Peterborough City Council
About Peterborough City Council
Peterborough City Council (www.peterborough.gov.uk) is a unitary authority providing local government services to 170,000 residents of Peterborough and its surrounding villages, including social care, housing, education, transport and planning. It supports the IT requirements of over 5000 employees.
Reduce time spent on DNS administration and server management
Peterborough City Council previously relied on a DNS server built in-house to manage core IP services for around 500 devices across two sites. Managing DNS on it turned out to be a demanding task: administering records was time-consuming and tedious, and every change had to be supervised by senior staff to ensure no mistakes were made.
Then there was the task of regularly patching both BIND and the server operating system. Peterborough’s Networks and Schools Technical Manager, Paul Barnes, recalls: “Managing our DNS system was the responsibility of a few senior members of our support team. The workload – editing DNS records, configuration for web and e-mail, as well as countless server updates and upgrades to keep the system secure – was all increasingly tedious and time-consuming. We knew that upgrades were vital to our system’s safety but we couldn’t stay on top of all the tasks and often had to forgo server updates to keep up with regular tasks. Ideally we wanted to delegate some of these responsibilities to junior team members, but at the time there wasn’t any easy way of doing this.”
The council was also concerned about the security and reliability of its system. DNS servers are a frequent target for attackers, and users lose working internet access if their queries are answered by a compromised or unavailable DNS server. A poisoned server that started returning attacker-controlled answers, redirecting staff to a look-alike site to harvest login details, would threaten the council’s data security directly. Equally, an outage caused by server failure or operator error would have serious consequences. Both were seen as real risks with the existing setup, and both could be reduced by a more robust solution.
Robust appliances, deployed for security and reliability
To address its concerns, Peterborough City Council sought a solution that would be easy to use and maintain while providing a high level of security and reliability. DNSBOX was the answer.
The council deployed two DNSBOX300 masters and three DNSBOX200 slaves. The masters provide secure, automated management of the authoritative zone data. Two of the slaves answer external queries, one at each of the two main sites, and the third sits in a disaster recovery site. The second DNSBOX300 acts as a failover master, adding a further layer of redundancy.
The DNSBOX feature that first caught the council’s interest was ‘User Groups’, which lets it split the workload between junior and senior staff. Each DNSBOX user logs in with a username and password and is assigned a role. Roles can be defined for access to different parts of the appliance’s services and functions, and a central super-administrator keeps tight control over the rights of the delegated administrators.
As a long-established and stable appliance solution, the DNSBOX300/200 combination also offers a range of features that address the council’s concerns about security and reliability.
Security features include IPsec and TSIG support. The DNSBOX200 slaves communicate with the DNSBOX300 masters and any other primary servers over IPsec VPN connections, so all traffic passing through the tunnels between the units is both authenticated and encrypted. TSIG signs the zone transfers and notifications between master and slave with a shared secret, so a slave only accepts changes to its zone data from a master that holds the key. By default, no one is allowed to take a zone transfer from a DNSBOX200. To allow it, the addresses of the specific servers that may pull a zone must be added to the zone(s) in question as ‘sub-slaves’.
In terms of hardware, the appliance platform uses specially selected carrier-grade hardware and software. The DNSBOX300/200 models run entirely from CompactFlash: there are no disks in the system at all. Two CompactFlash cards are used. One holds the Linux operating system and the application and is mounted read-only, so the OS and application image cannot be altered while the unit is running; the other holds the system configuration and DNS data.
Stable, secure and easy to manage
The solution has made dramatic improvements to the council’s DNS management. All administration is now done through a user-friendly, SSL-encrypted web interface.
“We can now quickly set up domains or make changes to the master and it automatically updates the slaves. Thanks to the user groups feature we can delegate simpler tasks to more junior staff. There are many validation and error checking features that protect us against mistakes. We are also able to track who did what and when – and even undo actions when necessary,” says Paul.
Moreover, the council no longer has to worry about patching BIND for security vulnerabilities itself: ApplianSys issues appliance updates for these soon after they are disclosed.
“The technical team is great: they are very responsive and precise,” comments Paul.
With these security features in place, Peterborough City Council has addressed the security risks that came with its previous system. ApplianSys Support Engineer Matthew Harrodine explains how TSIG and IPsec enhance the system’s security:
“The use of IPsec connections is ideal in environments where the slave units are exposed to the outside world, as the master can be kept inside a secure network with only the IPsec tunnel connecting the servers. As for the TSIG support, it ensures that only secure, authenticated masters can update the slaves. This way zone transfers cannot be sniffed, spoofed or hijacked.”
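To make the two mechanisms concrete (the TSIG-authenticated transfers and default-deny transfer list described in the features section, and the IPsec/TSIG pairing in the quote above), here is an added worked example written for this page; it is not DNSBOX or ApplianSys code. It signs an AXFR request with HMAC-SHA256 TSIG as specified in RFC 8945, verifies it on the receiving side (key name, algorithm, MAC and time window), and applies a default-deny ‘sub-slave’ list. The key name, zone, key bytes and addresses are made-up assumptions. Note the division of labour that the quote relies on: TSIG authenticates the exchange and protects its integrity but does not encrypt it, so confidentiality on the wire comes from the IPsec tunnel between the units.

```python
"""TSIG (RFC 8945, HMAC-SHA256) signing and verification of a zone-transfer
request, plus a default-deny transfer ACL.  Constructed example: the key name,
zone and addresses are made up; this is not DNSBOX code.  Wire names are
handled uncompressed, which is all this example generates."""
import hashlib
import hmac
import ipaddress
import struct
import time

KEY_NAME = "transfer.peterborough.example."   # hypothetical TSIG key name
ALGORITHM = "hmac-sha256."                     # RFC 8945 algorithm name
ZONE = "peterborough.example."                 # hypothetical zone
FUDGE = 300                                    # clock skew tolerated, seconds
AXFR, CLASS_IN, CLASS_ANY, TYPE_TSIG = 252, 1, 255, 250


def wire_name(name):
    """Canonical wire form (lower-case, uncompressed) of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(buf, off):
    """Parse an uncompressed wire name; returns (name, offset after it)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def axfr_request(zone, msg_id):
    """Unsigned DNS query: header plus one question, <zone> AXFR IN."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", AXFR, CLASS_IN)


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0)
            + wire_name(ALGORITHM) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message, key, now=None):
    """Return <message> with a TSIG RR appended as its last additional record."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(key, message + tsig_variables(now, FUDGE), hashlib.sha256).digest()
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(ALGORITHM) + now.to_bytes(6, "big")
             + struct.pack("!HH", FUDGE, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))
    tsig_rr = wire_name(KEY_NAME) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1   # count the TSIG RR
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def verify(signed, key, now=None):
    """True only if the trailing TSIG RR names our key and algorithm, its MAC
    matches the message, and its timestamp is within the fudge window."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False                                   # unsigned: reject
    off = 12
    for _ in range(qd):                                # skip the question section
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):                  # skip RRs before the TSIG
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    name, off = read_name(signed, off)
    rtype = struct.unpack("!HHIH", signed[off:off + 10])[0]
    alg, off = read_name(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_len]
    off += 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if rtype != TYPE_TSIG or name.lower() != KEY_NAME or alg.lower() != ALGORITHM:
        return False
    if abs(now - time_signed) > fudge:
        return False                                   # stale or replayed
    # The MAC covers the message as it was before signing: original ID,
    # ARCOUNT without the TSIG RR, and everything up to the TSIG RR.
    original = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    expected = hmac.new(key, original + tsig_variables(time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def transfer_allowed(peer_ip, sub_slaves):
    """Default-deny AXFR ACL: only listed addresses or prefixes may pull the zone."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in sub_slaves)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)   # demo secret only
    req = sign(axfr_request(ZONE, 0x1234), key)
    bad = req[:13] + bytes([req[13] ^ 1]) + req[14:]               # alter the zone name
    print("valid:", verify(req, key), "tampered:", verify(bad, key))
```

In practice the slave applies both checks: the peer address must be in the sub-slave list before the TCP connection is even answered, and the TSIG check then ties the transfer to a key held only by the master. Running the script prints `valid: True tampered: False`.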
In the unlikely event of a hardware failure, the configuration and DNS data survive on the CompactFlash card, which can simply be removed and inserted into a replacement unit, so the risk of losing data is greatly reduced. With its failover master unit, the council can keep the service running in the meantime.
Peterborough City Council is very pleased with its DNSBOX solution. It meets the council’s requirements for a stable, secure and easy-to-administer DNS service.