Zen and the Art of Naming Conventions-aliases

by Ed Fisher on 2010-05-12

in Architecture


As a follow-up to our post on naming conventions, today let’s talk about the aliases that every company should populate in DNS and use internally. These aliases are for well-known and well-used services that might move from server to server over time. By placing CNAMEs in DNS, and promoting their use through published standards, best practices, and the judicious use of the hose, we can make everyone’s life easier. We can also migrate services with little to no impact or service interruption. By specifying easy-to-remember aliases, you’ll find that folks who need to use these services, but don’t have administrative duties supporting them, will have a much easier time remembering them, and you will be able to move the services as necessary without having to go back and reconfigure systems.


RFC 2219

RFC 2219, Use of DNS Aliases for Network Services, discusses this, and the RFC is categorised as a Best Current Practice for a reason. It makes good sense, eases configuration, and helps users. Sounds like it’s full of win to me. I do depart from the RFC in a couple of instances, based on the more commonly interpreted meanings of a couple of the names listed below. Read on for more.

CNAME or A record?

Strictly speaking, you should be adding CNAMEs to DNS and pointing them at the A record of the host that provides the service. Unfortunately, a name can carry only a single CNAME record, so if you have two or more servers offering the same service (fault tolerance, load, anything AD based) you will have to bend the rules and use A records.

What services do I want to alias?

These can be divided into two groups: those for end users, and those for IT administrators. The first group may include records for both internal and external use. The second group will probably only matter to various systems admins, but may be even more important, since those are the ones who might hard-code IP addresses into config files, or create other little landmines…I mean, workarounds that will come back to haunt you in the future.
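Those hard-coded addresses are also the easiest landmine to sweep for before a migration. The script below is an added example, not something from the original post: it scans configuration text for dotted-quad literals and, for each one, looks up which alias the address currently sits behind. The address-to-alias map, the example.com names and the sample config are all constructed; in practice the map would come from an export of your internal zone.

```python
"""Find hard-coded IP literals in configuration text and suggest the
DNS alias that should be used instead.

Added example, not from the original post. The address-to-alias map
and the sample configuration are constructed; in practice the map
would come from an export of the internal zone.
"""
import ipaddress
import re

# Constructed: what the internal aliases currently resolve to.
ALIAS_FOR_ADDRESS = {
    "10.0.2.30": "smtprelay.example.com",
    "10.0.3.1":  "ldap.example.com",
    "10.0.3.2":  "ldap.example.com",
    "10.0.1.10": "sharepoint.example.com",
}

# Constructed sample config, the kind of file an admin leaves behind
# when a server is set up in a hurry. Line 7 is a version string that
# merely looks like an address; the audit reports it as unmapped so a
# human can dismiss it.
SAMPLE_CONFIG = """\
# backup appliance mail settings
smtp_server = 10.0.2.30
ldap_uri = ldaps://10.0.3.1:636
ldap_backup = ldaps://10.0.3.2:636
portal = http://sharepoint.example.com/sites/ops
listen = 0.0.0.0:8080
version = 3.2.1.4
"""

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_hardcoded(text, alias_map=ALIAS_FOR_ADDRESS):
    """Return (line_no, literal, suggested_alias) for each routable IPv4
    literal in text; suggested_alias is None when no alias covers it."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for match in DOTTED_QUAD.finditer(line):
            literal = match.group(0)
            try:
                addr = ipaddress.IPv4Address(literal)
            except ValueError:   # e.g. an octet above 255
                continue
            if addr.is_unspecified or addr.is_loopback:
                continue         # bind-all and localhost are not servers to alias
            hits.append((line_no, literal, alias_map.get(literal)))
    return hits


def report(text):
    """Format the findings one per line, for a ticket or a commit comment."""
    lines = []
    for line_no, literal, alias in find_hardcoded(text):
        fix = f"use {alias}" if alias else "no alias covers this; verify by hand"
        lines.append(f"line {line_no}: {literal} -> {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run it over a checkout of your config management repo (or a tarball of /etc from the box you are about to retire) and you get a ready-made list of what to fix before the server moves. Unmapped addresses are the interesting ones: either they belong to a service you have not aliased yet, or, as with the version string above, they are not addresses at all.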

So what aliases do we add?

Start with these, and then add to the list anything unique to your environment that I didn’t think of.

| Name | Type | Internal/external/both | Notes |
|---|---|---|---|
| sharepoint | CNAME | both | Alias this to the WFE for your SharePoint site. Use A records if you have multiple WFEs. |
| intranet | CNAME | internal | Same approach as above, especially if you don’t use SharePoint…but that would be silly. Of course you use SharePoint. |
| hr | CNAME | internal | Assumes you have a separate HR portal. |
| vpn | A | external | The bad guys are going to know that you have VPN, and will scan for PPTP/IKE/SSL, so opt for the convenience factor here and connect your clients to vpn.example.com. |
| mail | A | both | Ever had a user whose Outlook client borked, or even worse, whose Notes client bit the dust? Use webmail, internally and externally. |
| smtprelay | CNAME | internal | Point this to your SMTP relay host. This could be A records if you really have more than one SMTP relay agent on your network. |
| smtp | CNAME | both | If you support direct SMTP connectivity to your mail servers. |
| pop3 | CNAME | both | If you support direct POP3 connectivity to your mail servers. |
| imap | CNAME | both | If you support direct IMAP connectivity to your mail servers. |
| autodiscover | CNAME | both | Exchange organisations will want this for the CAS. |
| www | A | both | Folks should access your public-facing website the same way whether they are on the network or off. |
| ftp | A | both | Finding your FTP server is trivial for the bad guys…why make it difficult for your users? |
| ldap | A | internal | Point these to a subset of your domain controllers in the datacenter, close to things that want to do LDAP auth. This gives you an alias for LDAP operations without having devices potentially go to ANY domain controller. Think VPN concentrators, Splunk, and other non-MS based stuff. Site-aware services should just be pointed to the domain FQDN. |
| adfs | CNAME | external | If you are using ADFS, you should make it easy for your partners to find. |
| ntp | CNAME | internal | Set this for your master time server. If you are only using Windows Time Services, resolve this to your PDCe and make sure you enable NTP so that it can provide time to your routers/firewalls/non-MSFT hosts. Just remember w32time, while very good, does NOT guarantee NTP-style accuracy. See this post for more. |
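Two things in that table are easy to get wrong once a server moves: the CNAME-versus-A rule from the section above, and aliases left pointing at a host that no longer exists. The script below is an added example, not part of the original post or of any DNS product: it holds the aliases from the table as two views (internal and external, the way a split-DNS setup keeps them) for the hypothetical domain example.com, checks that every CNAME stands alone at its name and points at something that exists in the same view, and follows an alias to the addresses a client would actually get. All host names, addresses and the two deliberate mistakes in the external view are constructed.

```python
"""Check a set of alias records against the rules described above.

Added example, not from the original post. The zone data is constructed
for the hypothetical domain example.com and is held as two views,
internal and external. Rules checked:
  1. A CNAME must be the only record at its owner name (RFC 1034), so a
     service that runs on several hosts needs A records instead.
  2. A CNAME must point at a name that exists in the same view, so a
     server move does not leave a dangling alias.
  3. resolve() follows an alias to the addresses it ends at, refusing
     loops, so you can confirm what clients will get.
"""
from collections import defaultdict

# Constructed internal view: host records plus the aliases from the table.
INTERNAL_VIEW = [
    ("sp-wfe01",     "A",     "10.0.1.10"),
    ("sp-wfe02",     "A",     "10.0.1.11"),
    ("mbx01",        "A",     "10.0.2.20"),
    ("relay01",      "A",     "10.0.2.30"),
    ("dc01",         "A",     "10.0.3.1"),
    ("dc02",         "A",     "10.0.3.2"),
    ("sharepoint",   "A",     "10.0.1.10"),  # two WFEs, so A records
    ("sharepoint",   "A",     "10.0.1.11"),
    ("intranet",     "CNAME", "sharepoint"),
    ("hr",           "CNAME", "sp-wfe01"),
    ("smtprelay",    "CNAME", "relay01"),
    ("autodiscover", "CNAME", "mbx01"),
    ("ldap",         "A",     "10.0.3.1"),   # subset of DCs, so A records
    ("ldap",         "A",     "10.0.3.2"),
    ("ntp",          "CNAME", "dc01"),
]

# Constructed external view with two deliberate mistakes for the checks
# to find: a dangling alias and a CNAME sharing its name with an A record.
EXTERNAL_VIEW = [
    ("web01",        "A",     "203.0.113.10"),
    ("mbx01",        "A",     "203.0.113.20"),
    ("www",          "A",     "203.0.113.10"),
    ("mail",         "A",     "203.0.113.20"),
    ("autodiscover", "CNAME", "mbx01"),
    ("vpn",          "CNAME", "vpn01"),         # vpn01 no longer exists
    ("smtp",         "CNAME", "mbx01"),
    ("smtp",         "A",     "203.0.113.20"),  # not allowed next to a CNAME
]


def index(view):
    """Group (rrtype, rdata) pairs by owner name."""
    by_owner = defaultdict(list)
    for owner, rrtype, rdata in view:
        by_owner[owner].append((rrtype, rdata))
    return by_owner


def check_view(view):
    """Return a list of problems found in one view; empty means clean."""
    by_owner = index(view)
    problems = []
    for owner, rrs in sorted(by_owner.items()):
        cnames = [rdata for rrtype, rdata in rrs if rrtype == "CNAME"]
        if not cnames:
            continue
        if len(rrs) > 1:
            problems.append(f"{owner}: a CNAME must be the only record at "
                            f"this name; use A records for multi-host services")
        for target in cnames:
            if target not in by_owner:
                problems.append(f"{owner}: CNAME target {target} has no "
                                f"record in this view (dangling alias)")
    return problems


def resolve(view, name):
    """Follow CNAMEs from name to the addresses it ends at.

    Returns a sorted list of addresses, or [] if the chain is dangling
    or loops back on itself.
    """
    by_owner = index(view)
    seen = set()
    current = name
    while current in by_owner and current not in seen:
        seen.add(current)
        addrs = sorted(r for t, r in by_owner[current] if t == "A")
        if addrs:
            return addrs
        cnames = [r for t, r in by_owner[current] if t == "CNAME"]
        if not cnames:
            return []
        current = cnames[0]
    return []


if __name__ == "__main__":
    for label, view in (("internal", INTERNAL_VIEW), ("external", EXTERNAL_VIEW)):
        print(f"{label}: {check_view(view) or 'clean'}")
    print("intranet ->", resolve(INTERNAL_VIEW, "intranet"))
    print("vpn ->", resolve(EXTERNAL_VIEW, "vpn"))
```

The internal view comes back clean, and the external view reports the two planted faults. Feeding it a real zone export before and after a server move is a cheap way to confirm that the aliases, not just the host records, survived the change.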

I hope you find these as helpful as I have. I was going to end this post with a music video from the 80s group Alias, but their label, EMI, is apparently managed by a bunch of ankle-biters, and embedding is disabled, because, you know, exposure is bad, right? However, I did find a collection of bloopers from the show Alias, which I used to really be into. So have a laugh instead of a sing-along.

direct link for RSS and email subscribers…http://www.youtube.com/watch?v=DTsZXnRrtEU

Interesting trivia…Greg Grunberg, long time friend of J.J. Abrams, has been in practically everything Abrams has done. He was unavailable for Star Trek due to scheduling conflicts, but his is the voice of the young James Kirk’s stepfather when he steals the car. <♫> The more you know </♫>

What other aliases do you use in your environment?
