…and the problem with relying on Microsoft alone
It’s an interesting problem that we are seeing time and time again.
Companies (and I’m not talking about small ones either) rely on Microsoft to be their IP Address Management tool or their main source of DNS. To be honest, Microsoft is great at a lot of things, but managing a DDI (DNS / DHCP / IPAM) environment is just not one of them... and we haven’t even started talking about security.
There is a great white paper from EfficientIP titled ‘Is Microsoft’s DDI Good Enough?’. But let’s look at this from what we see in the marketplace.
The days of not being able to track IP addresses should be long gone. Unfortunately, this crops up time and time again, and usually it is because users just can’t get the visibility they need out of Microsoft.
IPAM today is also much more than what a spreadsheet can give you.
The IPAM system should be the cornerstone in planning and managing the IP space as well as integrating technologies such as DNS and DHCP.
IPAM should be a fundamental solution that helps with the challenges enterprises face today. A case in point is having visibility into your AWS / Azure / GCP environment as well as your internal DNS or DHCP.
DDI solutions that are worth their weight are able to manage the environment end-to-end, providing unified management of DNS, DHCP and IP addresses together with virtual LANs and device interfaces.
Ultimately, DDI simplifies the processes of design, deployment, and management of the network through policy driven automation.
“An IPAM system must be extensible and have a mechanism to share data with other applications.” (EfficientIP)
Because an IPAM system contains information about all devices, it follows that IP addresses and other IP-related information should be integrated with a firewall-rule system to enforce IP address blocks.
The IPAM system should also integrate with an asset tracking system to associate a device with asset information.
From the many demos and discussions we have had, this statement reflects a recurring requirement.
DNS from Microsoft is, in a word, poor. Zone management is not easy, nor is the ability to enforce standardisation. The whole concept of a SMART environment where master and slaves, multi-master or hidden masters all work cohesively is just not something that Microsoft handles well.
This is the benchmark of a true DDI solution.
What should now come with DNS, but is generally missed, is DNS security. There are no tools in Microsoft to secure DNS, let alone protect it. And this does not mean a next-gen firewall.
We are talking about specific DNS protection against exploits and attacks that are crafted to pass through TCP/UDP port 53, which is always open. This feature is non-existent with Microsoft.
The data in DNS threat reports (2022 IDC Global Threat Report) bears this out: 70% of organisations suffered application downtime, 51% were the victim of a phishing attack and 24% had data stolen as a result of an attack.
Wouldn’t it be good if there was a way to protect against this... well there is, and sadly, whilst it seems to be critical to most organisations, proper DNS security is not deployed.
Another interesting trend is that those who see the issues with Microsoft DNS at times want to leave DHCP with Microsoft. The problem is that Microsoft DHCP has a number of weaknesses in terms of setup and configuration.
Microsoft suits basic needs but certainly isn’t reliable for a high-load or distributed environment. Scalability is an area where Microsoft just can’t keep up with a specific DDI solution.
At the end of the day DHCP performance can critically affect end user devices.
As mentioned above, security is just not part of the Microsoft environment. The ability to quarantine users that are exposed to phishing sites or have malware running and exfiltrating data via DNS port 53 is really what users should be looking at today.
Additionally, being able to have a DNS-specific firewall (with a regularly updated blacklist / whitelist feed) to protect the DDI environment from blacklisted sites is also a fundamental feature of DDI security.
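To make the two capabilities above concrete, here is an added example (not EfficientIP’s or Microsoft’s code) of the detection side of a DNS firewall: it checks each query in a resolver log against a blocklist feed (suffix match, as an RPZ-style hit would), flags queries whose leftmost label looks like an encoded payload (a common sign of data exfiltration over port 53), and names the client addresses a quarantine policy would act on. The log format, the blocklist entries, the `.example` domains and the thresholds are all constructed assumptions for the demonstration.

```python
import math
import re

# Constructed blocklist feed (hypothetical names); a real DNS firewall loads a vendor feed.
BLOCKLIST = {"phish-login.example", "malware-c2.example"}
LONG_LABEL = 32      # labels this long rarely occur in ordinary hostnames
HIGH_ENTROPY = 3.0   # bits per character; encoded payloads look random, hostnames do not

# Constructed resolver log; the field layout is an assumption, not any product's format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.1.2.3 qname=www.intranet.example qtype=A
2024-05-01T10:00:02Z client=10.1.2.3 qname=login.phish-login.example qtype=A
2024-05-01T10:00:03Z client=10.1.2.9 qname=zxq9v2m7kd4p8wl1ytg6hb3ncs5fr0ajeo2kq7mx.tunnel.example qtype=TXT
2024-05-01T10:00:04Z client=10.1.2.7 qname=mail.intranet.example qtype=MX
"""
LINE_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)")

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty label."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def in_blocklist(qname: str) -> bool:
    """True if qname or any parent domain is on the feed (suffix match, like an RPZ hit)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def looks_like_tunnel(qname: str) -> bool:
    """Flag the leftmost label if it is unusually long or unusually random."""
    label = qname.split(".")[0]
    return len(label) >= LONG_LABEL or (len(label) >= 16 and shannon_entropy(label) >= HIGH_ENTROPY)

def classify(qname: str) -> str:
    """Blocklist hits take priority over the tunnelling heuristic."""
    if in_blocklist(qname):
        return "blocked"
    if looks_like_tunnel(qname):
        return "tunnel-suspect"
    return "ok"

def analyse(log: str) -> dict:
    """Map each client IP with a non-ok query to its latest verdict: the quarantine candidates."""
    verdicts = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and (v := classify(m["qname"])) != "ok":  # malformed lines are skipped
            verdicts[m["client"]] = v
    return verdicts
```

In a real deployment the entropy and length thresholds need tuning against baseline traffic, since some CDN and cloud hostnames also carry long random-looking labels.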