Every organization needs DNS services. The question is one of location. Should the DNS services reside inside the organization on in-house servers, at an ISP or hosting facility, or should an organization use a combination, often called the “split-DNS” approach? Let’s go over the pros and cons for each solution, as well as some important factors that have to be considered.
Defining our terms
When we use the term “in-house DNS” services, we are talking about DNS that is run on servers controlled by your organization’s IT department. “Outsourced DNS” services reside at an ISP or Web hosting provider.
In or out?
Many organizations make use of some kind of in-house DNS service, even if it’s just to maintain Active Directory in Windows 2000 or 2003. However, many of these same organizations also rely solely on the DNS servers at their ISP for their Web browsing needs, when these companies could benefit from handling some of their Web browsing DNS chores in-house.
Table A breaks down some factors that we need to consider when making a decision regarding DNS.
|Administration||DNS can be a fairly complex service. For organizations that face staffing problems or don’t have in-house IT staff, outsourcing DNS can be very useful. Any problems, additions, and deletions can be simply passed along to the outsourcing company. Also keep in mind the knowledge factor: ISP staff does this stuff for a living and probably runs into more problems with it that they know how to fix immediately than most small company administrators.||X|
|Bandwidth||If you have a high-traffic Web site that is accessible to the public and it’s in a hosting facility, having the DNS traffic traverse the corporate Internet connection can be inefficient and may result in slower Internet access for employees. ISPs and Web hosting facilities have plenty of bandwidth to handle this traffic. It’s good to get any unnecessary traffic off the expensive corporate connection in order to prevent the need to upgrade it.||X|
|Control||As a critical service, DNS needs to be closely controlled by an administrator. When you host DNS in-house, control rests in the hands of the organization and not with a vendor that doesn’t have a vested interest.||X|
|Cost||Since most operating systems (including Linux/UNIX and Windows) come with a DNS server of some kind, the only cost to running the service is the administrative cost and the most basic hardware and software fees. However, see the bandwidth section for another discussion about cost because bandwidth is expensive.||X|
|Flexibility||You can manage the DNS service any way you want when it’s in-house. When in the hands of a provider, you are bound by their rules and you may not be able to customize and extend the service in a way that you want or in the time frame that you demand.||X|
Most ISPs run redundant DNS servers. Since the service is so critical to the workings of the Internet, when it’s unavailable, most of your users will be stuck without being able to use the Internet. In addition to multiple servers, most ISPs also have multiple paths to the Internet. If one goes down, the DNS services are still accessible via a separate Internet connection. Redundancy is especially important when you have Web sites that have to be accessible 24/7. Finally, most ISPs also have backup power systems that are adequate to run the services for an extended time even when their facility has no power.
For small organizations that host Web sites outside their company, it makes a lot of sense to outsource DNS services to their ISP or to the Web hosting provider. Smaller organizations don’t usually have multiple servers or multiple connections to the Internet, which means that a failure of the Internet connection results in customers being unable to access the organization’s Web site, regardless of where it’s hosted.
Split DNS = Best of both worlds
In many cases, you need a combination of solutions, especially when using NAT to access the Internet. It can be a bit of a headache to get DNS to properly resolve names for your internal network as well as Internet and company resources outside your firewall. To solve this problem, you can configure a “split DNS” solution, resolving names both internally and externally to your network. This basically means that you use both internal DNS servers and your ISP’s DNS servers.
In split DNS, you set up a locally administered DNS server with a small zone file that only has entries for resources located inside the firewall. You configure the DNS server to answer all requests from workstations on the local network and forward any requests that can’t be resolved to the external name servers. You might consider adding internal DNS records that point to your external services along with their public IP addresses. This removes one hop from the name resolution process for services that your users depend on, but it will add a step to the process if you need to change one of those IP addresses later on.
Split DNS has a number of benefits. First, you can access local resources as seamlessly as external resources, without the need to set up hosts or lmhosts at your workstations. Second, since local workstations will use the internal DNS servers as their primary means of name resolution, the DNS server addresses at each workstation don’t need to be changed if the external DNS server’s IP address changes. If you’re using DHCP to provide DNS server addresses, this isn’t generally a big deal, but it does give you one less thing to worry about when network settings change.
How my organization handles DNS
I am the IT Director for a small nonprofit association. Our Web site, while not getting the number of hits of e-commerce sites like Amazon.com, does manage to get over a million hits per month. Each of those hits requires a DNS lookup of some kind. Of course, because of DNS caching at the client and other DNS servers, our DNS servers don’t see anywhere even close to a million requests. However, we only have a T1 to the Internet, which supports our 50 staff members, VPN, and intranet access.
Our public Web site is hosted at a hosting facility, while our intranet site runs on a Web server on our DMZ. All traffic out to the Internet (including servers in the DMZ) uses NAT with static addressing providing access back into the DMZ from outside. Thus, I don’t want external users who access our hosted Web site to have to resolve the DNS address over our slow, non-redundant T1 connection.
For these reasons, we use a split DNS solution. Outside access to both the external Web site as well as our intranet is resolved by our ISP’s DNS servers. Users behind the firewall use our Windows Server 2003-based DNS servers to resolve the internal addresses for things like our intranet, Web mail, etc. I have also configured these servers to handle all internal requests for all of our domains, even those that are hosted externally. This just saves the server from having to query the upstream DNS servers for requests relating to our domains. This can simplify things and result in better performance.
Take a look at your network and use Table A to help determine the factors that are most important for deciding your DNS needs. Also, consider split DNS servers to help optimize the situation and to cover all the bases if you have services that need to be accessible to both internal and external clients.