Poll: Curious: a question for IT Professionals about what group should handle DNS

gorfias

Unrealistic but happy
Legacy
May 13, 2009
7,082
1,849
118
Country
USA
Your thoughts:

What IT group handles DNS? Can it be more than one group, a shared responsibility?

Looking forward to your thoughts.
 

faefrost

New member
Jun 2, 2010
1,280
0
0
It doesn't really matter which. But it needs to be restricted and assigned to just one.
 

JustAnotherAardvark

New member
Feb 19, 2015
126
0
0
Me. If I can't resolve it where I need it, I have to dance around various network segments until I can ping the URI I've been given, then access it by IP from the location I need to access it from. :p
 

gorfias

Unrealistic but happy
Legacy
May 13, 2009
7,082
1,849
118
Country
USA
JustAnotherAardvark said:
Me. If I can't resolve it where I need it, I have to dance around various network segments until I can ping the URI I've been given, then access it by IP from the location I need to access it from. :p
Have you ever had to ask a member of your organization to create an URL for you? Do you know anyone who has? Say you try to ping url JustAnotherAardvark.frommyorg and it doesn't answer what you want, 10.10.10.10, can you open a trouble ticket? If so, to what group would that ticket be assigned?
 

Albino Boo

New member
Jun 14, 2010
4,667
0
0
If you are running AD, then theres is high chance that you are using MSDN for DNS. So its who ever runs AD.
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Gorfias said:
What IT group handles DNS? Can it be more than one group, a shared responsibility?
What do you mean by DNS? Is it the top level DNS, so the question is which global group does it? The DNS in your workplace, so which part of the IT department does that? The DNS as a whole, so which group (say, IEEE or a specific subdivision) does the planning and control?
 

Albino Boo

New member
Jun 14, 2010
4,667
0
0
DoPo said:
Gorfias said:
What IT group handles DNS? Can it be more than one group, a shared responsibility?
What do you mean by DNS? Is it the top level DNS, so the question is which global group does it? The DNS in your workplace, so which part of the IT department does that? The DNS as a whole, so which group (say, IEEE or a specific subdivision) does the planning and control?
He mentions active directory in the poll so its workplace DNS.
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
albino boo said:
DoPo said:
Gorfias said:
What IT group handles DNS? Can it be more than one group, a shared responsibility?
What do you mean by DNS? Is it the top level DNS, so the question is which global group does it? The DNS in your workplace, so which part of the IT department does that? The DNS as a whole, so which group (say, IEEE or a specific subdivision) does the planning and control?
He mentions active directory in the poll so its workplace DNS.
He also mentioned Linux which was quite bizarre.

EDIT: Anyway, OT - I don't really know the structure of IT departments, so I am not totally sure, but I guess it depends on what the division between them is. Which, in turn, may be governed by size - at my job, IT is really just a few people so if we did have an issue with DNS, we can contact any one of them in order to sort it out. If it grew, say, twice the size, I guess it would get more focused divisions, so DNS should be with whoever manages the network.

I think if the size was bigger even more focused parts of IT would spring up, so...I suppose by induction I think it would be up to whoever is left in charge of Active Directory. Of course barring any politics or legacy stuff, that is.

But again, I don't know what the structure of a really big IT department would be. It might be more in the domain of somebody else. And if you don't have completely dedicated groups within IT (security, networking, hardware, for example), I think it would be quite fair, and better, if they shared responsibility. For example, the security and the AD (assuming they are different) groups may both have overlapping interests in DNS.
 

Albino Boo

New member
Jun 14, 2010
4,667
0
0
DoPo said:
He also mentioned Linux which was quite bizarre.

The only thing I could think off was running a BIND9 server under Linux. Personally I refuse to run BIND on windows, the GUI overhead defeats the point of BIND.
 

Whoracle

New member
Jan 7, 2008
241
0
0
Inhouse: Whoever handles network operations should have the say of what names get assigned. The guys who run your internal DNS servers are the ones who have to implement your DNS record.

Globally: A shared authority group that is NOT based in any one country.
 

gorfias

Unrealistic but happy
Legacy
May 13, 2009
7,082
1,849
118
Country
USA
albino boo said:
The only thing I could think off was running a BIND9 server under Linux. Personally I refuse to run BIND on windows, the GUI overhead defeats the point of BIND.
The guy that implemented it used BIND and more. Sadly, he had to do it with Windows, but he got the job done.
ITMT, our boxes run on a Linux kernel as well. Knowing Linux to do command line maintenance is a plus.
DoPo said:
...at my job, IT is really just a few people so if we did have an issue with DNS, we can contact any one of them in order to sort it out.
Thanks. Do you have your own in-house DNS or do you use external DNS servers? A big part of the duties we deal with: DHCP and DNS are done in the same set of boxes. If someone has a request (make gorfias.batcave.org point to 10.10.10.10) that group would handle it.

I imagine it would be different if your org uses godaddy.com and wants a presence at Amazon.

Whoracle said:
The guys who run your internal DNS servers are the ones who have to implement your DNS record.
We have a guy saying that this task is done typically by the security group (who handle firewalls). I think he is full of it. From what I'm reading on this thread, any number of groups might be assigned this task.
 

Whoracle

New member
Jan 7, 2008
241
0
0
Gorfias said:
We have a guy saying that this task is done typically by the security group (who handle firewalls). I think he is full of it. From what I'm reading on this thread, any number of groups might be assigned this task.
Well, again this depends. Many Firewall appliances are the DNS server for an internal network, at least in smaller networks, so yeah, in that case the firewqall guys might be the right ones.

Generally, it's a layered process:

Security Guys (not neccessarily the firewall guys, but the ones who make the security policies): They decide on a policy regarding who can request DNS entries. This is because a spoofed DNS entry is a security problem.

Network Guys: They decide on which DNS server (if there's multiple) and in which domain the Entry goes, in accordance with the security policy. Again, this is to limit security issues, and that way you have one single group of people who know what goes on in your network. Also, they might know of conflicts with external DNS entries and how it might affect a whole slew of other people, depending on the infrastructure.

DNS Server Admins: These guys are the ones to actually implement the entry in their server config.

Now, any one person might belong to one or more of these groups, depending on company structure.

The Message flow usually goes like this:

User: "Hey, I want lolwut.company.org to point to my smartphone!"
Network Guy: "Why would you need that? Isn't an /etc/hosts entry (or c:\Windows\system32\drivers\etc\hosts entry) enough?"
User: "Nope, the guys in accounting need to access that, too..."
Network Guy: "OK, Let me check if this is valid per policy." *checks* "OK, strangely enough this IS valid, even though by all means it shouldn't be... well, USER, we're on it." *calls admins* "Hey guys, make lolwut.company.org point to 10.10.10.10 as an A record!"
Admins: "*sigh* As if we didn't have anything better to do... why can't the users do simple stuff like that themselves? *eyeroll* OK, we're done!"
Network Guy: "OK, USER, we're done. Enjoy!"
User then goes on to whine about how it doesn't work, why he needs to setup his smartphone for a static address, etc...
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Gorfias said:
DoPo said:
...at my job, IT is really just a few people so if we did have an issue with DNS, we can contact any one of them in order to sort it out.
Thanks. Do you have your own in-house DNS or do you use external DNS servers? A big part of the duties we deal with: DHCP and DNS are done in the same set of boxes. If someone has a request (make gorfias.batcave.org point to 10.10.10.10) that group would handle it.

I imagine it would be different if your org uses godaddy.com and wants a presence at Amazon.
I do run some sort of in-house DNS but I'm not fully aware of the specifics, actually. From just looking up some stuff it doesn't look like DHCP and DNS are on the same machine for us, but that's only judging from the IP addresses. Still, I think it's safe to assume they aren't. I am fairly sure the internal DNS is only used for lookups to internal resources in the 192.168.0.0/16 IP range, though I may be wrong.
 

Albino Boo

New member
Jun 14, 2010
4,667
0
0
DoPo said:
I do run some sort of in-house DNS but I'm not fully aware of the specifics, actually. From just looking up some stuff it doesn't look like DHCP and DNS are on the same machine for us, but that's only judging from the IP addresses. Still, I think it's safe to assume they aren't. I am fairly sure the internal DNS is only used for lookups to internal resources in the 192.168.0.0/16 IP range, though I may be wrong.
The normal setup is for the internal DNS to use forwarders to resolve external addresses with the well used addresses cached locally.
 

JustAnotherAardvark

New member
Feb 19, 2015
126
0
0
Gorfias said:
JustAnotherAardvark said:
Me. If I can't resolve it where I need it, I have to dance around various network segments until I can ping the URI I've been given, then access it by IP from the location I need to access it from. :p
Have you ever had to ask a member of your organization to create an URL for you? Do you know anyone who has? Say you try to ping url JustAnotherAardvark.frommyorg and it doesn't answer what you want, 10.10.10.10, can you open a trouble ticket? If so, to what group would that ticket be assigned?
Oh, I'm just being Mr Grumpypants about our matrix management setup.

Yes, you pop in a ticket, and it eventually gets over to network services (or whatever 'rebranded' name is being done this month).

Hopefully the cross-department billing is trivial, else it won't be approved and you'll have to wait for the annual budget so you can piggy back it onto someone else's project instead of getting it billed to department infrastructure.

I did mention Mr Grumpypants, didn't I? ;)
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
albino boo said:
DoPo said:
I do run some sort of in-house DNS but I'm not fully aware of the specifics, actually. From just looking up some stuff it doesn't look like DHCP and DNS are on the same machine for us, but that's only judging from the IP addresses. Still, I think it's safe to assume they aren't. I am fairly sure the internal DNS is only used for lookups to internal resources in the 192.168.0.0/16 IP range, though I may be wrong.
The normal setup is for the internal DNS to use forwarders to resolve external addresses with the well used addresses cached locally.
That sounds like what our setup does, with the addition that we do lookup 192.168.0.0/16 as the range spans the globe - we have several offices around the world. We're not, like, massive in staff (as evidenced by the fact we use the smallest private network address space) so mostly each office is given one /24 block for work machines or probably sometimes /23 or /22, if other services are required there, I suppose we may have /24 blocks dedicated to some more specific globally shared resources, e.g., various testing environments. That's as much as I know about our network layout, though and I really only know which /24 block we use in our office - the rest of the useful IPs are either in various documents or...well, in the DNS, so I don't really need to know where they are.
 

gorfias

Unrealistic but happy
Legacy
May 13, 2009
7,082
1,849
118
Country
USA
Whoracle said:
Generally, it's a layered process:
Sounds like your organization is huge. We're not as layered in mine.

The Message flow usually goes like this:

User: "Hey, I want lolwut.company.org to point to my smartphone!"
Network Guy: "Why would you need that? Isn't an /etc/hosts entry (or c:\Windows\system32\drivers\etc\hosts entry) enough?"
User: "Nope, the guys in accounting need to access that, too..."
Network Guy: "OK, Let me check if this is valid per policy." *checks* "OK, strangely enough this IS valid, even though by all means it shouldn't be... well, USER, we're on it." *calls admins* "Hey guys, make lolwut.company.org point to 10.10.10.10 as an A record!"
Admins: "*sigh* As if we didn't have anything better to do... why can't the users do simple stuff like that themselves? *eyeroll* OK, we're done!"
Network Guy: "OK, USER, we're done. Enjoy!"
User then goes on to whine about how it doesn't work, why he needs to setup his smartphone for a static address, etc...
Lol. You should see the kind of looney requests we get. Last one was, can you redirect traffic from the organization website to my laptop? Network: um, no. I mean, we could, but it would cause the end of time and space.

JustAnotherAardvark said:
Yes, you pop in a ticket, and it eventually gets over to network services (or whatever 'rebranded' name is being done this month).
Network Services sounds generic enough. Sounds like the DNS/DHCP architecture need not be in security only. Thanks!
 

Whoracle

New member
Jan 7, 2008
241
0
0
Gorfias said:
Sounds like your organization is huge. We're not as layered in mine.
The process is layered, independent of company size. Even if you're only one guy, that's the steps you go through. Only then you're responsible for every layer, and the question of "who does what" is kinda moot ;)

We're about 125 people spanning two offices, and in the above example, I'm every part of said process apart from the User. If a given department in your organization does more than one of these jobs, adjust accordingly :)

Lol. You should see the kind of looney requests we get. Last one was, can you redirect traffic from the organization website to my laptop? Network: um, no. I mean, we could, but it would cause the end of time and space.
And requests such as these are why I hate not having enough malicious energy to sometimes just do EXACTLY what they say. Let their teensy notebook chew on 10k or more hits/minute with their abysmal upstream on their 16k DLS connection, and when they come back and whine about "the internet being slow", just fall out of the chair laughing, then leave the job for good :)
 

gorfias

Unrealistic but happy
Legacy
May 13, 2009
7,082
1,849
118
Country
USA
Whoracle said:
And requests such as these are why I hate not having enough malicious energy to sometimes just do EXACTLY what they say. Let their teensy notebook chew on 10k or more hits/minute with their abysmal upstream on their 16k DLS connection, and when they come back and whine about "the internet being slow", just fall out of the chair laughing, then leave the job for good :)
In a way, I'm lazy enough NOT to do exactly as asked knowing I'm just going to have to revisit the issue if I don't educate the customer.

I will say, once in a while, I get a name request that appears spelled wrong and I copy and paste it. Not my job to second guess someone. Lot of odd names out there.

Only once in several years has anyone pretended that I got it wrong from the start. But the way they said they wanted it spelled is in the ticket.

Don't get me started on having to educate the customer on what internal, external, and FQD means to begin with. Or someone thinking a DNS name alone can redirect to a sub-directory on a server ie world.org/city/resident.

Educating them does keep me employed though!
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Gorfias said:
Or someone thinking a DNS name alone can redirect to a sub-directory on a server ie world.org/city/resident.
Well, obviously whenever anybody has this request, they actually mean for you to submit an RFC, have it approved and accepted as a new DNS standard, have it be implemented everywhere, so it's actually usable and then do the change they wanted in the first place. If possible, have it done by 5 o'clock today.