Reaching DNS Nirvana with BlueCat Networks

Reaching DNS Nirvana with BlueCat Networks

Achieve DNS Nirvana with BlueCat

Mike Matchett: Hi. I'm Mike Matchett with Small World Big Data. We're going to talk about something that we've all been using. It's probably the dawn of networking and computing. That is DNS. That's the domain name service. It's fundamental to everything you do on the Internet and even within your local networks.

How is DNS Affected by Complex IT Environments?

Mike Matchett: How do you find one computer or device from another? You use DNS and look it up. But DNS isn't just a fundamental component, it's a key component. And in today's ever complex world of a globally distributed computation networking multiclouds and enterprises that are spanning continents, if not the world, maintaining DNS and keeping it secure for your company is a big challenge.


Mike Matchett: Today, I have Andrew Wertkin who's the chief product and technology officer at BlueCat here today to tell us about enterprise DNS and how you really make DNS bulletproof. And more than that, we're going to find out some of the opportunities that having a good DNS implementation can provide you in terms of looking at security performance and some other things. Welcome, Andrew.


Andrew Wertkin: Thank you very much. Happy to be here.


Mike Matchett: All right. So tell us just a little bit about BlueCat and enterprise DNS and what you guys do fundamentally.

Who is BlueCat Networks? 

Andrew Wertkin: Yeah. BlueCat has been in the DNS business for almost two decades and we're thrilled to have well over a thousand customers that count on us as they provide DNS and DHP services inside of their enterprise. And those requirements have been steadfast over the last 15 or 20 years. We have to provide reliable services. If DNS goes down inside of a large enterprise, everything from the phones to data centers, everything goes down. It's bad. So we prevent that.


Andrew Wertkin: And what's changed over those years and especially over the last five years is how rapidly this stuff needs to change. Normally, when you think of systems that have to be reliable, you want to change them as little as possible. Less change, more reliable, let's just scale it. But now, we have to change this thing and change it rapidly because the business demands during -- I mean it's all about digital transformation. It's about acquiring data, building apps, building services, getting to market quickly and moving workloads around. And in every way you described in your introduction, those things require DNS changes.


Andrew Wertkin: So we have a massive amount of investment and capability to enable automation at scale on our customers, automation from non-expert users. And that's a critical component of our systems today.


Mike Matchett: So I mean you mentioned things like voice over IP and that -- it just got me thinking like we're not just networking computers these days. With the Internet of Things, with the mobile devices, with the more things on the Internet, those all depend on fundamental network functions like DNS. In fact, they all start with DNS, right? So when you say everything, we really do mean everything from the thermometers on the wall now to the elevators to the phones.


Andrew Wertkin: Yeah. There's, of course, alternative peer to peer protocols and everything else but 99.9, I mean the vast majority of network compute out there relies on DNS. And the amazing thing quite frankly about public DNS, you know, we really work in private DNS and bridging to public DNS but this system that was was invented decades ago is scaled to the requirements today. It's pretty remarkable.

The Enterprise View of DNS Traffic 

Mike Matchett: All right. Before we dive into BlueCat's solution in particular, let's just talk a little bit about the vantage point of looking at DNS and DNS data as well. I mean obviously, the changes are important, the rate of change is an important thing. But when we're sitting and we're holding, we're looking at all the DNS stuff that's going through a large organization that has hundreds of thousands of people and who knows how many devices, that's really a critical perspective for looking at things like application performance and enterprise security and the rest of it. And it's not simply the yellow pages lookup. Tell us a little bit about what you can do with that enterprise view of DNS traffic.


Andrew Wertkin: Right. I mean if you had access to every single DNS query from its originating source as opposed to as it was leaving the firewall going to the Internet, if you had access to every query from its originating source, then it allows you to -- it's a proxy for the intent of that device.


Mike Matchett: Okay.


Andrew Wertkin: I don't know it made a connection to point A to point B but I know it wanted to. And there was an intent to and that basically allows you to use that data in a variety of different ways if I can track it all. Part of it, as you said, is application performance. I mean it's amazing how many times DNS is stopped right in the middle of that performance problem and that because the way it was coded or where that zone is in the enterprise, you're doing tons of queries something on the other side of the world, there's high latency. Maybe I can change this or change this. Lots of different ways to look at it but it is a rich source of information that's small in nature yet there's in a large organization, billions if not trillions of queries every year. But it's -- for us, it just means visibility big time and then control.

Updating DNS Attributes in Complex Environments 

Mike Matchett: Control. And so we have the fact that the rate of change is increasing. You're telling me some interesting numbers about in the old days people would do manual updates to DNS. I can remember doing some of those on very small networks myself 30 years ago to what goes on today in terms of thousands and thousands of DNS updates and they all have to be bulletproof, right. They can't -- you can't just let anybody make any change. But you can't have a single choke point of a manual person doing it.So how do you balance that?


Andrew Wertkin: Yeah. And it's for sure. And I've got to delegate to the many so that tons of changes can happen. And yet, as you said, I don't wanna give anybody access to the button that's going to take down the system or it's going to miscue the system. And so therefore, I've got to take the complexity out of it.


Andrew Wertkin: A user wants to add a new host record, delete a new host record, add a new zone. There's higher level concepts of what they want to do where all of those can be abstracted at a simple web page level or at an API level so they can be done at scale. If I'm deploying a new network, that network might be of a certain type.


Andrew Wertkin: Let's say it's segmented. Therefore, it gets these DHCP options. Therefore ,it has these ACLs and DNS. It could end up being 30 or 40 steps inside of a management system. But if I can expose all of that with one API saying create a network with this security classification, automate everything else. That's what I mean by business level API as opposed to a low level API that requires knowledge of the inner workings of the vendor systems. Ironic as it might be, I work with our customers and I tell them you should build business focused APIs on BlueCat so it would be easier to replace BlueCat. Like you shouldn't have to teach your internal employees a vendor specific API, it's bad for you. So it should be about business APIs.


Mike Matchett: You make your own domain specific language so to speak and really own that at a business value, a language level, and then you could replace the infrastructure underneath that A point in the future which is really a great thing. And I.T. automation is one of the top initiatives every year perennially and we see it now today as much as ever.

The Role of Automation in DNS Availability 

Mike Matchett: One of the things that comes up with DNS that is this idea that -- and, of course, we're talking about rate of change of what's in the DNS but there's this rate of change also of the network functionality itself and how often you can patch and upgrade a DNS server. The thing's got to be rock solid. You never want to touch them. But now you guys are helping customers do something faster with bringing their DNS architecture forward.


Andrew Wertkin: Right.


Mike Matchett: What does that involve?


Andrew Wertkin: Yeah. I mean we look at the SLA is getting more and more narrower. Like the amount of downtime they can stay with DNS is absurdly low. And our systems architect in general so you would never have to take down every single node, it should be deployed in a way where one node or another is available. But if we want to implement more capability to add more value to our customers, then they need to be willing to upgrade the system more often. If upgrading the system requires some sort of maintenance window, then we're lucky if they upgrade every six months. We would love them to upgrade every or add new capabilities whenever we've made them available.


Andrew Wertkin: So we've delivered capability that allows for in-service upgrades so the system can be upgraded in a failsafe way where there's not a loss of service during the process of upgrading a DNS server. It's up for the majority of time and we -- well, for the complete time. And we do that in a way where we can all sort of roll through so you're not putting the entire state of risk at once. And where our customers are using things like any cast along with DNS, you can even use routing to help with that process as well to make sure that queries are steered appropriately.

Cybersecurity, Anomaly Detection in DNS 

Mike Matchett: Right. So we can now deploy -- we can agile -- we can be more agile. We can now deploy upgrades. We can also deploy some new functionality I'm hearing. And some of that new functionality as it's emerging has to do in one sense with cyber security stuff that's fascinating. We do have a lot of time to go into it in this thing today. But just tell me quickly what kinds of cyber security things you guys are doing and helping your customers with because you do sort of some remote management. What are some of the analytics that you help people look out now?


Andrew Wertkin: Yeah. We look for behavior that looks risky. We look for things that have indicators are compromised. That's the easy stuff. You're looking at domains that are known to be compromised but we're also looking at other heuristics. We're looking at things like frequency analysis. We're looking at for things like DNS tunneling or domain to look computer generated. Or in some of our customers cases, the geolocation of the IP address of the response is of interest to them because where the server is matters for instance or who registered the specific domain.


Andrew Wertkin: So we're -- yeah, we're -- we think DNS is highly relevant to the cyber security team. And the cyber security team usually has a lots of asks along these lines. And so for them, the data doing some analyst in analytics and also providing control point, we think we can add value. We can increase the security posture of our customers.


Mike Matchett: So in 18 years, you've gone from being just kind of lookup Yellow Pages service for computers to something that's really sitting at the central point of understanding the behavior and the posture of the entire enterprise, which is just fascinating to me.


Andrew Wertkin: Yeah. As we say, the market's coming to us.


Mike Matchett: All right, Andrew. Where should someone go if they want to learn a little bit more about DNS, a little bit more about enterprise DNS, and if they should be taking a stronger posture with their DNS? I assume you have a website but is there some specific things you'd recommend people look at?


Andrew Wertkin: Yeah. Look at for sure. And we are trying to do more and more videos, more and more recorded webinars trying to get information out there in more interactive ways. And you'll see plenty of that in our content.


Mike Matchett: All right. Well, thank you, Andrew for being here today.


Andrew Wertkin: Thank you for having me.


Mike Matchett: And thanks for watching. We'll definitely have some more spots talking about security. I'm just excited by DNS again. So keep on watching. I'm sure we're going to talk about more network functionality coming soon. Thanks.