Adonis - Rock Solid DNS and DHCP
Overview
Adonis ensures that your DNS and DHCP services are secure, configured correctly and highly available. Features include:
- Support for IPv4 and IPv6 DNS and DHCP.
- Advanced VoIP support, including definable DHCP configuration options, built-in vendor profiles, support for ENUM and NAPTR records, as well as an integrated TFTP server to manage distribution of VoIP firmware.
- Certified interoperability with Microsoft Active Directory and Windows® DNS services.
- BlueCat’s Cross Over High Availability (XHA™) and integrated ISC DHCP Failover to deliver up to 99.999% service availability.
- A full complement of security provisions, including: a hardened Linux OS, built-in firewall, MAC filtering, pre- and post-admission NAC, and transaction signatures that shield your DNS services against cache poisoning, zero-day, spoofing, ID hacking and denial of service attacks.
- Seamless integration with Proteus IPAM.
The Adonis family of appliances is available as a hardware or a virtual solution. There is an Adonis appliance available for almost every environment, from the carrier-class 1750 to the XMB, designed for branches and small offices. The virtual Adonis is based on the hardware appliance and can be deployed into your existing virtual infrastructure.
High Availability
Adonis appliances offer redundancy with failover, automated software updates, error correction utilities, and a number of security provisions to deliver up to five nines (99.999%) availability for DNS and DHCP services. With Adonis, mission-critical applications always have access to DNS and DHCP.
Achieving High Availability DNS
Primary-Secondary DNS Architectures
DNS is a scalable, distributed service, with provisions for failure conditions. A primary-secondary server architecture offers redundancy and load balancing: the primary DNS server hosts ‘master’ copies of the zones while one or more secondary servers host secondary, or ‘slave’, copies. All DNS updates are made to the primary server, which then propagates the updates to secondary servers through a mechanism known as zone transfer. Secondary servers resolve DNS queries to relieve the primary of some (or all) of the workload. Secondary servers also provide service continuity should the primary server go offline.
The failure of a primary server in a primary-secondary configuration can still cause serious problems. DNS data on secondary servers is given an ‘expiration time’, after which it is deemed obsolete. When a secondary server ‘expires’, it enters a failure state and ceases to answer queries. Since the primary server updates the secondary servers, if the primary is offline long enough, all secondary servers eventually expire and DNS name resolution ceases.
Adonis Offers High Availability
For most organizations, a DNS service outage results in lost productivity – and perhaps lost revenues – as business applications slow down or cease functioning altogether. Prudent organizations with mission-critical DNS applications augment the failsafe provisions of DNS with Adonis highly available DNS/DHCP appliances.
Adonis appliances are hardened, and purpose-built for the secure, reliable delivery of DNS and DHCP services. They are considerably more robust than general-purpose servers ‘out of the box’. To enhance resiliency further, Adonis incorporates BlueCat’s DNS Crossover High Availability or XHA™.
Adonis DNS Crossover High Availability (XHA)
In a DNS XHA configuration, two Adonis appliances are deployed in an active-passive high-availability pair. You can deploy DNS primary servers, secondary servers, or even caching servers in an XHA configuration. The two appliances share an IP address that DNS clients use for queries.
The appliances connect over the network to keep the passive unit apprised of the ‘health’ of its active partner. If the active appliance should fail, control is transferred to the passive unit and it assumes the active role. When the original active unit is restored, it takes on the passive role.
Many DNS HA systems handle DDNS poorly. The active node receives updates but the passive unit does not, leaving it ill-prepared to assume active duty in the event of failover. XHA uses an enslaved primary as the passive node. Updates sent to the active unit are automatically propagated to its passive partner as standard incremental zone transfers. Since both appliances are kept in sync, failover is automatic, without manual intervention. Automatic failover ensures customers do not experience a service disruption and resolution latency remains consistent.
'Self Healing' Utility
Adonis DNS appliances feature a Self Healing Utility that ensures a valid configuration exists before a passive Adonis appliance joins an XHA cluster. It guarantees that the passive unit is always synchronized with its active partner, even if the passive appliance was unavailable at the time the active unit was configured. The Utility also provides repair tools to resolve broken HA configurations, and ease swap-out of either appliance in the cluster, should replacement be required.
Security
DNS is the number one point of attack on corporate networks, due in no small measure to the number of security vulnerabilities that exist when the service is delivered on general purpose Windows platforms. Adonis is a purpose-built DNS/DHCP appliance, representing a significant improvement in system security. It provides a number of safeguards to protect against cache poisoning, DNS amplification, denial-of-service, zero-day and other attacks.
Hardened Linux Kernel
Adonis security begins with a hardened Linux operating system kernel.
- All non-essential OS services and network service daemons have been removed
- All required modules have been compiled into the kernel (to help ensure that rogue modules cannot be easily inserted)
- The firewall and IP stack have been hardened
- The BIND and remote control daemons are started with control scripts, instead of the inet daemon
These modifications provide greater control over what services are running and when they are started. Collectively, they harden the platform against attack. In fact, in over 4,000 deployments, the Adonis OS has never been breached.
Adonis’ full complement of security provisions are summarized below.
Integrated Firewall
- Blocks all incoming non-essential service requests including harmful ICMPs.
- Exposes only essential ports including 53 (DNS), 67 (DHCP) and Port 10042 (Client/Server Control) thereby limiting exposure to non-essential data traffic.
- Contains attackers who are able to compromise the exposed services.
- Negligible performance impact (~0.5%).
DHCP MAC Filtering
- Adonis maintains a list of authorized MAC addresses and distributes IP leases only to devices with addresses on the list.
Pre-Admission Network Access Control (NAC)
- Strong complement to DHCP MAC Filtering.
- Adonis DHCP interoperates with popular authentication and directory services such as LDAP, RADIUS, Active Directory and Kerberos, to authenticate end users. Adonis assigns IP addresses only to those users who have been properly authenticated.
- Pre-admission NAC can be used to control users’ access privileges (e.g. authenticated users may be restricted to pre-determined subnets).
- Improves network security, reduces network congestion and helps organizations comply with security policies.
Support for Transaction Signatures (TSIGs)
- Transaction Signatures employ a ‘shared secret’ – a symmetric, cryptographic key – that allows primary and secondary DNS servers to authenticate each other.
- A form of digital signature, TSIGs ensure the integrity of DNS zone transfers – either the primary or secondary server can determine if transaction data has been modified en route.
- TSIGs complement access control lists to restrict DNS zone transfers to explicitly authorized secondary servers (only holders of the TSIG shared secret are granted zone transfers, making it extremely difficult for an attacker to spoof the identity of a secondary server). They ensure that DNS information purporting to be from a certain server is actually from that server.
- Similarly, TSIGs authenticate DNS clients and recursive name servers.
Masked BIND Version Number
- Network administrators can configure the exact response they want returned when an Adonis appliance is queried for its BIND version.
- Obfuscates sensitive version information from potential attackers.
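As an added example (not BlueCat's shipped configuration), the BIND named.conf fragments below show how the TSIG and masked-version provisions above are expressed in BIND itself: a shared HMAC key, zone transfers granted only to requesters that sign with that key, and an administrator-chosen string returned for version queries. The key name, secret, zone and addresses are placeholders.

```conf
# Added example, not the appliance's shipped configuration.
# --- Primary ("master") named.conf fragment ---
# Key name, secret and addresses are placeholders; generate a real
# secret with tsig-keygen and install the same key on both servers.

key "xfer-key" {
    algorithm hmac-sha256;
    secret "<BASE64-SECRET-PLACEHOLDER>";
};

options {
    # Masked BIND version: this string is returned for version.bind queries.
    version "not disclosed";
    # Default deny: no zone is transferable unless a zone clause overrides it.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    # Only a requester that signs its AXFR/IXFR with xfer-key gets the zone.
    # An address-only ACL trusts the source IP; the shared secret does not.
    allow-transfer { key "xfer-key"; };
    # Tell the secondary to pull the update promptly after a change.
    also-notify { 192.0.2.2; };
};

# --- Secondary ("slave") named.conf fragment ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<BASE64-SECRET-PLACEHOLDER>";   # must match the primary's key
};

# Sign every message (SOA checks, AXFR/IXFR requests) sent to the primary.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type slave;
    file "db.example.com.bak";
    masters { 192.0.2.1; };
};
```

To check the result, `dig @192.0.2.1 version.bind CH TXT` should return the masked string, and an unsigned `dig @192.0.2.1 example.com AXFR` should be refused while the same request signed with the key succeeds.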
Certificate-based Security
- Proteus communicates securely with Adonis appliances with SSL.
- Mutual, certificate-based authentication allows Proteus to verify the identity of an Adonis appliance (and vice versa) prior to establishing a connection with that appliance.
- Certificate-based authentication, based on public-key cryptography, augments the administrator-supplied passwords required to connect to an Adonis appliance.
- 128-bit encrypted communication sessions between the Proteus and Adonis appliances protect against packet snooping. Configuration data remains confidential during deployment.
Adonis Remote Management Agent
- Prevents buffer overflow and DDoS attacks, intrusions, and resource abuse on Adonis appliances.
- Enforces data integrity and flow control by using a custom wire protocol for server communications.
- Limits the number of incoming connections and provides a configurable ‘timeout’ for connections.
- Adonis’ remote management agent prevents buffer overflow attacks. Further protection is afforded by low-level buffer overflow checking provided by the Java Runtime Environment (JRE).
Jailed Environment for BIND
- Adonis executes the name server daemon within a ‘jailed environment’, with access to only a limited number of system resources. The jailed environment contains only the data that BIND uses – there are no executables or system scripts.
- In addition, BIND runs under user level privileges.
- With these safeguards in place, an attacker – somehow able to compromise BIND – is ‘sandboxed’ within a restricted server directory structure without the privileges required to control the server, or use the compromised daemon to attack other networked systems.
Patch Management
- Older versions of BIND software are vulnerable to attacks that can cause outages in IP-based applications and Internet access.
- Software updates are available within a short period of time of their issuance by the ISC.
- Download critical BIND software updates to Proteus.
- Upload updates to the Adonis appliances.
Active Directory
Active Directory, Microsoft’s implementation of LDAP, provides a means to centrally organize, manage, and control access to IT resources. Used primarily in Windows environments, Active Directory (AD) is a database application providing directory services, authentication, DNS name resolution, and other services.
DNS plays an important role in the Windows network architecture. It provides the name resolution services required by the Windows Domain locator service to connect with AD.
Adonis DNS is certified by Microsoft to interoperate with Active Directory and Windows® DNS services. Adonis performs Dynamic DNS (DDNS) updates to authoritative DNS records without manual intervention or configuration changes. The appliance supports SRV records (per RFC 2782) and configurations that incorporate an AD master.
Adonis Management Console includes an Active Directory Integration Wizard that steps through the process of integrating Adonis with AD. The Console also provides Configuration Migration Tools to easily import existing DNS configurations to Adonis.