In 2004, the Slammer virus took the city of Houston by storm. The powerful, fast-spreading virus penetrated the Red Hat Linux servers running Berkeley Internet Name Domain software that handled naming resolution for the city's Web sites. The airport system, public library and health department were among the many city agencies whose Web sites suffered outages as a result of the virus.
"The Slammer virus affected all the naming resolution pieces in the city," says Mark Whitt, IS administrator for the city's IT department. "We couldn't get the vulnerability under control. So we began looking for a device to reduce our vulnerabilities."
Enter Infoblox, one of several start-ups offering special-purpose, hardened appliances that handle resolution for key Internet protocols including DNS and DHCP. The city of Houston bought eight Infoblox appliances - which cost $54,000 - that will be fully deployed this summer.
"All of our Web presence is using DNS services from Infoblox. We're also using Infoblox for our internal name resolution," Whitt says. "The performance has been great. I haven't seen any degradation, and we have the enhancements of increased manageability and dynamic DNS updates."
The city of Houston is not alone. Many organizations are replacing aging DNS software and servers with modern appliances that offer enhanced security and easier management. Other organizations that have made the switch to DNS and DHCP appliances include EMC, Banker's Life and Casualty, and Pima Community College.
"We've seen a lot of renewed interest in IP address management, DNS and DHCP over the last 18 months," says Dan Golding, senior analyst with Burton Group.
For the last 20 years, most IT shops have used free software such as BIND running on Unix or Linux servers to handle DNS resolution. However, BIND, as well as free DNS software from Microsoft, is increasingly under attack by hackers. Today, network managers are becoming aware of the vulnerabilities of these older software applications as well as the effect DNS or DHCP outages can have on corporate productivity.
IP address management "was very low down on the priority list," Golding says. "People sort of woke up one day and noticed that their authoritative DNS servers were supporting major Web services and were running on Pentium or ancient Solaris boxes. They were very rickety. The software was old and might have been running on Windows. Then they started reading about all these DNS-based attacks."
Some companies use special-purpose IP address management software such as Cisco Network Registrar (CNR), Lucent's QIP or Nortel's NetID. However, these products are expensive to operate and are infrequently updated. (Read our Technology Insider on IP address management.)
"The older IP address management platforms are software based, and they require systems administrators, database administrators and network engineers," Golding says. "They require a team of high priests to keep them running, so it is very expensive. A lot of them require Oracle licenses, too."
Without protocols such as DNS and DHCP functioning, corporate networks don't work. Web sites go down, e-mail won't go through, and mission-critical ERP applications that depend on the Internet won't function.
"DNS has become critical to IP networks," says Cricket Liu, vice president of architecture at Infoblox. "DNS is the preferred method for internal naming, as well as the Internet. It handles resolving URLs and sending e-mail. DNS is also used by Microsoft Active Directory implementations. All of a sudden, the dependency on DNS goes from network domains to network servers to desktops."
At the same time that DNS has become more critical to corporate networks, it has also become more complex. The basic documentation for BIND is more than 100 pages. In addition, BIND is more vulnerable than ever, with the CERT issuing regular warnings related to BIND and other DNS-related issues.
Comments (1)
Appliances replace DNS, DHCP software
By Anonymous on January 16, 2007, 1:02 pm
Appliances are not a panacea. The GUIs are clunky and don't lend themselves to mass change. Information might be easily imported to the appliance but is difficult...