DNS Edge architecture best practices - BlueCat DNS Edge

DNS Edge Deployment Guide

Understanding the existing DNS architecture is critical to deploying DNS Edge. DNS Edge will become the first-hop DNS server for the endpoints that use it for security and visibility.

BEST PRACTICE: BlueCat recommends that you document the existing architecture with the goal of understanding where the groups of endpoints are, and which DNS servers they currently use. This allows the service points to be inserted into the architecture appropriately.

As with all DNS architectures, the network should be configured to control access to DNS servers. When the service points are deployed, firewall rules or access control lists should be updated to allow DNS resolution only through the service points and to exclude the existing DNS servers.
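
Added example (not from the BlueCat guide): a Python check over exported firewall flow records that reports clients still sending port 53 traffic somewhere other than the service points, as a way to confirm the rule change described above took effect. The record format, all IP addresses, and the exemption for the service points' own upstream queries are assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address

# Assumed addresses from documentation ranges; replace with your own inventory.
SERVICE_POINTS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
LEGACY_DNS = {ip_address("198.51.100.53")}

# Constructed flow records: time,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2024-01-01T10:00:00Z,10.1.1.20,192.0.2.10,udp,53,allow
2024-01-01T10:00:01Z,10.1.1.21,198.51.100.53,udp,53,allow
2024-01-01T10:00:02Z,10.1.1.22,198.51.100.53,tcp,53,deny
2024-01-01T10:00:03Z,192.0.2.10,198.51.100.53,udp,53,allow
2024-01-01T10:00:04Z,10.1.1.21,203.0.113.8,udp,53,allow
2024-01-01T10:00:05Z,10.1.1.20,192.0.2.11,tcp,443,allow
"""


def find_dns_bypass(flow_text):
    """Count, per client, the DNS flows that did not go to a service point."""
    findings = defaultdict(lambda: {"legacy": 0, "other": 0, "blocked": 0})
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6:
            continue  # malformed record
        _, src, dst, proto, dport, action = (field.strip() for field in row)
        if proto not in ("udp", "tcp") or dport != "53":
            continue  # not DNS on port 53
        try:
            src_ip, dst_ip = ip_address(src), ip_address(dst)
        except ValueError:
            continue  # unparseable address
        # Service points are the permitted first hop; their own upstream
        # queries are exempt (assumption about how they are deployed).
        if dst_ip in SERVICE_POINTS or src_ip in SERVICE_POINTS:
            continue
        if action == "deny":
            bucket = "blocked"  # rule worked, but the client is still misconfigured
        elif dst_ip in LEGACY_DNS:
            bucket = "legacy"   # rule gap: old first-hop server still reachable
        else:
            bucket = "other"    # rule gap: resolver outside the architecture
        findings[str(src_ip)][bucket] += 1
    return dict(findings)


if __name__ == "__main__":
    for client, counts in sorted(find_dns_bypass(SAMPLE_FLOWS).items()):
        print(client, counts)
```

Clients that appear only under "blocked" are contained by the rules but still point at the old servers, so they are candidates for the DHCP or static reassignment work described later in this guide.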

Client primary and secondary DNS servers

Most endpoints make use of primary and secondary DNS servers (some operating systems require both primary and secondary DNS servers).

BEST PRACTICE: BlueCat strongly recommends that you provide primary and secondary DNS Edge service points for redundancy purposes.

Careful consideration and planning should also be given to the virtual hosts the service points are deployed to. If the service points are deployed on the same virtual host server, a failure of that single host would take down all of the service points running on it. Any clients leveraging those hosts would lose the ability to resolve DNS queries.

BEST PRACTICE: Deploy DNS Edge service points on different virtual hosts to provide node redundancy for the endpoints.

Client DNS server IP addressing – DHCP or static

It's important to understand the mix of clients the service points will be supporting. Are they primarily DHCP clients, or are they statically assigned?

If the clients use DHCP for assignment, the DHCP scopes or options will need to be modified to indicate the new DNS servers. For statically assigned DNS endpoints, a manual reassignment can be tedious and undesirable.

In environments where clients are predominantly statically assigned, it may be more efficient to have the service point assume the IP address of the existing first-hop DNS servers. This transition needs to be planned and implemented in a methodical manner.

Service point traffic load

DNS Edge service points are capable of handling millions of queries per day. In some cases of extremely high load, there can be a slight lag between the query being serviced and the events being logged to the DNS Edge query log.