TCPWave's DDI solution centralizes the DNS management in the organization. In the TCPWave managed DDI design, each domain controller points to a cache-only TCPWave DDI appliance. The cache-only DNS appliances would fetch the DNS answers from the TCPWave authoritative DDI appliances. The TCPWave IPAM, running in a HA (High Availability) mode, manages the authoritative and the cache DNS appliances. Each domain controller in each AD forest would update the authoritative DNS zone hosted on the TCPWave authoritative DDI remote. The TCPWave IPAM can configure an IP-based ACL to accept the DNS updates from the domain controllers. Since a UDP-based update controlled with an IP-based ACL is subject to spoofing or hijacking, the TCPWave goes one step further and secures the DNS update using GSS-TSIG. GSS-API algorithm uses Kerberos for passing security tokens to provide authentication, integrity, and confidentiality. The web interface of the TCPWave IPAM provides a simplified method to manage the Kerberos configurations, Service Principal Names (SPN), secure DNS update policies, TSIG keys, etc., across all the AD-enabled DNS zones. The TCPWave design provides a seamless AD integration with auditing, reporting, disaster recovery, monitoring, role-based access control, and many more features.
The TCPWave DDI administrators can define the active directory enabled zones on the TCPWave IPAM. When a new Microsoft Active Directory Domain Controller is provisioned, the AD installation wizard creates a file known as netlogon. dns. The netlogon process takes the contents of this file, and an attempt is made by the domain controller to register those resource records into DNS. The TCPWave DNS infrastructure can be pre-configured to accept the updates from the domain controller. When the TCPWave DNS remote sees an incoming dynamic DNS registration from the domain controller, it accepts it, and the slave DNS remotes are updated automatically. The TCPWave DNS remote management agent then sends the newly learned AD resource records to the TCPWave DDI Management. These records are stored in the replicated database of the TCPWave DDI management. Since the TCPWave design uses DNS Zone templates, users can enforce the standards and changes with a few mouse clicks. The overall size of the AD replicated database shrinks when DNS is decoupled from the domain controllers. Another significant advantage of migrating the DDI management to TCPWave is - It resolves AD replication delays.
It is common to see many organization deployments utilizing Microsoft's in-built AD integrated DNS. These distributed deployments typically keep growing without following the best practices recommended by TCPWave. The failure to follow a common set of standards across a global infrastructure by a bunch of different individuals reporting to separate management chains is why a large-scale AD deployment is complex to maintain. The configuration of multiple conditional forwarders makes it extremely difficult to maintain, manage, monitor, scale, and troubleshoot. It is also common to see various large-scale AD integrated DNS deployments have frequent DNS blackouts because of improper designs. The Active Directory trusts require DNS resolution to the root forest, child forests, and possibly some standalone forests depending on the deployment of the AD forests. The resources in one AD domain can be used by the users in another AD domain as long as the DNS resolution is functioning correctly. When data centers move or new network topology is designed, a single DNS change in one forest for a re-IP of a set of domain controllers could cause a blackout in other forests if multiple de-centralized administrators do not conduct the change properly with proper co-ordination. Forwarders will stop work, and delegations will become lame if all the distributed AD integrated DNS configurations are not updated accordingly.
Although Windows Server ships with the Microsoft DNS service, many network administrators use a non-Microsoft implementation of DNS. TCPWave provides a powerful platform to manage the active directory DNS records and zones.
The TCPWave DNS Appliance is based upon ISC's BIND, adopted as a global standard and widely used across the public Internet and many large enterprises. Existing AD deployments that rely on a BIND-based design can interoperate easily with the TCPWave DNS Appliance.
Existing BIND-based configurations can be quickly imported and deployed to TCPWave DNS Appliances using a powerful DIY (Do it Yourself) wizard.
The TCPWave DNS Appliance contains an elegant and user-friendly interface for manipulating DNS configurations and recording data. Powerful features found in most applications include multi-level undo/redo, cut/copy/paste, and data checking functionality that is not present in the Microsoft DNS application.
Changes are not visible on
the DNS appliances until the user has deployed the configuration. The
current implementation of the Microsoft DNS application applies the
changes to the DNS appliance. It creates issues for the applications
when simple typos are present in the configuration.
It is because records can be cached for a defined duration. It can lead to network
application/ service outages and stability issues. This issue is
because some applications do not respect DNS Time to Live (TTL)
values and will hold onto invalid data until restarted. Changes in
TCPWave can be staged so that a pre-staged change can automatically
occur at a scheduled time.
DNS security is often overlooked for private networks because an internal network is secure and separate from the outside world. The real problem lies with the sheer volume of exploits in the Windows operating system that plague network administrators. Worm viruses can unload payloads that attack internal systems and replicate while bringing a network to its knees. The SQL Slammer worm that exploited a known vulnerability in the Microsoft Data Engine (MSDE) attacked available root servers by generating bogus queries. These queries resulted in many ICMP packets being sent out, which eventually rendered some of the root servers offline. The internal DNS appliances got attacked in many organizations. The TCPWave DNS appliance contains an integrated firewall, IP packet spoofing, and a hardened Linux operating system that resists these attacks. Indeed, it is common knowledge that heterogeneous networks are more resilient to effective attacks since only some of the servers will be vulnerable to system-specific exploits.
The total cost of the TCPWave DNS Appliance is considerably lower than that of a Microsoft DNS server solution. Considering the volume of Windows updates, vulnerabilities, and scheduled maintenance combined with the Windows solution's simplistic management, the TCPWave solution offers a lower cost of total ownership, even within the first year of deployment.
