fields are displayed in different listings (e.g. block and location could be displayed on IPAM index listing page).
Our IP address space consists of both standard and virtual blocks/subnets that may sometimes overlap. Is this supported?
Yes. By utilizing the “Owner” concept in IPAM, blocks can be arranged, displayed, and viewed both logically and based on the owners that have been assigned for a given subnet(s). Overlap between the two is allowed, which allows both block-based (logical) and owner-based (virtual) sorting.
Can we add dynamic hosts to IPAM?
Yes. If you configure your DHCP server so that it sends a dynamic DNS update to the NameSurfer primary whenever it assigns a dynamic IP, the dynamic host is automatically added to both DNS and the appropriate block/subnet in IPAM. Support for dynamic DNS is RFC compliant.
How do we import our existing IP address space data into the new solution?
Existing data maintained in flat text files and/or spreadsheets can be imported in csv format using the IPAM command-line interface (CLI).
Can we export data to spreadsheets / other systems from IPAM?
Yes, the IPAM CLI can be used to export data from NameSurfer Suite to other systems / spreadsheets in csv format.
Does it support IPv6? Can I add both AAAA and A record for the same host?
Yes. The solution can be operated in pure IPv4 and IPv6 environments as well as in dual-stack networks, and both IPv4 (A record) and IPv6 (AAAA record) addresses can be added to a single host.
Does it support DNS Views?
Yes. For security reasons, each DNS view requires its own authoritative slave DNS server. Further, transaction signatures (TSIGs) can be used to trigger the zone transfer for an authoritative slave in a given view, so that only slave server(s) that are authorized to obtain DNS data for a given view will be able to receive it from the hidden primary.
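The per-view TSIG check described above, sketched as an added example (not NameSurfer code): the primary releases a view's zone data only when the transfer request carries a valid MAC under the key bound to that view. The view names, key names and secrets are constructed, and the TSIG fields are passed as parameters instead of being parsed out of the TSIG record in the request's additional section.

```python
import hashlib, hmac, struct

# Constructed per-view key table (assumption): one key per view's secondary.
VIEW_KEYS = {
    "internal": ("xfer-internal.", b"constructed-secret-internal-view"),
    "external": ("xfer-external.", b"constructed-secret-external-view"),
}
ALGORITHM = "hmac-sha256."
FUDGE = 300  # seconds of clock skew tolerated between secondary and primary

def wire_name(name):
    """Encode a domain name in canonical (lowercase, uncompressed) wire format."""
    labels = [l.encode("ascii") for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def tsig_mac(message, key_name, secret, time_signed, fudge=FUDGE):
    """HMAC over the request plus the TSIG variables (RFC 8945, section 4.3.3)."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)                       # CLASS ANY, TTL 0
        + wire_name(ALGORITHM)
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
        + struct.pack("!HHH", fudge, 0, 0)                 # fudge, error, other-len
    )
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def authorize_axfr(view, message, key_name, time_signed, mac, now):
    """Return True only if the request is signed with the key bound to this view."""
    entry = VIEW_KEYS.get(view)
    if entry is None:
        return False                                       # unknown view
    expected_name, secret = entry
    if wire_name(key_name) != wire_name(expected_name):
        return False                                       # key belongs to another view
    if abs(now - time_signed) > FUDGE:
        return False                                       # stale or replayed request
    expected = tsig_mac(message, key_name, secret, time_signed)
    return hmac.compare_digest(expected, mac)              # constant-time comparison

def axfr_query(zone, qid=0x1234):
    """Minimal DNS query: header plus one question, QTYPE 252 (AXFR), class IN."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)
```

A secondary that holds only the external view's key cannot obtain the internal view's data even if it can reach the hidden primary on the network, because its MAC never verifies under the internal key.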
How much data can I manage?
As there are no built-in limits for scalability, it ultimately depends on the specifications of the platform used to run it. In scalability tests performed with industry standard x86 servers with 2 GB of RAM and a 2.8 GHz dual-core processor, a single server instance can manage nearly 10 million resource records and hundreds of thousands of zones.
How many queries-per-second (qps) does your system serve?
NameSurfer Suite is a hidden primary DNS server that communicates only with authoritative slave DNS servers (“DNS secondaries”). As qps is a measure used with authoritative (slave) DNS servers that resolve queries originating from the network, it is not an applicable performance measure for NameSurfer.
Can we leverage our existing DNS infrastructure?
Yes. Since NameSurfer Suite is deployed as the hidden primary, it can be installed on top of the existing DNS infrastructure. This only requires that the existing DNS servers are configured as authoritative slaves for NameSurfer primary, and that the existing DNS data is imported into NameSurfer Suite.
Which protocols are used for communications with secondary DNS servers?
DNS data is transferred using standard zone transfers (AXFR / IXFR). SCP is used for pushing configuration changes from NameSurfer primary to secondary DNS servers.
How do we integrate the system with DHCP servers?
The most straightforward way to integrate your DHCP servers with NameSurfer Suite is to configure them so that they send a dynamic DNS update to the hidden NameSurfer DNS primary whenever they give out IPs/leases to dynamic clients. Once the dynamic DNS update has been added to NameSurfer, it will automatically propagate the DNS changes to secondaries and add the new host to the appropriate block/subnet in IPAM.
How do we integrate it with RADIUS/LDAP?
As NameSurfer has built-in AAA (authorization, authentication, accounting) mechanisms in place, it usually is not integrated with RADIUS or LDAP. From the availability point of view, this removes the single point of failure that would result from not having access to NameSurfer should the centralized authentication mechanism fail for any reason.
How do I integrate the platform with our OSS management system and other systems used to back up data?
When implemented using traditional software binaries, the (monitoring) agents used for OSS management and data back-up are implemented as usual.
As the CentOS Linux included in the software appliance distribution of NameSurfer Suite is 1:1 with RHEL 4, any RHEL compliant (monitoring) agents can be installed on our software appliance platform: the software appliance platform is not sealed and can be used to run other RHEL compliant software alongside the actual NameSurfer Suite application.