We graded each product on ease of setup, overall usability, error-checking capabilities and security features. The results: BlueCat's Adonis won our Editor's Choice award by a whisker. Its superior security and overall usability put it on top, though ApplianSys' DNSBox300 was hot on its heels.
Dishing Up DNS
Managing and maintaining DNS for any size shop can be a challenge. While small companies rely on their ISPs to provide DNS, most companies rely on internal resources running some variant of Unix or Microsoft. Let's face it: If your DNS goes down, you lose touch with the outside world, customers included.
Acknowledging the importance of healthy DNS configurations, the conventional approach requires someone with high-level administrative skills and understanding of your network's topology, so highly compensated individuals wind up devoting a large portion of their time to designing, setting up, maintaining and troubleshooting DNS. The approach works, but the consequence is that DNS often ends up being a large, hidden expense in the IT budget.
So here's our answer to the question of why you need a DNS appliance: All three of the products we tested help manage those hidden expenses by greatly reducing the effort required on the setup, care and feeding side of the equation, freeing up those big-dollar folks to focus on higher-level issues. The goal of these appliances is to make DNS easier to live with. And after extensive testing, we believe that, if your budget allows, these boxes are a worthwhile investment.
All three products can scale and support large installations via additional appliances, up to the DNS limit of 13 name servers per zone. BlueCat and Infoblox offer high-availability (HA) installations; more money will get you additional boxes and better theoretical uptime. We played with the HA setup from Infoblox and liked what we saw. (Without having equipment on hand from BlueCat, we couldn't provide a comparison, and ApplianSys' HA solution is in development. HA on primary DNS is not a high priority, as most shops are running multiple secondary servers.)
Big hosting companies like UltraDNS have reason to be nervous. Although it may take a highly technical person to design a DNS architecture for a global company, these products mean big talent is no longer required to maintain DNS.
Each of our contestants lets an administrator control the appliance (reboot, shut down, hardware and software status, autoupdate of OS and security patches) via remote client software. Standard DNS configuration (time to live and refresh) modifications also are implemented from the client interfaces. All are DHCP- and Dynamic DNS-compatible, and Infoblox's DNS One and ApplianSys' DNSBox300 can function as DHCP servers. Although we couldn't test Microsoft Active Directory compatibility in our Macintosh OS and Linux shop, each vendor offers extensive documentation for integrating with a Microsoft environment and can provide customer references for successful implementation in Windows environments.
Of course, if you're not using Active Directory in a disparate environment, setting up these appliances is simple. Once configured properly, all the units performed perfectly as primary DNS boxes both in our production environment and under test load. We experienced no outages or interruption of service with any of them. From a user's standpoint, our appliance testing was uneventful. To simulate heavy query volumes, we used the queryperf tool from ISC (available with BIND 9.2 sources, in the contrib folder) to pound the heck out of all three contenders. We ran our tests off a Red Hat Linux client and never stressed CPU or I/O loads above 40 percent. We couldn't quite generate the numbers promised by the vendors (Adonis claims 8,400 queries per second, or 725 million theoretical queries per day, for example), but we could consistently get between 2,000 and 6,000 queries per second on all three appliances using queryperf, for a simulated 172 million to 517 million queries per day.
Each product hosts DNS from a streamlined, hardened OS environment where any services or devices not used to provide name resolution have been stripped from the kernel. (For more on hardened Linux setups, see "Hardened Linux Puts Hackers EnGarde".) Compared with our network's Red Hat Linux box running a GUI tool like QuickDNS 4.x from Men&Mice, life is more convenient with any of these boxes and their autoupdate capabilities. Although we continue to be satisfied with the features and performance of QuickDNS, keeping up with fixes and security patches for the OS platform it rides on can be a bear. Each appliance provides secure DNS functionality in an easy-to-manage box that keeps itself up to date.
Infoblox DNS One provides solid client-to-appliance communication via SSL, and ApplianSys DNSBox300 offers solid primary-to-secondary communication via TSIG (transfer signature). BlueCat Adonis does both. And thanks to blocked ports and hardened Linux setups, all three products offer much better security than BIND on a Unix or Windows Server right out of the box.
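To show what the TSIG protection on primary-to-secondary traffic actually checks, here is an added example (not code from any of the reviewed appliances or from BIND) that signs and verifies a zone-transfer request following RFC 2845 in Python. The key name, shared secret, zone and timestamps are constructed, and hmac-sha256 (RFC 4635) stands in for the hmac-md5 algorithm of the BIND 9.2 era.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    """Domain name in DNS wire format, lowercased: RFC 2845 requires canonical form in the MAC."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC, in RFC 2845 section 3.4.2 order:
    key NAME, CLASS (ANY=255), TTL (0), algorithm name, time signed (48 bits), fudge, error, other data."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def axfr_request(zone, msg_id=0x1234):
    """Constructed sample: DNS header plus the question of a zone-transfer (AXFR) request, no TSIG RR yet."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)      # QDCOUNT=1, everything else 0
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)  # QTYPE=AXFR, QCLASS=IN

def tsig_sign(message, key_name, secret, time_signed, fudge=300, algorithm="hmac-sha256"):
    """Primary side: MAC over the unsigned message followed by the TSIG variables (request case, no prior MAC)."""
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()

def tsig_verify(message, mac, key_name, secret, time_signed, now, fudge=300, algorithm="hmac-sha256"):
    """Secondary side: returns the TSIG error name the server would answer with (RFC 2845 section 4.5)."""
    expected = tsig_sign(message, key_name, secret, time_signed, fudge, algorithm)
    if not hmac.compare_digest(mac, expected):   # constant-time compare; any tampering or wrong key lands here
        return "BADSIG"
    if abs(now - time_signed) > fudge:            # replayed request or badly skewed clock
        return "BADTIME"
    return "NOERROR"

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed; a real deployment generates this with a key tool
    request = axfr_request("example.com")
    mac = tsig_sign(request, "xfer-key.example.com", secret, 1_000_000)
    print(tsig_verify(request, mac, "xfer-key.example.com", secret, 1_000_000, now=1_000_100))  # NOERROR
    print(tsig_verify(axfr_request("other.example.com"), mac, "xfer-key.example.com", secret,
                      1_000_000, now=1_000_100))                                                 # BADSIG
    print(tsig_verify(request, mac, "xfer-key.example.com", secret, 1_000_000, now=1_000_900))  # BADTIME
```

A secondary that gets BADSIG or BADTIME refuses the transfer, which is the check that stops an unauthenticated host from pulling a whole zone even when it can reach the server.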