Infoblox DNS/DHCP appliance makes HA clustering easy

If a network is like a car, then DNS is the ignition key. To extend that analogy, DHCP might be the battery. These two services are among the lightest available on any network, but no network can function without them. Without DHCP, address management becomes a nightmare. Without DNS, no one can access much of anything at all.

In an enterprise network, these services usually reside on the same local server or on a central server pushing DHCP scopes to remote sites and serving DNS requests across WAN links. Though this architecture ties the fate of remote networks to the WAN, network managers typically choose it to avoid installing servers at remote sites where administrators are loath to tread. Providing DNS and DHCP services in an easy-to-cluster appliance, Infoblox offers a way to bring never-die network services to remotely (or scarcely) supported environments.

The Infoblox-1000 DNSone is simple to configure. When first powered up, the box assumes a 192.168.1.2 IP address and is immediately accessible via the Web, or you can configure the IP parameters using the LCD panel on the front or through the serial interface.

Entering the DNS Zone

Once on the network, the device is managed from a Java interface served via SSL to a Web browser. I had no problems working with the interface while running Firefox on Linux, Mac, and Windows, nor did IE show any problems. Two caveats: The client is best suited to running on Java 1.4 rather than Java 1.5. And certain administrative tasks that involve changing core parameters of the device require a full restart of the Web browser. In some instances I had to reboot my client PC to resume using the Web interface.

The administration console is well laid out. Adding and removing zones and scopes is simple, and comfortable views of current zone data are easily had.
Because the Infoblox runs Internet Systems Consortium’s BIND (Berkeley Internet Name Daemon) and DHCPD (Dynamic Host Control Protocol Daemon) packages, every option you could desire is available. Microsoft’s AD (Active Directory) is directly supported, so the Infoblox easily serves as the DNS server in an AD environment. The solution also fully supports dynamic DNS registration, and it’s much better at handling dynamic DNS scavenging than is Microsoft’s DNS server. Because host information is located in a central database on the Infoblox, a DHCP lease expiration will automatically remove address and pointer records, eliminating the problem of DNS ghosts.

Impressive HA (high-availability) and clustering capabilities allow you to configure two Infoblox-1000 devices to work as an active/passive cluster, bringing together custom synchronization and working with VRRP (Virtual Routing Redundancy Protocol). Intracluster communication is nicely handled by an encrypted tunnel between the devices. Beyond this, you can cluster HA nodes into a single entity, or grid, allowing for management of the whole cluster from a master console. This includes automated OS upgrades to cluster nodes, automated zone synchronization, and overall zone management, all of which the Infoblox makes simple and straightforward. The $4,995 per node clustering cost is steep, but the ability to manage all the devices across the network from a single console eases administration significantly.

Feeds and Speeds

In the lab, I built two HA clusters of Infoblox-1000 devices on separate VLANs on a Layer 3 switch. A few laptops served well as DHCP and DNS clients, and a dual-Xeon Dell PowerEdge 2600 running Red Hat Advanced Server 4 served as a load generator.

I created a DNS zone of 100,000 records on a second Linux server and configured the same zone on the Infoblox.
Handily, a feature in the zone-creation dialog box allows you to configure a master zone and import the zone via DNS AXFR (Asynchronous Full Transfer Zone) from another server. I then transferred the 100,000-record zone into the cluster and transferred the corresponding reverse zone. Here I experienced a hitch. During the import of the large reverse zone, the cluster fell off the network. After probing around the boxes with the serial console, I couldn’t get any response from them. Power cycling the units didn’t alleviate the problem either, but when given enough time (presumably to do file system checks on the boot disk), the cluster did reboot back to its previous state. A subsequent reimport of that zone did not trigger the same problem.

Once I had the large zone in place, I ran query performance benchmarks against the cluster. At the top end, the Infoblox appliances handle about 22,700 queries per second, which should suffice for almost any application. I did note that the queries per second rate dropped significantly when importing larger zones using the GUI. The Infoblox-1000 performs well when compared to a Dell PowerEdge 2800 with dual 3.4GHz Xeon EM64T CPUs running Red Hat Enterprise Linux 4 and a stock BIND name server, which handles about 36,000 queries per second. I conducted my query tests against a 100,000-record zone, but the seed list was limited to 100 records to better simulate real-world experience. Using a seed list of 100,000 records, the Infoblox’s performance fell off significantly due to opportunistic cache aging. The PowerEdge nearly maintained its previous performance level.

Next I tested the clustering fail-over speed. I ran a script to continuously query the VIP (Virtual IP Address) of the cluster every second. I then forced a fail-over. Initially this did not go as planned, with the passive node failing to assume the primary role. I replaced the questionable node with another Infoblox unit and brought it into the HA cluster.
This configuration worked flawlessly. I witnessed successful fail-over events completing within five seconds.

Clustering Infoblox-1000 devices is unbelievably simple. From box to cluster node, it took five minutes to configure the node, and only a few more to synchronize the zone and scope data. Infoblox has done a remarkable job. If you need to guarantee DNS and DHCP availability for a substantial network, these appliances deserve a close look. Although DNS and DHCP aren’t especially challenging to administer, the out-of-the-box high-availability clustering combined with the ease of configuration provided by the Infoblox-1000 is attractive.

InfoWorld Scorecard: Infoblox-1000 DNSone
Configuration (20.0%): 7.0
Performance (25.0%): 8.0
Management (25.0%): 8.0
Scalability (20.0%): 9.0
Value (10.0%): 8.0
Overall Score (100%): 8.0
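
The fail-over test described in the review (querying the cluster's virtual IP once per second and timing the gap in answers) could be scripted as follows. This is an added example, not the reviewer's script; the function names, the 0.8-second probe timeout and the sample data are assumptions made for illustration.

```python
import socket, struct, time

def build_query(name, qid):
    """Encode a minimal DNS query for the A record of `name` (recursion desired)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe(vip, name, qid, timeout=0.8):
    """True if `vip` returns a DNS response whose ID matches our query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (vip, 53))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, host unreachable, port refused
            return False
    return len(data) >= 12 and struct.unpack("!H", data[:2])[0] == qid

def monitor(vip, name, duration, interval=1.0):
    """Probe once per `interval` seconds; return [(seconds_since_start, answered)]."""
    samples, t0, qid = [], time.monotonic(), 0
    while (now := time.monotonic() - t0) < duration:
        qid = (qid + 1) & 0xFFFF
        samples.append((round(now, 1), probe(vip, name, qid)))
        # Subtract the time the probe itself took so the cadence stays steady.
        time.sleep(max(0.0, interval - (time.monotonic() - t0 - now)))
    return samples

def outage_windows(samples):
    """Return [(first_failed_probe, first_answer_after, seconds)] per outage.
    An outage still open when sampling stops is reported as (start, None, None)."""
    windows, start = [], None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts, ts - start))
            start = None
    if start is not None:
        windows.append((start, None, None))
    return windows

# Constructed sample: one probe per second, no answers from t=10 through t=14.
SAMPLE = [(t, not 10 <= t < 15) for t in range(20)]

if __name__ == "__main__":
    print(outage_windows(SAMPLE))
```

With one-second probes the measured window is accurate only to about a second, so a reported five-second gap means the real interruption lasted roughly four to five seconds.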