Infoblox

Fukuoka University

Infoblox Adopted for the University Information Network for a Second Consecutive Term, Significantly Reducing DNS/DHCP Management Workload and Automating Signing Key Updates for DNSSEC Compliance

POINT
  • The burden of DNS record changes and IP address management is reduced, and the number of setting errors is also reduced.
  • GUI-based ease of operation alleviates staff training and handover issues
  • Providing a safe and secure network by strengthening security with DNSSEC support
Fukuoka University
General Information Processing Center Research and Development Office
Associate Professor
Mr. Akira Sho Fujimura

Stable operation of the DNS server had become difficult, and the DNS service stopped during reloads

Founded in 1934, Fukuoka University has over 80 years of history and tradition. It has a campus of approximately 600,000 square meters in the Nanakuma district in the southwestern part of Fukuoka City. It is one of the leading comprehensive private universities in western Japan, with more than 1,000 students enrolled and two university hospitals.

The Fukuoka University General Information Processing Center (hereafter referred to as the Center) works daily on planning, construction, and operation management related to informatization, with the aim of further developing educational, research, and medical activities and improving operational efficiency. It has a long history, starting from the computer office in 1967, and in 1994 the computer center evolved into an advanced information network and educational research system called "FUTURE" (Fukuoka University Telecommunication Utilities for Research and Education). Since then, the Center has continued to develop a future-oriented advanced communication network and information system environment for students and researchers, with updates every five years.

Among these updates, the move from "FUTURE 3" (updated in 2005) to "FUTURE 4" in September 2010 brought a revolutionary change in the configuration of the DNS/DHCP server. Up through FUTURE 3, standard BIND (free DNS server software) was installed and operated on a Linux server, but this had become a major issue.

Mr. Susumu Fujimura, an associate professor at the Research and Development Office of the Integrated Information Processing Center, Fukuoka University, who has been in charge of introducing FUTURE over the years, explains the situation at that time as follows. "When changing BIND records, center staff used to connect with telnet and perform maintenance using vi commands, but management by command-line input was a psychological burden for staff. Due to regular personnel changes, it was difficult to pass on skills, and since the work was manual, human error occurred, making it difficult to operate the DNS server stably. In addition, security holes were found one after another in BIND, and repairing them also required a lot of time and effort."

IP address management was also performed on the DNS server, so it took a lot of time for visual work such as checking the availability of IP addresses by looking at a large number of zone files, issuing and collecting IP addresses, and so on. In addition, reloading of zone files caused several minutes of downtime, and there were concerns about the impact of DNS server outages.

Abolishing BIND and adopting Infoblox significantly reduced the management burden and human error

After repeatedly considering countermeasures to solve these problems, the Center changed its policy from FUTURE 4 onward: it abolished the BIND server and moved to a dedicated appliance. After researching several products, it chose the "Infoblox-1552-A" (the model at that time), which has DNS server and DHCP server functions, automates network management, and reduces operating costs.

A total of four Infoblox units are installed in server room 1 and server room 2. Two units are used for both DHCP and internal DNS, and the other two are for external DNS. Redundancy is provided by Infoblox's unique high availability function and a load balancer configuration. One of the units installed at the liberal arts center serves as the grid master (management server), and the other three units can be centrally managed via the Web GUI, greatly reducing the burden of record change work and IP address management work. In addition, setting errors due to human error have decreased, and patches are automatically propagated to the other Infoblox units simply by applying them to the grid master.

According to Mr. Fujimura, it was rare in Japan to use appliances for DNS/DHCP servers in university education and research systems. "Since the introduction of Infoblox enabled all operations to be performed using a GUI, there was no need to train staff in UNIX technology and operational skills, which had been a high hurdle, and we were able to reduce the time and burden of handing over responsibility due to personnel transfers. That was a big advantage."

Separation of cache side and content side to realize DNSSEC in FUTURE 5

Five years later, in September 2015, the system was updated to "FUTURE 5". In the evaluation for FUTURE 5, the ease of operation, stability and reliability of Infoblox in FUTURE 4 were highly rated, and the Infoblox family was again adopted for the DNS/DHCP servers. This time, one "Infoblox Trinzic DDI TE-1410" and two "Infoblox Trinzic DDI TE-1420" have been introduced.

The biggest goal of the FUTURE 5 update was to support DNSSEC (DNS Security Extensions), which guarantees the validity of DNS responses. DNSSEC uses public key cryptography and digital signatures so that the cache DNS server can verify that a response from the authoritative DNS server is valid and has not been forged or tampered with. The Center therefore used the TE-1410 as a DNS content server (DNSSEC authority) for both internal and external use, and the TE-1420 units as DNS cache servers and DHCP servers (DNSSEC cache), separating the cache side from the content server side to achieve DNSSEC. In addition, in FUTURE 5, a DNS content server (Linux) is also set up in the public cloud, strengthening the BCP aspect so that operation can continue even in the unlikely event that a problem occurs with the on-campus network.

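To maintain security strength under DNSSEC, the authoritative DNS server must periodically carry out update work such as generating the signing keys used to sign each zone (the key signing key, KSK, and the zone signing key, ZSK) and re-signing the zones. This adds several operational tasks that demand care on top of conventional DNS server operation, and it had been a major obstacle to introducing DNSSEC.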

Infoblox automates most of the updating of signing keys used in DNSSEC, and its ease of operation is a feature not found in other products.

“It has been our long-cherished desire to provide a safe and secure network to students and researchers by introducing state-of-the-art DNSSEC and operating it meticulously. I'm very happy with what we've achieved with 5.”

Automate IPv6 forward and reverse registration with Infoblox DNS host records

In the current FUTURE 5, about 1,500 net-boot thin client terminals can be used in 20 PC classrooms and 11 open terminal rooms based on an advanced on-campus network, as well as about 4,000 DHCP information outlets and wireless terminals. BYOD is also possible through a LAN network, etc., and an environment is prepared in which the Internet and personal files can be accessed from anywhere on campus.

Going forward, the Center will focus on the stable operation of Infoblox, which supports all of this, and will work hard on IPv6 support. Infoblox automatically generates forward and reverse lookups when DNS records are registered, and the Center will make effective use of this function in supporting IPv6 as well.

Mr. Fujimura said, "Infoblox has achieved a stable DNS/DHCP environment with no Macnica failures, has easy-to-understand operation, and has made firmware updates easy. I look forward to continuing to rely on their high technical capabilities and support capabilities."

Macnica also hopes to support FUTURE's future by proposing more diverse solutions in order to realize Fukuoka University's advanced education and research environment.

User Profile

Fukuoka University
Location: 814-0180 Fukuoka City Jonan Ward Nanakuma 8-19-1
Introduction time: September 2015
URL: http://www.fukuoka-u.ac.jp/
History/Overview: It is one of the leading comprehensive private universities in western Japan with over 20,000 students enrolled in 31 departments in 9 faculties and 34 majors in 10 graduate schools on a campus concentrated in the southwestern part of Fukuoka City. Pursuing truth and freedom, spontaneity and creativity through all-round education based on the four founding spirits of prudent thought, moderate moderation, simplicity and fortitude, and positive and enterprising spirit, and the coexistence of the three educational and research philosophies. Nurturing rich human beings and producing many promising human resources who contribute to the development of society.
Introduced product name: Infoblox Trinzic DDI
