NameVault™ DNS Appliance FAQ


Windows

Q. Does NameVault™ provide DHCP services?
A.
No. NameVault™ is a dedicated DNS appliance. NameVault™ does, however, support dynamic updates from DHCP servers (see below).

Q. Does NameVault™ support Windows Active Directory integration?
A.
Yes, NameVault™ fully supports Active Directory integration. Active Directory support is available as a zone option (described in the product-specific section below).

Q. I’m currently running Windows DNS services and I would like to use my existing DNS files. Is this possible?
A.
NameVault™ has a Windows migration tool that will allow you to migrate your existing Windows DNS files to NameVault™.

Q. Does NameVault™ support Dynamic DNS Updates (DDNS)?
A.
Yes, NameVault™ supports Dynamic DNS. Since many ISPs and organizations use DHCP servers to dynamically assign end stations IP addresses, DNS servers must be able to keep up by supporting the dynamic addition and deletion of records. This feature allows users to perform Dynamic DNS (DDNS) updates to the authoritative DNS records without using the management console or editing zone files. The process involved in configuring this is similar to that used for Active Directory support.

Q. How do I enable support for Windows Active Directory to an existing zone?
A.
Right-click the zone in question within the Management Console and select the option Enable Active Directory. This will bring up the Active Directory Wizard, which will guide you through the process of adding Domain Controllers and DHCP servers to the zone update list for NameVault™.


General

Q. What makes up the NameVault™ DNS Appliance product offering?
A.
The NameVault™ DNS Appliance is a dedicated DNS appliance. The product offering is a solution comprising the hardware appliance itself, the secure OS, the DNS server based on BIND 9 (see the NameVault™ product brochure for details), and the powerful cross-platform Java®-based management console application, which is the heart of the NameVault™ product. The NameVault™ management console allows for the quick and simple configuration and management of the entire DNS architecture.

Q. What operating system does NameVault™ run on?
A.
The NameVault™ appliance runs a customized version of Debian Linux. The kernel version currently in use is 2.4.x. The operating system has been hardened and all non-essential services / ports have been removed and locked down.

Q. Does NameVault™ provide any firewalling functionality?
A.
For additional security above and beyond the hardened operating system, NameVault™ includes a built-in packet filtering firewall. The firewall is configurable and drops all incoming requests that are not DNS or handled by the management software.

Q. We manage a very large DNS infrastructure and performance is critical to us. How many queries per second (QPS) can NameVault™ handle?
A.
In-house tests have shown that NameVault™ can deliver upwards of 26,000 QPS. These tests were conducted using 2,000,000 queries with 5% being invalid. Considering the fact that root DNS servers are required to only handle 3,500 QPS, NameVault™ can scale to meet the needs of the most demanding organizations and networks.

Q. What type of system do I require to run the NameVault™ Management Console?
A.
Since the NameVault™ Management Console is a Java®-based application, any system that supports Java® version 1.3 or higher will support NameVault™. The management console has been tested on the following platforms: Windows® (Windows® 95 and higher), Linux and Solaris. Other platforms may work, but have not been verified.

Q. What does the Live Data Check feature do?
A.
Once a configuration is deployed to the NameVault™ appliance the Live Data Check feature can be utilized. This feature performs a brute force lookup on a live server for every record in the DNS configuration. Missing or different data is flagged and displayed to the user.

Q. Does NameVault™ maintain system logs? If so, how can I view them?
A.
Yes, NameVault™ maintains System and Synchronization logs. To view them, simply select the Log option from the left pane of the Management Console. You can then select the log you would like to see and, in the right pane, choose whether to view the Entire Document or the Last N Lines. When you have made your selections, click the Download Log button to view the log file within the Management Console. You also have the ability to Search, Cut, Copy and Paste items within the log file.

Q. How do I update the software on my NameVault™ DNS Appliance?
A.
NameVault™ includes an appliance Auto Update feature that solves this problem by providing updated versions of BIND within 48h of their release. Appliance and client software are also updated online to keep your configuration current. The process is initiated and monitored via the management console.

Q. How does BorderWare diagnose hardware problems with NameVault™?
A.
Part of BorderWare’s warranty involves our hardware replacement service. Since DNS is a critical network service, we do not waste time diagnosing hardware failures. Instead, BorderWare will replace your damaged appliance (hardware) within one business day. Once the hardware arrives and gets physically installed, you can simply re-synchronize your configuration, using the Management Console, and within minutes, the new appliance is fully functional again.

Q. How much does NameVault™ cost?
A.
The price for the NameVault™ DNS Appliance is $11,995 USD, which includes the hardware (1U appliance), licensed client software, and a one-year extended warranty which includes all patch/client/kernel updates, security vulnerabilities (addressed within 48hrs), updates to BIND (we are enrolled with the CERT advisory), Next-Business-Day Hardware Replacement, phone/email support during business hours, and 24/7 Level II Emergency Response.


Configurations

Q. I’m currently running BIND and have very detailed and large DNS configuration files. Do I have to start from scratch when using NameVault™?
A.
No. NameVault™ includes a powerful import tool that allows users to import multiple versions of BIND including 4.x, 8.x and 9.x. Once the configuration files have been imported into NameVault™, the data checking and validation feature can be used to verify the configuration and correct any errors found.

Q. My DNS configuration is very large. Is there a way that I can find errors without having to manipulate large text files on individual DNS servers?
A.
Yes. A powerful feature of NameVault™ is its ability to check a configuration for syntactical and logical errors before it is even deployed. This feature analyses how the DNS resource records are named and how they are interlinked with each other. Syntactical errors, such as invalid space characters from imported data or names intended to be absolute that are in fact relative, are located and can be quickly corrected. Once a configuration is deployed to the server the Live Data Check feature can be utilized. This feature performs a brute force lookup on a live server for every record in the DNS configuration. Missing or different data is flagged and displayed to the user.
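
The two syntactical errors named above, shown as an added example that is not NameVault™ code: in BIND zone-file syntax a name without a trailing dot is relative to the zone origin, so a name typed in full silently gets the origin appended. The zone name, the records and the function names are constructed for illustration.

```python
# Added illustration; not NameVault code. Zone name and records are constructed.
ORIGIN = "example.com."

ZONE_LINES = """\
www              IN A     192.0.2.10
mail.example.com IN A     192.0.2.20
@                IN MX 10 mail.example.com
ftp              IN CNAME www
ns1.example.com. IN A     192.0.2.53
bad name         IN A     192.0.2.99
""".splitlines()

# Record types whose last RDATA field is itself a domain name
NAME_RDATA = {"CNAME", "NS", "MX", "PTR", "SRV"}

def expand(name, origin):
    """BIND's rule: a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def check_zone(lines, origin=ORIGIN):
    """Return (line number, problem, detail) for each suspicious record."""
    findings, bare = [], origin.rstrip(".")
    for lineno, line in enumerate(lines, 1):
        tokens = line.split(";")[0].split()          # drop trailing comments
        if "IN" not in tokens[:-1]:                  # need a class and a type
            continue
        cls = tokens.index("IN")
        owner = [t for t in tokens[:cls] if not t.isdigit()]  # skip optional TTL
        rtype, rdata = tokens[cls + 1], tokens[cls + 2:]
        if len(owner) > 1:
            findings.append((lineno, "space in owner name", " ".join(owner)))
            continue
        names = owner + ([rdata[-1]] if rtype in NAME_RDATA and rdata else [])
        for name in names:
            # Ends with the zone name but has no trailing dot: almost certainly
            # meant to be absolute, yet the server will append the origin again.
            if not name.endswith(".") and (name == bare or name.endswith("." + bare)):
                findings.append((lineno, "missing trailing dot", expand(name, origin)))
    return findings

if __name__ == "__main__":
    for lineno, problem, detail in check_zone(ZONE_LINES):
        print(f"line {lineno}: {problem}: {detail}")
```

The detail column for a missing dot is the name the server would actually publish, which is what a lookup against the live server would fail to match.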

Q. I’ve accidentally deleted an entire zone and all records associated with it. What can I do about this?
A.
NameVault™ includes multi-level undo/redo support for up to 100 operations back. This flexibility lets the user try different configurations without penalty and loss of data. As well, any accidentally deleted data can quickly be recovered. Cut, copy and paste features allow the user to move data between zones without re-entering it.

Q. Can the NameVault™ Management Console store multiple DNS configuration files?
A.
Yes. The management console stores multiple DNS configuration files as flat files on the management PC. These files can be stored offline or on a shared network drive, which will assist in disaster recovery if required.

Q. How does NameVault™ manage more than one DNS appliance?
A.
The management console manages your entire DNS infrastructure as a single view. Any changes or additions made to master appliances are automatically reflected to the appropriate slave appliances. The advantage of this type of management architecture is that the process of connecting to individual appliances to perform management functions is now eliminated. As well, errors associated with multiple appliance environments are also eliminated, especially when the data checking and validation features are used.

Q. I’m not too sure what type of DNS architecture I should be using. Can NameVault™ help?
A.
Yes. A powerful feature of NameVault™ is the DNS Architecture Wizard. Many system architects spend many hours determining the best DNS configuration for their enterprise. Implementation of the chosen architecture can additionally take time and extensive testing. NameVault™ simplifies this task through its DNS Architecture Wizard. This system guides the user through the selection and configuration of the appliances. The resulting architecture contains the correct rules to ensure proper and secure DNS operation. The wizard handles standalone, master-slave, hidden/stealth master, Active Directory and caching appliance configurations.

Q. Once my base configuration has been built, how do I add a new zone?
A.
The NameVault™ Management Console provides a New Zone Wizard, which guides you through the process of setting up new zones in your configuration file. The Wizard allows you to create the following types of zones:


Master forward zone – contains the DNS resource records for outward transfers from other servers;
Master reverse zone – contains the DNS resource records for inward transfers from other zones;
Slave zone – replicates data from a master zone;
Forwarding zone – creates a zone that forwards to another server;
Caching zone – caches zone data.

Q. How do I delete a zone I no longer require?
A.
Within the Management Console, click the zone of interest, and then click the garbage can icon on the main toolbar at the top of the screen. Alternatively, you could right-click the zone of interest, and then click Delete on the pop-up menu. Another alternative is to click the zone of interest and simply press the Delete key on the keyboard.

Q. How do I add new resource records to a zone?
A.
The Management Console provides the Resource Record toolbar (located at the top of the right pane when a zone is selected). The toolbar buttons allow you to create the following types of resource records:

Host;
Alias;
Name server;
Mail exchanger;
Service;
Pointer;
Custom resource.

The console also includes a button (auto-generate), which allows you to generate your records incrementally.

Q. How do I import my existing BIND files into the NameVault™ Management Console?
A.
The Management Console includes a Wizard that allows you to import your existing BIND configuration files. You can easily import existing BIND (4/8/9) configuration or database files. The Import Wizard is initiated by selecting File / Import from the Management Console. You then simply follow the prompts of the Wizard to complete the import process. Once the configuration files have been imported into the NameVault™ Management Console, you can verify the configuration before live deployment, using the Data Check and Live Data Check features.


Security & Availability

Q. Does NameVault™ provide load-balancing services (like the F5 products)?
A.
No. However, NameVault™ can work alongside load balancers like F5.

Q. Are there any security measures in place to protect communications between the management console and the appliance itself?
A.
Yes. The management console software supports SSL and TrueAuthentication™. The software connects and deploys configurations to the NameVault™ appliance through a 128-bit connection using certificates on both ends. This connection protects against unauthorized connections and packet snooping. Since the appliance requires that the incoming connection be authenticated with a certificate, port scans will show the management port as "empty". The TrueAuthentication™ system is used to authenticate user connections through the use of self-generated certificates.

Q. Does NameVault™ support transaction signatures (TSIG) for securing DNS messages?
A.
Yes. NameVault™ can be configured to perform transaction signatures as a means of securing and authenticating DNS updates and zone transfers. Using a shared secret between the two appliances, a hash value is computed to determine if the request was authentic.

Q. How do I protect my DNS infrastructure from a failure of my master appliance?
A.
NameVault™ DNS Appliances support high availability configurations. NameVault™ DNS Appliances can be connected to form a high availability Master cluster. Two NameVault™ nodes will act as an active / passive pair to handle fail-over conditions (should the active master appliance fail). During a failure, the passive node will take full control of all active appliance functions and traffic load in less than two seconds.

Q. I have several DNS servers in my network. Can I manage them all at once from the management console?
A.
Yes. Another key strength of the NameVault™ solution is its powerful One-to-Many configuration capability. The NameVault™ Management Console allows the configuration of multiple servers in a single project file. This removes the tedious task of making sure that the slave (secondary) zones match their corresponding masters (primaries). Resource records can be "Linked" between servers and/or zones to create configurations that update themselves based on key records. The one-to-many relationship is also used to further validate the data using the console's "Check Data" feature to make sure that authoritative records can be resolved correctly.

Q. I’ve recently heard of a CERT Advisory that affects DNS servers running BIND 9.x. What do I do about it?
A.
NameVault™ includes an appliance Auto Update feature that solves this problem by providing updated versions of BIND within 48h of their release. Appliance and client software are also updated online to keep your configuration current. The process is initiated and monitored via the management console.

Q. Can I temporarily enable Ping on my NameVault™ appliance?
A.
Yes. The built-in Firewall can be managed under the Security / Firewall option on the left pane of the Management Console. To enable ping or any other ICMP filtering option, simply place a check mark next to the option Allow incoming ping request. To disable ping, simply remove the check mark from the box (by clicking the box to the left of the option).

Q. My company is fairly large. High performance and stability is critical to us. What types of customers are running NameVault™ DNS Appliances?
A.
BorderWare’s NameVault™ DNS Appliance is based on the Award Winning Adonis DNS Server by BlueCat Networks. BlueCat Networks has had the number one DNS appliance for the last 2 years running. Customers range from small companies managing one or two zones, to very large companies managing thousands of zones. Some clients include General Motors, US Navy, Lockheed Martin, Federal Aviation Administration, Airlines Reporting Corporation, DTE Energy, Ernst & Young, BP, CB Richard Ellis, FT Interactive Data, Bosch, Ziff Brothers Investments, Sybase, Sony, USLEC, ADP, AC Nielsen, TaylorMade Golf, McCoy Corporation, RICOH, ILC Dover, Charter Communications, Nationwide Provident, Dade Behring, Purdue Pharma, Boise Cascade, and many more.

Copyright © PacTech Private Limited. All Rights Reserved.