Reliable and Resilient DNS and DHCP Core Services
BlueCat Networks’ Adonis is a powerful DNS and DHCP solution that reduces the time and effort required to manage core network services. Available as either a physical or virtual appliance, Adonis is purpose-built to deliver DNS and DHCP services with the highest levels of performance, scalability and availability. Adonis seamlessly integrates with BlueCat Networks’ Proteus IP Address Management (IPAM) platform to provide a complete IPAM, DNS and DHCP solution. With advanced features and functionality, as well as future-ready support for IPv6 and DNSSEC, Adonis is designed to meet the business-critical DNS and DHCP needs of any organization.
Benefits
- Deliver business-critical DNS and DHCP services with 99.999% availability
- Safeguard DNS services against exploits and attacks
- Simplify the provisioning of hosts and IP addresses in physical, virtual or cloud environments
- Lowest cost of implementation with simple, intuitive wizard-driven set-up and deployment
- IPv6-ready out of the box – support for DNS and DHCP in IPv4 and IPv6
- Future-ready support for DNS Security (DNSSEC) and DNS Anycast
Efficient Core Services Delivery
Simplified Address and Host Provisioning
Adonis simplifies the management of core services by combining DNS and DHCP and integrating the two services into a single management interface. Updates made to DNS from a client or server will update DHCP and vice versa. You can also handle both IPv4 and IPv6 networks on the same Adonis appliance. This unified view keeps DNS and DHCP systems synchronized, allowing Adonis to relieve the administrative burden of trying to manually ensure data integrity. In addition, Adonis provides the ability to easily add and configure new servers so your organization can scale to support growing network demands.
Active Directory Integration
Adonis easily integrates with Microsoft Active Directory, ensuring that all necessary Service records are published correctly within DNS to identify the location of Active Directory services. BlueCat Networks is a Microsoft Gold Certified Partner, demonstrating integration with Active Directory along with our ability to manage and control Microsoft DNS and DHCP services.
Support for BIND Views
This feature enables a single Adonis DNS name server to return a different response, based on the origin of the query. For example, the Adonis appliance will return an intranet response if a query originates from within your organization or an external address if the query came from an external IP address.
Built-in TFTP Server
The Adonis integrated TFTP server simplifies firmware distribution and the management of VoIP networks.
Integrated Network Time Protocol (NTP) Server
The Adonis NTP server sets and maintains an authoritative 'system time' for the Adonis appliance and other devices on your network.
High Availability and Resiliency
DNS Crossover High Availability (XHA)
In a DNS XHA configuration, two Adonis appliances are deployed as an active-passive high availability pair. You can deploy DNS primary servers, secondary servers, or even caching servers in an XHA configuration. The two Adonis appliances share an IP address that DNS clients use for queries. The appliances connect over the network to keep the passive unit apprised of the 'health' of its active partner. If the active appliance fails, control is transferred to the passive unit and it assumes the active role. When the original active unit is restored, it takes on the passive role.
'Self Healing' Utility
Adonis DNS appliances feature a Self Healing utility that ensures a valid configuration exists before a passive Adonis appliance joins an XHA cluster. It guarantees that the passive unit is always synchronized with its active partner, even if the passive appliance was unavailable at the time the active unit was configured. The utility also provides repair tools to resolve broken XHA configurations, and ease swap-out of either appliance in the cluster, should replacement be required.
DHCP Failover
DHCP Failover provides protocol-level redundancy for DHCP network services. DHCP pools are divided between two Adonis appliances which function as active-active peers. The peers communicate with each other to maintain a common pool of IP address leases. Each peer assesses the other's state and if one appliance fails, its peer can readily continue in its place. Because both peers maintain common information, failover and load sharing are transparent to DHCP clients. Failover Adonis servers may be placed on different subnets or on opposite sides of a WAN link to provide distributed services with full geographic fault tolerance.
Security
Hardened Linux Kernel
Adonis security begins with a hardened Linux operating system kernel. All non-essential OS services and network service daemons have been removed. In addition, all required modules have been compiled into the kernel to help ensure that rogue modules cannot be easily inserted. The firewall and IP stack have been hardened and the BIND and remote control daemons are started with control scripts, instead of the inet daemon. These modifications provide greater control over what services are running and when they are started. Collectively, they harden the Adonis DNS/DHCP platform against attack.
DNSSEC
Adonis provides the ability to secure DNS data through DNSSEC, allowing organizations to both serve and validate DNS information to ensure the authenticity and integrity of DNS records and servers being accessed.
Integrated Firewall
The Adonis firewall blocks all incoming non-essential service requests, including harmful ICMP messages. Only essential ports, including 53 (DNS), 67 (DHCP) and 10042 (client/server control), are exposed, limiting the appliance's exposure to non-essential traffic. The integrated firewall has a negligible impact on performance (~0.5%).
DHCP MAC Filtering
Adonis maintains a list of authorized MAC addresses and distributes IP leases only to devices with addresses on the list.
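The following dhcpd.conf fragment is an added illustration of the protocol-level DHCP failover and MAC-based client filtering described above; it is not BlueCat's code, and the page does not state that Adonis exposes this syntax. It uses ISC DHCP's failover configuration (assumed here because the page names the ISC as the source of the BIND software) with placeholder addresses and MAC values. The `split 128` line divides the shared pool evenly between the two active-active peers, `mclt` bounds how long a peer may extend a lease while its partner is unreachable, and `deny unknown-clients` refuses leases to any device without a matching `host` entry.

```conf
# Added example (not from the page). Primary peer's dhcpd.conf.
# Addresses and MACs below are placeholders.
failover peer "adonis-pair" {
    primary;                       # the other appliance declares "secondary;"
    address 10.0.0.1;              # this appliance
    port 647;
    peer address 10.0.0.2;         # partner appliance, may be on another subnet/WAN side
    peer port 647;
    max-response-delay 60;         # seconds without a message before the peer is assumed down
    max-unacked-updates 10;
    mclt 3600;                     # maximum client lead time (primary only)
    split 128;                     # primary handles half of the hash space (primary only)
    load balance max seconds 3;    # answer for a down peer after 3 s of client retries
}

# Authorized devices: only these hardware addresses receive leases from the pool below.
host printer-01 { hardware ethernet 00:11:22:33:44:55; }   # placeholder MAC
host phone-07   { hardware ethernet 00:11:22:33:44:66; }   # placeholder MAC

subnet 10.10.0.0 netmask 255.255.255.0 {
    option routers 10.10.0.1;
    option domain-name-servers 10.10.0.53;
    pool {
        failover peer "adonis-pair";   # both peers hand out leases from this range
        deny unknown-clients;          # MAC filtering: no host declaration, no lease
        range 10.10.0.100 10.10.0.200;
    }
}
```

The secondary peer carries the same `failover peer` block with `secondary;` in place of `primary;`, the `address`/`peer address` values swapped, and no `mclt` or `split` lines (those are primary-only). Both peers must hold identical `host` declarations, or a client accepted by one peer will be refused by the other.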
Pre-Admission Access Control
Adonis DHCP interoperates with popular authentication and directory services such as LDAP, RADIUS, Active Directory and Kerberos to authenticate end users. Adonis assigns IP addresses only to those users who have been properly authenticated. Pre-admission access control can be used to control users' access privileges (e.g. authenticated users may be restricted to pre-determined subnets). This measure reduces network congestion and helps organizations comply with security policies.
Support for Transaction Signatures (TSIGs)
Transaction Signatures employ a ‘shared secret’ – a symmetric cryptographic key – that allows primary and secondary DNS servers to authenticate each other. TSIGs ensure the integrity of DNS zone transfers – either the primary or secondary server can determine if transaction data has been modified en route. TSIGs complement access control lists to restrict DNS zone transfers to explicitly authorized secondary servers. Only holders of the TSIG shared secret are granted zone transfers, making it extremely difficult for an attacker to spoof the identity of a secondary server. Adonis TSIG support helps ensure that DNS information purporting to be from a certain server is actually from that server. TSIGs can also authenticate DNS clients and recursive name servers.
Masked BIND Version Number
Network administrators can configure the exact response they want returned when an Adonis appliance is queried for its BIND version. Masking the BIND Version Number obfuscates sensitive version information from potential attackers.
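The named.conf fragment below is an added example, not BlueCat's configuration, that ties together three of the features described on this page: BIND views (an intranet answer for internal clients, a different answer for everyone else), TSIG-protected zone transfers, and a masked version string. Network ranges, file names and the key material are placeholders; the `secret` value is only base64 of the word PLACEHOLDER and must be replaced with output from `tsig-keygen` before use.

```conf
// Added example (not from the page). Primary server's named.conf.
// Shared secret for TSIG. PLACEHOLDER value; generate a real one with tsig-keygen.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVI=";
};

acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";
    version "not disclosed";        // masked BIND version: answer for version.bind CH TXT
    allow-transfer { none; };       // deny zone transfers globally; re-enable per zone with a key
};

// Internal view: private addresses, recursion for intranet clients.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    zone "example.com" {
        type master;                // "primary" on BIND 9.16+
        file "internal/example.com.db";
        allow-transfer { key "xfer-key"; };   // only TSIG-signed AXFR/IXFR requests
    };
};

// External view: everyone else sees only public records, no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.db";
        allow-transfer { key "xfer-key"; };
    };
};
```

On the secondary, the same `key` statement plus `server <primary-address> { keys { "xfer-key"; }; };` makes BIND sign every transfer request with that key, so an unsigned or wrongly signed request is refused rather than merely ACL-filtered. One caveat when views and TSIG are combined: a secondary that matches `internal-nets` will always be routed to the internal view and receive the internal zone data. To let a single secondary pull both variants, give each view its own key and add `key "<name>"` to that view's `match-clients` list, then have the secondary use the matching key per zone.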
Certificate-based Security
The Proteus IP Address Management solution communicates securely with Adonis appliances via SSL. Mutual, certificate-based authentication, based on public-key cryptography, allows Proteus to verify the identity of an Adonis appliance (and vice versa) prior to establishing a connection with that appliance. 128-bit encrypted communication sessions between the Proteus and Adonis appliances protect against packet snooping. Configuration data remains confidential during deployment. Certificate-based authentication augments the administrator-supplied passwords required to connect to an Adonis appliance.
Remote Management Agent
The Adonis remote management agent prevents buffer overflow attacks, intrusions and resource abuse on Adonis appliances. This feature enforces data integrity and flow control by using a custom wire protocol for server communications. The agent limits the number of incoming connections and provides a configurable 'timeout' for connections. Further protection is afforded by low-level buffer overflow checking provided by the Java Runtime Environment (JRE).
Jailed Environment for BIND
Adonis executes the name server daemon within a 'jailed environment', with access to only a limited number of system resources. The jailed environment contains only the data that BIND uses – there are no executables or system scripts. In addition, BIND runs under user level privileges. With these safeguards in place, even if an attacker is somehow able to compromise BIND, he/she is 'sandboxed' within a restricted server directory structure without the privileges required to control the server or use the compromised daemon to attack other networked systems.
Patch Management
Adonis appliances are updated regularly to address new vulnerabilities, reducing the time and effort required to monitor CERT vulnerability advisories and OS patches. Critical BIND software updates issued by the ISC are downloaded to Proteus and can be applied to all Adonis appliances.