
Why DDI Solutions Are Not Always Ideal for Authoritative DNS

The distinction between “internal” and “external” networks has always been somewhat misleading.

Clients are accustomed to thinking of a firewall as a barrier between network elements exposed to the Internet and backend systems that are accessible only to insiders. However, as the delivery mechanisms for applications, websites, and content become more decentralized, these barriers are becoming more permeable.

The same goes for the people who manage those network elements. The same team (or the same people!) is often responsible for managing both internal network paths and external delivery systems.

In this context, it is natural that the DNS, DHCP, and IPAM (DDI) systems used to manage the “internal” network also influence how authoritative external DNS is managed. In small companies, this typically means IT managers spin up BIND servers on both sides of the firewall to handle network traffic. Midsize and large businesses often use commercial DDI solutions for authoritative DNS as well.

Most network administrators use a DDI solution for authoritative DNS because it gives them one less system to manage: both sides of the network are handled from a single interface. Combining internal and external network management means your team only needs to learn how to operate a single system, eliminating the need to specialize on one side of the network or the other.

Disadvantages of using DDI for authoritative DNS

Simplicity and ease of use often turn DDI into the default solution for authoritative DNS, but there are some compelling reasons to separate the two systems.

Security

If you run authoritative DNS on the same servers and systems as your internal DDI solution, you run the risk of a DDoS attack taking both sides of the network down. This is not a trivial risk. The frequency and severity of DDoS attacks continue to increase, and most businesses will experience one at some point.

Using the same infrastructure for internal and external operations increases the impact of outages and significantly increases recovery times. Losing the ability to reach your end users is bad enough; the situation gets even worse if you also lose access to your internal systems.

Unfortunately, most companies will not invest in the server capacity or defense measures necessary to absorb a significant DDoS attack. Over time, paying for all that idle capacity, along with the staffing and resources needed to maintain it, can get very expensive very quickly.

Separating authoritative DNS from internal DDI systems creates a natural gap that limits exposure in the event of a DDoS-related outage. This means you have two systems to manage, but it also means that those systems won’t go down together.

Scale

Network infrastructure is expensive to purchase and maintain. (Trust us, we know!) Most small businesses that use DDI solutions for authoritative DNS don’t have the resources to set up more than three or four locations to handle inbound traffic from around the world.

As a company grows, the load on its servers quickly becomes unsustainable. The experience for both customers and internal users begins to suffer in the form of increased latency and poor application performance. It is very difficult or impossible to coordinate traffic based on geography or other factors. DDI solutions simply aren’t designed to do that.

In contrast, a managed solution for authoritative DNS provides immediate global coverage with spare capacity. End users get a consistent experience that can be optimized to account for geography or many other operational factors. Internal users no longer compete for the same resources, so they also get a consistent and predictable experience.

BIND architecture limitations

DDI solutions are designed primarily for internal network management and are not intended to provide an Internet-facing authoritative DNS service. DDI vendors grudgingly support authoritative DNS use cases, recognizing that a certain percentage of their customers require them, but they are not prepared to provide long-term support. This is why most DDI vendors offer plugins and partnerships as a way to outsource authoritative DNS functions to other vendors.

Architecturally, this means that the DDI provider typically acts as a hidden primary, while the authoritative DNS partner is advertised as a “public secondary” system. This is an awkward workaround that can limit network functionality. The BIND architecture used by most DDI vendors limits their ability to support common authoritative DNS use cases, especially when partners are involved.

ALIAS record support at the zone apex is a good example. ALIAS records are common for sites with complex backend configurations, but unfortunately they cannot be implemented with BIND-dependent DDI, making name redirection at the zone apex tricky to handle.
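As an added illustration (not code from the original article or from NS1), the following Python models the apex problem: a CNAME may not share an owner name with the SOA and NS records every apex carries, so the redirection has to be flattened into address records instead. The zone records, the `RESOLVER` lookup table (a stand-in for live DNS queries) and the addresses are constructed sample data, and `ALIAS` is treated as a vendor pseudo-record rather than a standard DNS type.

```python
"""Apex CNAME conflict check and ALIAS flattening over a constructed zone."""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)
Lookup = Dict[str, List[Tuple[str, str]]]  # hostname -> [(type, rdata)]

def apex_cname_conflicts(zone: List[Record], apex: str) -> List[str]:
    """Record types that clash with a CNAME at the apex (empty if no CNAME).
    A CNAME may not share an owner name with other data, and the apex always
    holds SOA and NS, so a CNAME there never loads cleanly in BIND."""
    apex = apex.rstrip(".").lower()
    types = {t for n, t, _ in zone if n.rstrip(".").lower() == apex}
    return sorted(types - {"CNAME"}) if "CNAME" in types else []

def flatten_alias(zone: List[Record], resolver: Lookup, max_depth: int = 8) -> List[Record]:
    """Replace each ALIAS pseudo-record with the A records of its target.
    `resolver` stands in for live lookups; CNAME hops on the target side are
    followed so the apex ends up with plain A records BIND can serve."""
    out: List[Record] = []
    for name, rtype, rdata in zone:
        if rtype != "ALIAS":
            out.append((name, rtype, rdata))
            continue
        target = rdata
        for _ in range(max_depth):
            rrs = resolver.get(target.rstrip(".").lower(), [])
            cnames = [d for t, d in rrs if t == "CNAME"]
            if cnames:  # follow the target's CNAME chain one hop at a time
                target = cnames[0]
                continue
            addrs = [d for t, d in rrs if t == "A"]
            if not addrs:
                raise ValueError(f"ALIAS target {target} has no A records")
            out.extend((name, "A", a) for a in addrs)
            break
        else:
            raise ValueError(f"ALIAS chain for {name} exceeds {max_depth} hops")
    return out

# Constructed sample data (RFC 5737 documentation addresses).
BAD_ZONE: List[Record] = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "CNAME", "lb.cdn.example.net."),  # invalid at the apex
]
GOOD_ZONE: List[Record] = BAD_ZONE[:2] + [("example.com.", "ALIAS", "lb.cdn.example.net.")]
RESOLVER: Lookup = {
    "lb.cdn.example.net": [("CNAME", "edge.cdn.example.net.")],
    "edge.cdn.example.net": [("A", "203.0.113.10"), ("A", "203.0.113.11")],
}
```

In a real deployment the flattened A records must be refreshed whenever the target's addresses change, which is the work a managed ALIAS implementation does on every query.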

DDI vendors typically do not support traffic steering, but this is a table-stakes feature for authoritative DNS solutions. This is an important consideration, as even basic traffic adjustments based on geographic location can significantly improve response times and user experience.

Expense

From an infrastructure perspective, deploying a DDI solution for authoritative DNS is similar to building your own authoritative solution. All servers must be purchased, distributed globally, and maintained over time. The only difference is who you purchase the servers from (in this case, the DDI vendor).

As mentioned above, the significant costs of procuring and deploying a solution in this manner typically lead companies to minimize the number of servers they purchase. This results in limited global coverage and lower performance compared to managed DNS services like NS1. Not only will you end up paying more, but you’ll also have a smaller footprint, compromising the user experience.

Cost calculations don’t end with initial deployment. Operating and maintaining a DDI infrastructure is a daunting task that may require a significant commitment of dedicated (and specialized) resources over time. If you outsource that maintenance to a DDI provider, be prepared to pay more for a professional services contract. DDI companies often have very short equipment replacement cycles, so “maintenance” often equates to “replacement” over a three- to five-year period.

From a cost perspective, the benefits of a managed DNS service like NS1 over DDI providers are very clear. Managed DNS services provide extended global reach, built-in resiliency, and extensive functionality at a fraction of the cost charged by DDI providers. Add to this the lack of maintenance and replacement costs, and it really becomes a no-brainer.

It’s true that managed DNS providers charge usage fees, whereas a DDI appliance can handle a huge number of queries without them. However, even after accounting for query volume, the price of a managed solution is very attractive.

Path from DDI to Managed Authoritative DNS

If you’re already using a DDI solution for authoritative DNS, switching to a managed provider may seem a bit daunting at first. There are many operational factors to consider as part of a cutover, and there are inherent risks in flipping the switch completely.

That’s why we recommend starting with NS1 as a secondary for authoritative DNS. This allows the network team to test the system with some production traffic and become familiar with how it works. You can then migrate traffic gradually, phasing out DDI system workloads one at a time while scaling up your managed DNS solution.

Are you ready to see the benefits NS1’s managed DNS solution offers over DDI? Contact us today to receive a proof of concept.

Discover the benefits of NS1’s managed DNS solution.
