Thursday, September 22, 2011

Assigning DNS names to IP addresses

Why is it so important to configure proper DNS names for all IP addresses in use? A few reasons:
  • So that people remember names rather than IP addresses
  • To simplify communication with customers during a troubleshooting session
  • To make it easier to detect and trace possible security events recorded in log files
  • To make ping and traceroute output easier to read
Or, in one sentence: to simplify troubleshooting and system management.


Before reading on, I would recommend having a look at my post describing my view on equipment naming policy.

A few words about domain names. It is widely accepted to use the "company.COM" domain for the corporate web site and email addresses (like "www.company.com" and "vgartvich@company.com"), "company.NET" for the production network/system infrastructure (like "crt01-nyny01.company.net" for a Cisco router), and "company.LOCAL" for internal corporate IT resources which should not be accessible from the Internet (like "wiki.company.local"). This post does not cover the naming of office workstations; I'll probably discuss that later in a separate article.

Since this post is about production infrastructure, I'll use the fictitious "company.net" domain for all DNS name examples.

I'm a big fan of using UPPERCASE letters in host and DNS names: it significantly improves the readability of logs and configuration files.

A regular server typically has the following types of IP addresses assigned:
  • public IP address
  • private IP address for management
  • private IP address for backup transfers (normally via a dedicated Ethernet network)
A regular router typically has the following types of IP address configured:
  • Loopback public IP address used by routing protocols
  • Loopback private IP address for management
  • Public or private IP addresses assigned to broadcast interfaces (with networks of hosts attached to them)
  • Public or private IP addresses assigned to point-to-point (serial) interfaces (normally /30 blocks)
What a DNS name should say about an IP address assigned to a host network interface:
  • What the device's host name is
  • Which kind of network the leg is attached to
  • What is at the other end of the connection (for point-to-point links).
I would recommend using the following domains for the different types of IP addresses:
  • for public IP addresses - "company.net"
  • for private management IP addresses - "VPN.company.net"
  • for backup network IP addresses - "BACKUP.company.net" or "BACKUP.VPN.company.net"
Examples for servers:
  • Public IP address 4.68.94.26 on monitoring server MONITOR01-LSAG01 - assigned DNS name "MONITOR01-LSAG01.COMPANY.NET"
  • Private management IP address 192.168.100.30 on database server DB02-LOND01 - assigned DNS name "DB02-LOND01.VPN.COMPANY.NET"
  • Private backup network IP address 192.168.82.30 on Solr server SOLR02-AMST01 - assigned DNS name "SOLR02-AMST01.BACKUP.COMPANY.NET"

For loopback interfaces on routers the scheme is similar to the one for servers:
  • Loopback public IP address 69.9.33.238 on Cisco router CRT01-DALL01 - domain name "CRT01-DALL01.COMPANY.NET"
  • Loopback private IP address 10.1.20.1 on Juniper router JRT02-CHIC01 - domain name "JRT02-CHIC01.VPN.COMPANY.NET"
When configuring DNS for private IP addresses it is important, for security reasons, to set proper DNS access lists that block access to the internal zones from the Internet; otherwise the internal zones disclose the management and backup topology to anyone who can query them.

For router IP addresses assigned to the different router legs the policy becomes more complicated. To make route traces more readable it is acceptable to split the router name and the site name into separate subdomains. For better network topology visibility it is also convenient to encode the interface name and media speed in a separate label. Using this approach, the interface label that precedes the router and site subdomains is built from the following components:
  • interface speed (like "ge" for Gigabit links and "xe" for 10 Gbps links)
  • interface number in slot-port format (like "2-10" for slot 2, port 10)
  • for VLAN interfaces, the VLAN number in "vlan243" format
Examples of DNS names assigned to router legs:
  • "GE-1-1.CRT01.LGA4.COMPANY.NET" - Gigabit interface 1/1 on Cisco router CRT01 located at NYC site LGA4
  • "GE-4-23.FRT02.SANF03.COMPANY.NET" - Gigabit interface 4/23 on Foundry router FRT02 located on San Francisco site SANF03
  • "VLAN45.LRT02.NYNY01.COMPANY.NET" - interface VLAN 45 on Linux router LRT02 located on NYC site NYNY01
The convention described here is well suited to medium and large deployments where network devices make up no more than 30-50% of the whole system (large network providers normally have more sophisticated naming conventions which also cover the hierarchical structure of backbone/access network devices).

To make sure that all assigned IP addresses are registered in DNS and that the forward and reverse zones are consistent with each other, I recommend creating a small script that ICMP-scans all allocated IP networks one by one and, for each active IP address, performs simple resolution tests in both the forward and reverse zones.
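The consistency check described above, as an added example in Python (my code, not the original post's script). It assumes the fictitious COMPANY.NET domain and the name patterns visible in the post's examples (role+number-site+number for hosts and loopbacks; GE/XE-slot-port or VLANnn, then router, then site for router legs); the zone tables are constructed sample data, and the `ping_sweep`, `system_ptr` and `system_fwd` helpers are my assumptions about how the scan would be wired to a real network and resolver. It goes one step beyond the paragraph by also checking that private addresses land in the VPN/BACKUP subdomains and public ones directly under the main domain.

```python
"""Forward/reverse DNS consistency audit for the naming convention in the post."""
import ipaddress
import re
import socket
import subprocess
from typing import Callable, Dict, List, Optional

DOMAIN = "COMPANY.NET"  # fictitious domain used throughout the post

# Server/loopback names: HOST.COMPANY.NET, HOST.VPN.COMPANY.NET, HOST.BACKUP[.VPN].COMPANY.NET
SERVER_RE = re.compile(
    r"^(?P<host>[A-Z]+\d{2}-[A-Z]{4}\d{2})\.(?P<sub>(?:BACKUP\.)?(?:VPN\.)?)" + re.escape(DOMAIN) + "$")
# Router legs: GE-1-1.CRT01.LGA4.COMPANY.NET or VLAN45.LRT02.NYNY01.COMPANY.NET
LEG_RE = re.compile(
    r"^(?:(?:GE|XE)-\d+-\d+|VLAN\d+)\.[A-Z]{3}\d{2}\.[A-Z]+\d{1,2}\." + re.escape(DOMAIN) + "$")


def ping_sweep(network: str, timeout_s: int = 1) -> List[str]:
    """Return the hosts in `network` answering one ICMP echo (assumes Linux iputils ping)."""
    alive = []
    for host in ipaddress.ip_network(network).hosts():
        rc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), str(host)],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
        if rc == 0:
            alive.append(str(host))
    return alive


def system_ptr(ip: str) -> Optional[str]:
    """Reverse lookup through the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_fwd(name: str) -> List[str]:
    """Forward (A record) lookup through the system resolver; [] when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_convention(ip: str, name: str) -> List[str]:
    """Does the name match the convention, and does its subdomain fit the address type?"""
    addr = ipaddress.ip_address(ip)
    m = SERVER_RE.match(name)
    if m:
        in_internal_sub = bool(m.group("sub"))
        if addr.is_private and not in_internal_sub:
            return [f"{ip}: private address but {name} sits directly under {DOMAIN} "
                    f"(expected the VPN or BACKUP subdomain)"]
        if not addr.is_private and in_internal_sub:
            return [f"{ip}: public address but {name} sits in an internal subdomain"]
        return []
    if LEG_RE.match(name):
        return []  # router legs carry public or private addresses without a separate subdomain
    return [f"{ip}: {name} does not follow the naming convention"]


def check_address(ip: str, ptr: Callable[[str], Optional[str]],
                  fwd: Callable[[str], List[str]]) -> List[str]:
    """PTR must exist, the name it gives must resolve back to ip, and the name must fit the convention."""
    name = ptr(ip)
    if name is None:
        return [f"{ip}: no PTR record"]
    name = name.rstrip(".").upper()  # DNS is case-insensitive; normalise before comparing
    problems = []
    addrs = fwd(name)
    if ip not in addrs:
        problems.append(f"{ip}: PTR -> {name} but forward lookup returns {addrs or 'nothing'}")
    problems += check_convention(ip, name)
    return problems


def audit(active_ips: List[str], ptr: Callable[[str], Optional[str]],
          fwd: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Run the checks over every active address; only addresses with findings are returned."""
    return {ip: p for ip in active_ips if (p := check_address(ip, ptr, fwd))}


# Constructed sample zone data (not real records). Public addresses are the post's examples.
SAMPLE_PTR = {
    "4.68.94.26": "MONITOR01-LSAG01.COMPANY.NET",
    "192.168.100.30": "DB02-LOND01.VPN.COMPANY.NET",
    "192.168.82.30": "SOLR02-AMST01.BACKUP.COMPANY.NET",
    "69.9.33.238": "CRT01-DALL01.COMPANY.NET",
    "10.1.20.1": "jrt02-chic01.vpn.company.net.",  # lower case plus trailing dot: still consistent
    "172.16.5.1": "GE-1-1.CRT01.LGA4.COMPANY.NET",
    "172.16.5.5": "VLAN45.LRT02.NYNY01.COMPANY.NET",
    "192.168.100.31": "DB03-LOND01.VPN.COMPANY.NET",  # stale PTR: the A record has moved
    "10.1.20.2": "WEB03-CHIC01.COMPANY.NET",          # private address filed under the public domain
    "10.1.20.3": "server3",                            # ad-hoc name outside the convention
}
SAMPLE_A = {
    "MONITOR01-LSAG01.COMPANY.NET": ["4.68.94.26"],
    "DB02-LOND01.VPN.COMPANY.NET": ["192.168.100.30"],
    "SOLR02-AMST01.BACKUP.COMPANY.NET": ["192.168.82.30"],
    "CRT01-DALL01.COMPANY.NET": ["69.9.33.238"],
    "JRT02-CHIC01.VPN.COMPANY.NET": ["10.1.20.1"],
    "GE-1-1.CRT01.LGA4.COMPANY.NET": ["172.16.5.1"],
    "VLAN45.LRT02.NYNY01.COMPANY.NET": ["172.16.5.5"],
    "DB03-LOND01.VPN.COMPANY.NET": ["192.168.100.33"],
    "WEB03-CHIC01.COMPANY.NET": ["10.1.20.2"],
    "SERVER3": ["10.1.20.3"],
}
# 192.168.100.99 answers the sweep but has no PTR at all.
SAMPLE_ACTIVE = list(SAMPLE_PTR) + ["192.168.100.99"]


def sample_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_fwd(name: str) -> List[str]:
    return SAMPLE_A.get(name.rstrip(".").upper(), [])


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed data; swap in ping_sweep()/system_ptr/system_fwd for a live network."""
    return audit(SAMPLE_ACTIVE, sample_ptr, sample_fwd)


if __name__ == "__main__":
    for ip, problems in run_sample().items():
        for p in problems:
            print(p)
```

On a live network the same `audit` runs as `audit(ping_sweep("192.168.100.0/24"), system_ptr, system_fwd)`; the resolver callbacks are injected so the checks can be exercised against a zone export or test data without touching production DNS.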

9 comments:

  1. Thanks! Just what I have been trying to define for our infrastructure. You saved me a lot of thinking time :)
