Doesn't control over DNS require blocking port 53 against rogue (non-official) DNS servers?
Yes. Outbound UDP and TCP port 53 from client networks should be permitted only to the service points (and, for DDNS updates and zone transfers, to the authoritative DNS servers, since those still talk directly); otherwise a client or malware can simply point itself at an outside resolver and bypass Edge policy entirely. This is a critical best practice for all customers, with or without BlueCat Edge.
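A way to verify that the port-53 control actually holds, as an added example (not BlueCat's code): it runs over constructed iptables-style firewall log lines and reports clients whose DNS traffic went anywhere other than the sanctioned service points or the authoritative servers that DDNS clients and secondaries still reach directly. The addresses, the log format and the rule tag `DNS-EGRESS` are assumptions for the example.

```python
import re

# Assumed addresses for this example (not from the page).
SERVICE_POINTS = {"10.0.0.53", "10.0.1.53"}   # BlueCat Edge service points clients should use
AUTHORITATIVE_SERVERS = {"10.0.0.10"}          # reached directly for DDNS updates and zone transfers

# Fields as written by an iptables LOG rule; SPT sits between PROTO and DPT.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a firewall log line, or None if it has no DPT field."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def is_sanctioned(src, dst):
    """Port-53 traffic is fine when it targets a service point or an authoritative server,
    or when it originates from DNS infrastructure itself (a service point forwarding
    upstream, a secondary pulling a zone)."""
    if src in SERVICE_POINTS or src in AUTHORITATIVE_SERVERS:
        return True
    return dst in SERVICE_POINTS or dst in AUTHORITATIVE_SERVERS


def find_rogue_dns(lines):
    """Return sorted (src, dst, proto) tuples for port-53 flows that bypass the sanctioned resolvers."""
    hits = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if dport != 53:
            continue            # not DNS; out of scope for this check
        if not is_sanctioned(src, dst):
            hits.add((src, dst, proto))
    return sorted(hits)


# Constructed sample log: one sanctioned query, one direct DDNS/AXFR flow, one
# service point forwarding upstream, one non-DNS flow, and two rogue resolvers.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.10.4.21 DST=10.0.0.53 PROTO=UDP SPT=51234 DPT=53
Jan 10 10:00:02 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.10.4.21 DST=8.8.8.8 PROTO=UDP SPT=51235 DPT=53
Jan 10 10:00:03 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.10.7.9 DST=10.0.0.10 PROTO=TCP SPT=40112 DPT=53
Jan 10 10:00:04 fw kernel: DNS-EGRESS IN=eth2 OUT=eth0 SRC=10.0.0.53 DST=203.0.113.5 PROTO=UDP SPT=33001 DPT=53
Jan 10 10:00:05 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.10.7.9 DST=1.1.1.1 PROTO=TCP SPT=40113 DPT=443
Jan 10 10:00:06 fw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=10.10.9.3 DST=9.9.9.9 PROTO=TCP SPT=40114 DPT=53
"""

if __name__ == "__main__":
    for src, dst, proto in find_rogue_dns(SAMPLE_LOG.splitlines()):
        print(f"rogue DNS: {src} -> {dst}/{proto}")
```

Run it against a real LOG-rule feed rather than the sample and any hit is either a client that still needs redirecting (see the DHCP question below) or something deliberately avoiding the service points; either way it is a gap in the port-53 control.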
Does introducing another DNS layer decrease performance, or increase latency?
Not in any meaningful way. If BlueCat Edge service points are deployed as intended, close to client networks, DNS latency and response time should be improved overall versus a remote caching server.
How do we direct DNS traffic to service points? Do we have to re-IP existing DNS, or update the DNS server IPs handed out by DHCP and configured on servers?
Our suggestion is to start with redirecting DHCP clients to the IP address of the service point, and then work through statically-configured hosts as needed. It's possible to re-IP the existing DNS infrastructure instead, but this is potentially more disruptive.
How can I safeguard my clients against possible DNS Resolver Service failure?
If you're worried about this, add the IP address of your original DNS server to your clients as a secondary DNS server, after the Service Point's IP address. Be aware that the fallback bypasses Edge policy: a client that has switched to its secondary resolver (some stub resolvers keep using it for a while after the primary times out) resolves without service-point policy until it returns to the primary, so it is worth alerting on client queries that arrive at the original server directly.
What is the Edge caching performance?
- The Service Point was running on a BDDS 50 hardware appliance with Service Point software version 4.6.2 and DNS resolver service version 3.10.0.
- All queries were answered from the cache.
- The Service Point was running only DNS resolver service. No other services were running.
- The Service Point was configured to process queries on the physical interface (NIC) with a single primary address. No additional VIPs were configured.
What's the impact of number or size of policies on QPS?
We don't have a full spectrum of policy complexity versus QPS as a measurement. We have successfully tested multiple policies with hundreds of thousands of domains associated with them. There has been no measurable impact to QPS in these tests, and we will continue to work with customer use cases to ensure we maintain this level of performance.
What about DDNS updates? What about zone transfers?
DDNS clients and DNS servers communicate directly to perform DDNS updates and zone transfers. BlueCat Edge doesn't interfere with this communication. Make sure the port 53 controls described in the first question still allow DDNS clients and secondary DNS servers to reach the authoritative servers directly.
Wouldn't a compromised client just use IP addresses (or its control channel for resolution) and avoid DNS?
This is certainly possible; however, the vast majority of malware relies on DNS because the location of the command-and-control (C2) resources must be moved constantly to avoid other security controls, which makes DNS even more critical for it to function properly.
What actions are available using the API? If I can do it in the GUI can I do it using the API?
Yes: all operations/actions are available using the API. For detailed information about the API, see the BlueCat Edge User Guide (accessible from the top navigation bar in BlueCat Edge), which includes API documentation.