DDI done right—or wrong—can have very real financial impacts on your organization.
A DNS, DHCP, and IP address management (together known as DDI) solution is not only a critical component of your core network services. It is also an opportunity to bring much greater simplicity—and, thereby, long-term cost savings—to a complex, manual network.
However, budgeting for this part of your network infrastructure is hard. There are ROI calculators out there, yes, but do they work? Debatable. Some argue that the math behind them is fuzzy, or that they leave out real costs.
Only you can come up with the answers to make the right spending call for your organization. But BlueCat wants to help you get there.
This post will first define what is meant by DIY versus enterprise-grade DDI. Then, it will examine the right way to approach your DDI solution budget. Next, it will explore all the categories of costs (including the hidden ones) to consider when budgeting for a solution for your organization. Finally, it will touch on why BlueCat is offering up this insight in the first place.
The difference between DIY and enterprise-grade DDI solutions
A DIY solution for managing DDI can take many forms.
Many organizations manage DDI with a simple, out-of-the-box Microsoft DNS solution. It’s the default choice for Active Directory, and for small networks, it probably works fine.
BIND (Berkeley Internet Name Domain), meanwhile, is an open-source DNS server that is still commonly used to manage network infrastructure in enterprises around the world. Administrators often turn to BIND when standing up new networks because it is simple and free. Many like its open nature because it lets them build their own custom tools for specific use cases and operational requirements.
DIY solutions often also include IP address management with an IP address spreadsheet.
Meanwhile, enterprise-grade DDI is a purpose-built, commercial solution that provides a unified platform for DDI management. It gives you centralized visibility and control over all of your DNS traffic. It can support automation, leverage DNS data for security, integrate with third-party tools, extend visibility to the cloud, and optimize routing pathways for DNS traffic.
The right way to approach your DDI solution budget
Some enterprise-grade DDI solution costs are obvious. Direct costs, like licensing or subscriptions, professional services, and administration, are fairly straightforward to cost out. And they can seem pricey when compared to something that’s considered free.
But when it comes to budgeting for DDI solutions, merely calculating direct costs is not the right way to approach it.
This completely misses all the downstream costs (or lack thereof), which are equally important to consider. Many of these costs—or savings—are hidden. They’re far more difficult to capture in a straightforward budget calculation.
During one of BlueCat’s Critical Conversations on Critical Infrastructure, Frank Seesink, a BlueCat customer and senior network engineer in higher education, noted that an organization he worked for realized it was far better not to DIY.
“In the long run, it saved a lot more money,” Seesink says. “But it was hidden money.”
In the end, there is no such thing as a free lunch when it comes to DDI. Enterprises either pay for an enterprise-grade solution or pay to cope with the limitations of a DIY approach such as Microsoft DNS or a homegrown BIND architecture.
Cost categories to consider for a DDI solution
The table below lists the various cost categories for a DDI solution, including the hidden ones, and indicates how each cost is experienced for a DIY approach versus an enterprise-grade solution, relative to each other.
As you review this information, remember to consider it within the context of your own enterprise. The specific scenarios that you encounter will be different than anyone else’s. These tools are intended to help you formulate your own decision for what is best for your organization.
| Cost category | Relative cost: DIY solution | Relative cost: Enterprise-grade solution |
| Licensing and subscriptions | Low | High |
| SIEM tool and other stack component integration | High | Low |
| Other on-premises infrastructure | High | Low |
| Visibility and central control | No | Yes |
Below are more detailed explanations of what each of these cost categories entails, as well as some industry cost figures for points of reference.
Licensing and subscriptions
Solutions like Microsoft DNS seem free because they are included with things you already purchase from Microsoft. But there are real costs to using a solution that is ‘free’. Ditto for homegrown BIND architectures or other DIY approaches.
Meanwhile, for an enterprise-grade solution, licensing and subscription costs can be fair and flexible relative to your needs. (Granted, some vendors have complicated pricing structures that seem like they’re made to take your money.)
Administration
DNS administration costs are often high for Microsoft DNS or homegrown BIND architectures because they are difficult to automate. As a result, network teams spend a lot of person-hours on DNS-related tickets and regular maintenance. (Patch Tuesday, anyone?)
According to research conducted by IDG, 56% of IT managers said that their network teams were “overwhelmed” with DNS tickets and service requests.
With the average U.S. salary for a network engineer more than $87,000 and the average U.S. salary for a network administrator more than $70,000, the cost for adequately resourcing the demand for fulfilling tickets and service requests adds up.
On the other hand, a centralized DDI solution is built to be automated. Some BlueCat customers have achieved reductions in manual tasks associated with DNS by up to 94%. Team members are freed up to work on more strategic projects.
Professional services and outside support
True DIY approaches don’t come with any professional services or outside support. It’s DIY, after all.
Furthermore, many organizations turn to outside support from managed services as an alternative to DIY. But EMA research found that, for enterprises that consume DDI as a managed service, around two-thirds of them are using Microsoft DNS or homegrown BIND. Managed service providers are probably spending a lot more time—and client money—managing and configuring DDI behind the scenes.
The choice to use an enterprise-grade vendor’s professional services offerings depends on an organization’s internal skills and resources. While there are direct costs, it can result in a well-architected and well-implemented solution.
Even for managed service providers, a purpose-built platform would make better use of their network admin resources, likely lowering your costs.
SIEM tool and other stack component integration
DNS logs can provide a trove of data about what’s happening on your network. With complete information about every query and response on the network, administrators can do more than just see activity—they can gauge intent. As a result, they can root out malicious patterns of behavior or identify infected devices.
Most organizations simply dump all their DNS logs into their security information and event management (SIEM) tool. Doing so eats storage, and often per-gigabyte SIEM ingestion licensing, in a hurry. Furthermore, Microsoft DNS and homegrown BIND architectures have no pre-built integrations with third-party tools like SIEMs, so even getting the logs there is a custom job.
BlueCat customers can take a more efficient approach. With BlueCat’s enterprise-grade solution, an integrated SIEM tool need only ingest DNS logs that have been flagged by certain policies. This reduces data storage requirements (and costs) by as much as 99%.
Other on-premises infrastructure
Most DIY networks don’t make optimal use of infrastructure resources because of their inevitably messy architecture. As a result, more often than not, enterprises end up paying for more infrastructure than they need.
For example, one customer reduced their virtual machine server hosting needs by nearly 90% after migrating to BlueCat. Their network was cleaned up and optimized during the migration process, which allowed them to shed some bloat.
Cloud
Research conducted by EMA found that not aligning cloud and network teams leads to security, compliance, operations, and business-level consequences. In fact, 72% of enterprises fail to get a full return on their cloud investment.
With Microsoft DNS or a homegrown BIND architecture, IP address provisioning can be slow. Cloud and DevOps teams get frustrated with the pace and use a corporate credit card to get the resources they need. Now those teams are doing their own routing between applications and on-premises resources, which is hard for network teams to see, and the enterprise is stuck paying for redundant data ingress and egress.
Meanwhile, an enterprise-grade, centralized DDI solution allows for quick IP provisioning, giving cloud and DevOps what they need to innovate quickly. As a result, you can get full visibility into all network traffic paths and optimize them.
Downtime
With a DIY solution, the slip of a finger can result in misdirected traffic that snowballs through chains of connected servers. Microsoft’s DNS tools offer no built-in change history or rollback, so tracing a ‘fat finger’ edit back to its source and undoing it can mean hours or days of downtime.
In an IHS study released in 2016, companies surveyed reported an average of five downtime events each month, with the cost of downtime ranging from $1 million a year for a typical midsize company to more than $60 million for a large enterprise. The main cost of downtime is lost productivity and revenue, IHS reported. The cost to fix the problem itself is usually minor.
Meanwhile, a centralized DDI solution provides visibility into your entire enterprise and role-based access control (RBAC) to help prevent those costly errors. Furthermore, it reduces overall outage risk because it’s easier to manage and scale infrastructure. Enterprise-grade solutions also make it much simpler to investigate root causes and undo mistakes, accelerating your time to remediation.
Security breaches
Microsoft’s DNS tools were not built with security in mind, even though an estimated 91% of malware uses DNS to maneuver through target networks. In general, breaches are more likely to occur with DIY tools because it’s easy to misconfigure something or leave a security hole.
However, when a breach or incident occurs, the patchwork nature of Microsoft DNS also makes it difficult for network administrators to identify, isolate, and mitigate harmful activity.
According to IBM’s annual Cost of a Data Breach Report, the global average total cost of a data breach is $4.24 million.
Meanwhile, enterprise-grade DDI solutions have numerous enhanced security features, reducing the risk of a breach in the first place.
But when one does happen, enterprise-grade solutions make it easy to correlate a source IP address with a DNS query, cutting down on investigation time. You can keep track of who made changes so you aren’t scrambling to map actions to users. Furthermore, you can easily configure and deploy DNS-based security policies to block known malicious queries in real-time.
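The policy-based filtering described in the SIEM section above, and the source-IP correlation mentioned in this paragraph, can be illustrated with a small standalone script. This is an added example, not code from BlueCat, Microsoft, or any DDI vendor; the log format, the blocklist, the NXDOMAIN and entropy thresholds, and the sample log lines are all constructed for illustration. Only events that match a policy (a blocklisted domain, a random-looking label of the kind domain-generation algorithms produce, or a burst of NXDOMAIN answers to one client) are forwarded, and the flagged events are then grouped by client IP so an investigator can see which hosts triggered which policy without scanning the raw log.

```python
"""Policy-filtered DNS log forwarding with source-IP correlation.

Added example, not code from BlueCat or Microsoft. The log format, the
blocklist, the thresholds and SAMPLE_LOG below are all constructed.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed log format, one query per line:
#   <unix_ts> <client_ip> <qname> <qtype> <rcode>
SAMPLE_LOG = """\
1700000000 10.1.4.20 www.example.com A NOERROR
1700000001 10.1.4.20 login.microsoftonline.com A NOERROR
1700000002 10.1.4.31 cdn.example.net AAAA NOERROR
1700000003 10.1.4.31 update.example.org A NOERROR
1700000004 10.1.4.77 bad-c2.example A NOERROR
1700000005 10.1.4.31 mail.example.com MX NOERROR
1700000006 10.1.4.90 x7k2q9w1e4r8t3y6u0i5o2p.example.net A NXDOMAIN
1700000007 10.1.4.90 a1b2c3d4e5f6g7h8i9j0k1l2.example.net A NXDOMAIN
1700000008 10.1.4.90 zz9y8x7w6v5u4t3s2r1q0p.example.net A NXDOMAIN
1700000009 10.1.4.20 www.example.com A NOERROR
1700000010 10.1.4.90 m3n4b5v6c7x8z9l0k1j2h3g4.example.net A NXDOMAIN
1700000011 10.1.4.31 intranet.corp.example A NOERROR
"""

# Constructed policy inputs; a real deployment would feed BLOCKLIST from
# threat intelligence and tune the thresholds against its own baseline.
BLOCKLIST = {"bad-c2.example"}
NXDOMAIN_BURST = 3      # NXDOMAIN answers to one client before we flag it
LABEL_MIN_LEN = 16      # labels shorter than this are never "DGA-like"
ENTROPY_MIN = 3.5       # bits per character; random-looking labels score high


@dataclass(frozen=True)
class DnsEvent:
    ts: int
    client: str
    qname: str
    qtype: str
    rcode: str


def parse(log: str) -> list[DnsEvent]:
    """Parse the constructed log format into DnsEvent records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        events.append(DnsEvent(int(ts), client, qname.lower().rstrip("."), qtype, rcode))
    return events


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: 'aaaa' -> 0.0, random base36 -> about 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def flag_events(events: list[DnsEvent]) -> list[tuple[DnsEvent, list[str]]]:
    """Return only the events that some policy matched, with the reasons."""
    flagged = []
    nxdomain_per_client: dict[str, int] = defaultdict(int)
    for ev in events:
        reasons = []
        if ev.qname in BLOCKLIST or any(ev.qname.endswith("." + d) for d in BLOCKLIST):
            reasons.append("blocklist")
        first_label = ev.qname.split(".")[0]
        if len(first_label) >= LABEL_MIN_LEN and shannon_entropy(first_label) >= ENTROPY_MIN:
            reasons.append("dga-like-label")
        if ev.rcode == "NXDOMAIN":
            nxdomain_per_client[ev.client] += 1
            if nxdomain_per_client[ev.client] >= NXDOMAIN_BURST:
                reasons.append("nxdomain-burst")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def clients_by_reason(flagged) -> dict[str, set[str]]:
    """Correlate each policy hit back to the source IPs that triggered it."""
    out: dict[str, set[str]] = defaultdict(set)
    for ev, reasons in flagged:
        for reason in reasons:
            out[reason].add(ev.client)
    return dict(out)


def reduction_ratio(events, flagged) -> float:
    """Fraction of log lines the SIEM never has to store."""
    return 1 - len(flagged) / len(events)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = flag_events(evs)
    for ev, reasons in hits:
        print(f"{ev.ts} {ev.client:<10} {ev.qname:<40} {','.join(reasons)}")
    print(f"forwarded {len(hits)} of {len(evs)} events "
          f"({reduction_ratio(evs, hits):.0%} dropped)")
    print(clients_by_reason(hits))
```

On the constructed sample, 5 of 12 lines are forwarded and the rest are dropped before they reach the SIEM; the NXDOMAIN burst policy only fires once the third miss from 10.1.4.90 arrives, so a client that merely mistyped one hostname is never escalated. The entropy test is deliberately gated on label length so that short, legitimate hostnames cannot trip it.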
Compliance
Whether it’s adhering to payment card industry (PCI) or NIST 800-171 cybersecurity standards, compliance can take many forms. But no matter your industry, Microsoft DNS and homegrown BIND architectures make it difficult to demonstrate compliance, because the logging, change tracking, and access controls auditors ask for are not there out of the box.
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recently released guidance for using protective domain name system (PDNS) services to curb cyber threats. The guidance also lists several providers, BlueCat among them, for organizations to consider. Microsoft DNS? Not on the list.
While there is no single, silver-bullet solution to meet all of an industry’s compliance requirements, an enterprise-grade DNS solution checks several compliance boxes to lower your risk of audit penalties or business interruptions.
Employee turnover
High-stress environments that demand too much of skilled technical employees (and, in the case of DIY manual work, offer too little that is interesting) breed turnover.
The annual Work Institute Retention Report puts the cost of turnover at 30% of salary. Using the average salary figures of $87,000 for a network engineer and $70,000 for a network administrator, that’s between $21,000 and $26,100 in turnover costs for each employee lost.
On the flip side, an easy-to-manage enterprise-grade solution can keep your technical staff from drowning in rote tasks. Instead, they can engage in more strategic, high-value work, which encourages them to continue their career with you.
Latency
Complex, overlapping zones in Microsoft DNS often lead to latency and dropped connections. Because Active Directory-integrated zones replicate on the AD replication schedule, it can sometimes take several hours for IP address changes to propagate through a Microsoft-based DNS deployment spread across multiple regions.
Meanwhile, centralized DDI solutions make it easier to keep a network well-organized. Routing can be arranged much more efficiently, reducing latency.
Visibility and central control
As Microsoft DNS and other homegrown architectures evolve, so does complexity, putting more strain on the system. Information inevitably gets lost in the shuffle. Overlapping or non-standard data bogs down efficiency. Queries end up routed in odd ways that negatively impact network performance.
DNS records that are misconfigured, stale, or incorrectly deleted can halt network traffic altogether. In particular, deleting records can be a scary prospect with DIY. As the impacts of deletions or scrubbing records are largely unknown, it’s often avoided altogether.
Meanwhile, an enterprise-grade DDI solution provides single-pane-of-glass visibility and centralized control of DNS, DHCP, and IP address management. Admins can find lost information and reduce or eliminate overlapping or non-standard data. A single point of truth can identify and correct broken DNS records, keeping queries humming. A centralized management platform enables a strategic view to centralize operations.
Automation
Beyond administrative savings, every enterprise places some level of value on the upside of automation.
However, Microsoft DNS tools offer little automation beyond command-line scripting (dnscmd and PowerShell cmdlets that your own team has to write and maintain), with no workflow, approval, or integration layer. Many network managers have their hands on keyboards, performing repetitive, error-prone network configuration and provisioning tasks. Performing these processes manually consumes valuable IT resources.
An enterprise-grade DDI solution automates many everyday network tasks and functions, taking the repetitive, time-consuming work off of your network team’s hands. This could include the ability to stand up and tear down domain names quickly or leverage APIs.
Furthermore, with automation workflows, applications, and plugins, you get the most use out of your existing infrastructure by integrating DDI with the applications and services you already use.
Why we are sharing this advice
For many organizations with massive network complexity, a DDI solution can make long-term financial sense.
In the end, there is no such thing as free DDI. Enterprises either pay for an enterprise-grade solution or pay to cope with the limitations of a DIY approach such as Microsoft DNS or a homegrown BIND architecture.
Regardless of how ready you are to invest in a DDI solution, you should at least know your options. This information can shed more light on all the direct, downstream, and intangible costs involved. It will also help you put a number on the savings and ROI it can bring to your organization.
In fact, if you call BlueCat, we’ll help you dig even deeper into the numbers to figure out whether an enterprise-grade solution is right for you.
Ready to ask questions about the cost of a BlueCat solution? We’re ready to help.
PS: If you’re looking for guidance on what questions to ask a potential DDI vendor, or how to talk to your boss about buying a DDI solution, we’ve got some suggestions for that, too.