It’s a common question: “We just want to gain visibility and control over our existing Microsoft DNS infrastructure, but aren’t quite ready to move to a full enterprise-grade DNS solution. Does BlueCat offer an ‘overlay’ which would allow us to separately manage our core Microsoft DNS?”
The answer is not as simple as it might seem. Having been down this road many times during our twenty years in the business, BlueCat has a hard-won perspective on this which deserves a more detailed explanation.
The overlay temptation
There is a clear pattern when it comes to decentralized models for DNS management. It goes something like this:
- Server teams or Active Directory admins start with a Microsoft DNS as a default solution that meets basic needs.
- The network scales and grows more complex. Mergers, acquisitions, cloud migration, automation initiatives, IPv6 transition, new security and compliance initiatives increase the pressure on back-end DNS management. Patches and custom fixes proliferate.
- The network reaches a breaking point. The torrent of network outages, DNS help desk tickets, complex routing rules, and security challenges becomes untenable.
- IT executives and managers start looking for ways to rationalize and future-proof their DNS infrastructure.
Many network administrators who have been through this cycle believe they can solve the underlying problem of compounding complexity in their DNS by continuing to adjust around the margins. This is what an overlay represents – an attempt to keep the tangle of Microsoft DNS patches and fixes underneath a new UI.
So why isn’t this the ideal solution?
Delaying the inevitable
Overlay solutions fail to address the underlying issue of how the network is architected and managed. They are essentially a Band-Aid which pushes out the necessary decision to abandon a decentralized approach to core DNS services.
How do we know this? First-hand experience.
BlueCat used to offer an overlay system which allowed customers to manage parts of their Microsoft infrastructure as completely independent operating units. Our thought was that network administrators needed a half step toward the ultimate goal of a true enterprise-level DNS solution. If they could prove out the concept with a limited deployment, the full solution would be an inevitable next step.
We quickly discovered that only a system-wide approach to DNS can offer the consolidated DNS architecture which large networks need over the long term. As long as there are separately managed fiefdoms of DNS, DHCP, or IPAM, the network won’t benefit from a single source of truth.
Any network which has outgrown Microsoft DNS will soon outgrow an overlay solution as well. Overlay solutions may provide slightly better functionality and convenience than standard Microsoft DNS, but they are not a substitute for a centrally managed, fully functional DNS. When you have two systems trying to do the same thing, conflicts and dysfunctional networks are the inevitable result. Only a system which offers a true single source of truth for DDI resources will support automation and other higher-level functionality which most large, complex networks require.
To be clear, the problem isn’t Microsoft DNS in and of itself. Microsoft DNS can perform well in the proper context of small, simple networks. The problem is when administrators try to scale that decentralized approach across a large, complex enterprise – a use case which Microsoft DNS was never designed to support.
It’s also necessary to distinguish between interoperability and overlays. Interoperability – orchestrating DNS across platforms and environments – is a necessary component of any DNS architecture. Interoperability creates visibility and resilience across the enterprise, and allows administrators to control the DNS resource implications of disparate applications. This is why BlueCat supports interoperability with Microsoft DNS, Active Directory, BIND, Route 53, and other third party services.
We’ve found as well that a temporary form of interoperability is often necessary when migrating enterprises from a decentralized Microsoft DNS architecture to a centralized BlueCat Adaptive DNS platform. The ability to ingest records from Microsoft DNS and view them in a central location is a huge plus for network admins who are simply trying to get the lay of the land before making a change.
Overlays, on the other hand, attempt to straddle separate DNS management systems. They try (unsuccessfully, in our opinion) to move from mere visibility into actual management of DDI infrastructure. In this situation, the roles and responsibilities for DNS management overlap, creating confusion about which system is truly “in charge”. Overlays defy orchestration – there’s a fundamental conflict over which system operates as the source of truth.
Adaptive DNS is the solution
Given the time, investment, and inherent risk involved in any core services migration, it makes more sense for networks to make a single leap from decentralized DNS to BlueCat’s Adaptive DNS. Incremental approaches simply drag out the pain of trying to manage disparate resources at scale.
For this reason, BlueCat made the strategic decision to move away from overlay solutions. We continue to offer interoperability with Microsoft DNS and ingestion of Microsoft DNS records as a necessary precursor to migration. Yet unlike our competitors we don’t believe that there’s room for two DNS management planes to operate in parallel. We are fully committed to the vision of Adaptive DNS – one that requires a single, unified form of management.
Migrating to an enterprise-level solution opens up a whole new world – one that simply isn’t available for users of overlay solutions. Rationalizing DNS infrastructure dramatically simplifies network operations, reduces the amount of time and effort devoted to DNS maintenance, and paves the way for higher level functionality.
We know that some network administrators still aren’t ready to make that leap to full Adaptive DNS. They think they can continue to patch around a rotting network foundation. Some industry analysts still believe that overlay solutions work, and point to “deployment flexibility” as a reason to prefer vendors who offer this option.
We respectfully disagree. There’s no such thing as partial centralization. Either your DNS is fully centralized, or it isn’t. You either have one source of truth for DDI, or you have multiple sources. Overlay solutions aren’t a long-term fix. In the end, they create more problems than they solve.