Breaking the binds of DNS management

Take charge of domain name management with DNS Commander.

Allan Liska special to HostingTech | aliska@hostingtech.com

Domain name management is the bane of many hosting providers. Adding and removing domains, ensuring information is being properly shared between primary and secondary name servers, transferring domains, and fielding domain name system (DNS) requests from customers can consume a large portion of the support staff's day. Of course, it doesn't help that DNS is such an esoteric topic that even seasoned server administrators have trouble understanding how it works. And finding a software program that allows administrators and engineers to address these issues efficiently can be a huge headache. DNS Commander by Incognito Software (www.incognito.com) might be a viable alternative.

BIND bashing
The ubiquitous Berkeley Internet Name Domain (BIND) implementation often exacerbates the problems associated with DNS. BIND is a powerful open-source program that runs on more than 90 percent of Internet name servers today, including the root name servers. BIND has been around since the early 1980s, and despite its robustness, can be a serious challenge to an administrator. During its reign as the king of DNS, BIND has bloated to more than 200,000 lines of code. This code growth - and the fact that its code is publicly known - has left many security holes, making BIND a frequent target for exploits and other attacks.

Although the capabilities of BIND have increased with each new release, the configuration has remained the same and is still managed through text files. There is no error checking in place. There is also no built-in way to give a user the ability to configure specific domains without being given access to all other domains on the server.

Several tools have been developed over the years to address some of the shortcomings in BIND, in particular the security shortcomings, but none offer a complete solution. Control panels are a good example. Many control panels, like the one included with Cobalt RaQ, allow individual users to manage their domains. However, the RaQ control panel makes the assumption that DNS services will be provided by the same server that is hosting the website. Most of the time this is not the case. Most hosting providers do not store DNS information on the same servers that serve Web pages; instead they have servers dedicated to DNS.

A new alternative
Incognito Software has addressed many of the problems associated with BIND in its DNS Commander software, which is a BIND replacement that is compliant with the Request for Comments (RFC) guidelines suggested by the Internet Engineering Task Force's DNS Working Groups. DNS Commander is an application that allows hosting companies to easily manage DNS records across multiple servers. In addition to efficient management by server administrators, DNS Commander has an optional plug-in, DNS Web Console, which allows customers to manage their own domains.

DNS Commander is available for Windows NT/2000, Solaris, and Linux. The minimum requirements for the server are a Pentium 100 CPU, 64 MB of RAM, 20 MB of hard drive space, and Messaging Application Programming Interface support, which should be enabled by default on most systems.

There are two components to a basic DNS Commander installation: the server and the client. The server was written from scratch to be a secure, RFC-compliant, scalable DNS server. The client, called the Incognito Management Console (IMC), is available as a Windows-based application that integrates with the server or as a Web-based version that runs in a browser. The IMC sends management updates to the server, in an encrypted format, on port 228.

Installing the software
The server installation is very simple, with prepackaged versions of the software available for all the supported operating systems. Version 3.5 of the software was tested on a Red Hat Linux 7.2 server. The installation is a simple matter of installing two Red Hat Package Manager (RPM) files.

First, the server itself:

[root@test tmp]# rpm -Uvh DNSCmdr_35A_Linux_i386.rpm

Preparing...################################# [100%]

1:DNSCommander ############################# [100%]

[root@test tmp]#

Then the Web interface:

[root@test tmp]# rpm -Uvh DNSWeb_32C_Linux_i386.rpm

Preparing... ################################ [100%]

1:DNSCommanderWeb ########################## [100%]

[root@test tmp]#

After both components are installed, DNS Commander needs to be started:

[root@test tmp]# /etc/rc.d/init.d/dnscmdrd start

Starting DNS Commander: [ OK ]

[root@test tmp]#

To configure DNS Commander, download the Management Console from your DNS server. When the installation of DNS Commander has been completed, a file called DNSCmdrIMC.exe will be placed in the /usr/local/ib/incognito directory. Download this file to a Windows machine and run through the install process. After the Management Console has been installed, run the application to connect to your server. When you first run the Management Console, it will take you through a configuration wizard that will help you create a basic configuration for your zone files, and convert any existing zone files into DNS Commander format (DNS Commander can convert both BIND and Windows DNS zones).

Report card
One of the Management Console's nice security features is that the administrator account for DNS Commander is not a Unix account. Because the account exists only in the DNS Commander software, someone who learned the user name and password would not gain direct access to the server. Unfortunately, the administrator and other DNS Commander passwords are limited to eight characters, a limit that should be raised for added security. Another nice feature of DNS Commander is that it allows RADIUS (Remote Authentication Dial In User Service) authentication. Hosts that let clients administer their own zone files will find this especially useful, because clients will not have to juggle multiple user names and passwords for DNS administration and site administration.

DNS Commander allows multiple levels of configuration. A DNS server administrator can allow or deny Dynamic DNS updates, limit servers that are allowed to perform recursive lookups, and give other users the ability to manage certain domains. Individual domain administrators cannot overwrite server-wide security settings; however, a system administrator can allow the administrator of a specific domain to control security settings for that particular site.
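An added example, not part of the original article and not Incognito's code: a Python check for the recursion restriction described above, meant to be sent to a name server you operate from an address that should not be allowed recursive lookups. The function names and the constructed sample replies are assumptions; the query name must be one the server is not authoritative for.

```python
import socket
import struct

def build_query(name, txid=0x1234, qtype=1):
    """Build a DNS query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # type A, class IN

def parse_flags(response):
    """Decode the header fields that show how the server treated the query."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }

def classify(response, txid):
    """Return 'open', 'restricted' or 'invalid' for one reply."""
    try:
        f = parse_flags(response)
    except ValueError:
        return "invalid"
    if not f["is_response"] or f["txid"] != txid:
        return "invalid"
    # RA set plus a real answer for a foreign name means recursion was performed.
    if f["ra"] and f["rcode"] == 0 and f["answers"] > 0:
        return "open"
    return "restricted"

def probe(server, name, timeout=3.0):
    """Query a server you operate and classify its reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(512), 0x1234)

# Constructed sample replies; the 12-byte header is all classify() inspects.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR, RD, RA, NOERROR
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR, RD, REFUSED
```

A result of "open" from an address outside the allowed list means the recursion limit is not taking effect for that client.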

DNS Commander has excellent logging tools and can record very detailed information, if desired. In addition to the usual logging done by BIND, DNS Commander will also track logins and changes that were made during a session. If an error is made in a zone file change, DNS Commander allows an administrator to quickly revert to a previous iteration of the zone file. Another distinguishing feature is the Flying Logs function, which lets you log on to the server to see all of the logs as well as all packet activity to and from the server - similar to a packet sniffer. This is a great tool for troubleshooting.

The DNS Commander Web Console has the same level of functionality as the Management Console. The Web Console is configured as a virtual server on either Apache 1.3x or Microsoft's Internet Information Server (IIS); the only requirement is that the virtual server must have CGI support enabled. The Web Console, which is included with the standard DNS Commander package, requires a license key from Incognito in order to be activated.

An application programming interface (API), which allows a hosting provider to custom brand the Web Console to maintain the feel of the rest of the site, has also been incorporated into DNS Commander. The API also allows a provider to create Java, XML, and console applications that tie directly to the DNS Commander server.

One area that needs improvement within the Web Console is documentation. The configuration guide for creating a virtual server under Apache and IIS is incomplete, and includes no discussion about configuring the Web Console to support SSL connections. According to Patricia Steadman, the chief executive officer and cofounder of Incognito Software, this is a problem that is currently being addressed.

Although the installation of DNS Commander is a fairly simple task, Incognito Software, through a partnership with Cubix (www.cubix.com), also offers DNS Commander as an appliance on a blade server. The blade servers are built on the Cubix Multiple Security Appliance (MSA) platform, which allows up to eight blades to be plugged into a single chassis, leaving a lot of room for growth. The appliances are available in Windows and Linux versions.

A commanding future
Incognito Software has made several high-profile deals with industry leaders recently. Two of the largest registrars signed agreements to repackage DNS Commander and offer it to their enterprise customers and their resellers. Incognito Software is offering DNS Commander to a large segment of the dedicated hosting space through its recent partnership with Plesk. Incognito Software has also recently signed a deal with Ensim to incorporate DNS Commander into its hosting automation packages. Several hosting companies have also signed on to offer DNS Commander to their clients.

Continuing in the tradition of making security a top priority, DNS Commander 4.0, scheduled for release in June 2002, will add further security enhancements to DNS administration. Version 4.0 will allow an administrator to require certificates for DNS transfers and updates. It will also feature a more robust API that allows a host to tie additional features into the DNS Commander application.

Overall, DNS Commander is an excellent product, and it can certainly save any hosting company a lot of time and money by simplifying and securing DNS administration.
