Overview
Edge reduces your attack surface. For security architects and IT operations staff that need to limit access to sensitive data and lock down critical systems like cloud apps and services, Edge makes it easy to set policies and eliminate DNS as a threat vector against your AWS cloud environment. Ingest threat intelligence to block access to well-known bad domains.
Edge detects malicious behavior hidden in millions of DNS queries and responses. Cybersecurity teams seeking to detect and stop data exfiltration such as tunneling, beaconing to C2 servers, or evasive techniques such as domain generation algorithms (DGA) use Edge's smart analytics, built on BlueCat's decades of DNS expertise, to spot malicious behavior among all DNS queries across their network.
Edge reduces time to respond and remediate breaches. For incident response teams faced with the challenge of uncovering the lateral spread of an infection and rooting out patient zero in a cyberattack, Edge makes it easy to pinpoint the origination and review the internal and external DNS activity surrounding an incident to reduce the time to resolution.
Edge enforces compliance easily and safely. IT Ops and network admins can easily set policy within Edge to comply with corporate, security or regulatory requirements. Capture DNS data and use Edge to automatically log all DNS queries, originating IP and domain response. For network teams wary of extending access to critical DNS infrastructure, Edge provides the necessary access without risk of disruption.
Edge integrates with leading SIEMs. Integrate with SIEMs like QRadar, ArcSight, and Splunk with the new DNS Edge for Splunk App. Send DNS queries from Edge to correlate with other tools and substantiate findings with other security data and sources.
Highlights
- In a single setup, deploy any number of BlueCat Edge Service Points v4 sharing the same configuration.
Details
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
What's new
Support for configuring SSH login banners
Service Point v25.2 introduces support for configuring an SSH login banner when logging in to the Service Point through the CLI.
Support for BlueCat Gen 5 appliances
Service Point v25.2 introduces support for provisioning Service Points on BlueCat Gen 5 appliances. You can now provision your Service Point on the following appliance models:
- BC-2500
- BC-4500
- BC-6500
- BC-8500
Improved Service Point health reporting
Service Point v25.2 expands on the current health status reporting to include the following checks:
- Disk Utilization: checks if any of the disk partitions are highly utilized.
- NTP Status: checks if the Service Point is synced with the NTP servers.
- Checks if Anycast is configured but not enabled for the DNS Resolver Service.
- Checks if the Service Point is provisioned on an unsupported platform.
- System Resolvers: checks for the number of resolvers and if at least one resolver is working.
Resolved issues
Service Points with multiple Anycast or DSR VIP addresses respond to queries from the same VIP address
In environments where the Service Point receives identical queries simultaneously on multiple Anycast or DSR virtual IP addresses (VIPs), the Service Point would respond to all those queries from one VIP. This caused a mismatch between the source and destination IP addresses, resulting in those DNS queries being dropped in the network and/or rejected by clients.
DNS queries time out during DNS resolver service updates
Previously, when a DNS resolver service update was initiated on a Service Point, the Service Point would continue to participate in Anycast during the update, resulting in query timeouts of up to 10 seconds. This issue has been resolved, and Anycast service is proactively disabled until the DNS resolver service completes updating and passes the internal health check.
Service Points in Azure fail to update due to an added file
In environments where the Service Point is provisioned in Azure, if you add Azure VM Extensions to the Service Point, it updates the package repositories to include /etc/apt/sources.list.d/microsoft-prod.list, which causes Service Point updates to fail due to unsupported customizations. This issue has now been resolved, and the Service Point backs up the file to a different directory before restoring it upon a successful update.
Additional details
Usage instructions
- In the Amazon AWS Console, navigate to your EC2 Dashboard, click Launch Instance, and select AWS Marketplace.
- Search for "BlueCat DNS Edge Service Point v4", select the image and click Select.
- Provide a name for your instance. Optionally, if you want to add a tag, add a key-value pair. For example, you might add the key ServicePointName with the value "your_service_point_name".
- Specify 1 as the Number of instances to deploy.
- For Instance Type, select one of c5.xlarge, c5.2xlarge, or c5.4xlarge and click Next: Configure Instance Details.
- Click "Proceed without a key pair". Your SSH key will be configured with the SSH Public Key that was provided when creating a Service Point v4 in the DNS Edge Service Point v4 page.
- Select the automatically created security group. If you choose to create a new one, make sure inbound and outbound access is configured per the requirements listed in the BlueCat DNS Edge Service Point v4 Deployment Guide. When you are done, click Review and Launch.
- For Configuring Storage, add a new volume with 100 GiB of space on General Purpose SSD (GP2).
- Click Advanced Details and for User Data paste the contents of the configuration file that you downloaded from the DNS Edge Service Points v4 page, or choose the file. Make sure to select User data has already been base64 encoded. When you are done, click Launch instance.
Support
Vendor support
For around-the-clock, year-round support, visit the BlueCat Customer Care Portal at https://care.bluecatnetworks.com or call 1.866.491.2228.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Customer reviews
Regional access control and threat detection for improved security
What is our primary use case?
We have deployed BlueCat Edge across our organization globally. Regional-based queries are directed to BlueCat Edge, and they are resolved within the regions themselves. For instance, we have an Anycast setup with a single IP assigned to specific regions, allowing queries to be resolved efficiently without needing to reach out to different locations.
What is most valuable?
The namespace and access control features are notable. The caching parameter resolves challenges effectively. Another valuable aspect is the conditional forwarding based on region and IP. BlueCat is doing a good job with DNS threats detection and identifying malicious queries.
We can track where queries are coming from, especially in DDoS attacks. The security dashboard and discovery features are useful. Additionally, there has been a significant cost reduction with BlueCat Cloud DNS handling external solutions.
What needs improvement?
BlueCat should consider deploying feature enhancement requests faster, especially if they are simple to implement. They need to focus and deploy such features in the next version itself, which would be beneficial for the end user and improve customer satisfaction.
For how long have I used the solution?
We have been using BlueCat Edge for the past three years.
What do I think about the stability of the solution?
BlueCat has increased security efficiency tremendously within the first month of deployment.
How are customer service and support?
The support we receive is prompt and follows up thoroughly to resolve issues. Unlike other companies where the support has degraded, BlueCat’s support remains excellent.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before BlueCat, our organization used Windows-based DNS set up for regional solutions.
How was the initial setup?
The setup was manageable after initial training. Initially, it was a bit challenging due to the new technology, but it became easier once we started using it.
What about the implementation team?
A team of six people from our organization was involved in the implementation.
What's my experience with pricing, setup cost, and licensing?
I'm not aware of the exact pricing and licensing as I was not part of the procurement process. However, there was a significant cost reduction thanks to BlueCat Cloud DNS managing external solutions.
Which other solutions did I evaluate?
We have not evaluated any alternate solutions.
What other advice do I have?
BlueCat Edge receives a rating of nine out of ten overall.
Any advice for others would be to ensure all future product developments are promptly addressed.
Has enhanced DNS routing, an easy setup and good reliability
What is our primary use case?
We have Edge deployed at roughly forty locations and use it as the primary DNS server for all our locations. Each location points to an Edge instance, which then points back to the Integrity instance.
How has it helped my organization?
Edge has reduced the complexity and has been more reliable. We replaced one infrastructure with the BlueCat infrastructure which has offered marginal cost savings without increasing costs.
What is most valuable?
The ability to route different domains to different DNS resolvers. I refer to Edge as a DNS router.
What needs improvement?
I would like to see improvements in threat detection and the ability to add categorization for blocking queries, such as those related to adult entertainment. Also, some features to filter out valid threats would be useful. Additionally, having a standardized location for query redirection without needing to stand up a server instance would be beneficial.
For how long have I used the solution?
We have been using BlueCat Edge for a little over two years.
What do I think about the stability of the solution?
The stability has been fairly good, though we encountered an issue with a bad update. BlueCat worked with us to resolve this by reverting us to a stable release and later moving us to a fixed one.
What do I think about the scalability of the solution?
It is fairly scalable. We have a one-to-one and one-to-many deployment schedule where each location with an Integrity set up also has an Edge, and we have several Edge instances in our data center serving multiple locations.
How are customer service and support?
The standard support was fairly good; response time varied depending on the issue. We have since upgraded our support level and now have a dedicated team. Bringing their support in-house has greatly improved the support experience.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used Microsoft's DHCP DNS and were utilizing BlueCat to manage it. We needed to choose a platform when BlueCat ended a product we were using for IPAM, so we decided to go fully with BlueCat.
How was the initial setup?
The initial setup was fairly easy, though the last release has made it easier. A lot of planning was required.
What about the implementation team?
We used BlueCat's services for implementation. Internally, it was myself and another person, and we were not dedicated full-time to the task.
What's my experience with pricing, setup cost, and licensing?
The pricing for BlueCat Edge is not horrific. While it's not as inexpensive as I would like, we are subscription-based and have unlimited implementation.
Which other solutions did I evaluate?
We looked at Men and Mice, now part of BlueCat, and Infoblox, though not in-depth.
What other advice do I have?
New users should know how they want their queries to route, especially if they are operating internationally where they might want to route some queries internally and others directly to the Internet.
I'd rate the solution eight out of ten.
We see the benefits immediately, it can identify DNS threats, and is flexible
What is our primary use case?
In our network, BlueCat Edge acts as the central point of contact for all DNS requests. It essentially functions like a DNS resolver, directing our internal devices to the correct resources. This makes BlueCat Edge the first stop for all DNS traffic within our organization.
How has it helped my organization?
While BlueCat Edge can identify DNS threats like typos, tunneling, and DDA, for our specific needs we use Cisco Umbrella to analyze all our external DNS traffic. This integration between the two platforms sends all external queries to Umbrella, though BlueCat Edge still offers valuable security insights through its reporting.
Our company currently leverages BlueCat Edge, within Microsoft Azure. This flexibility allows us to deploy BlueCat Edge not only across our on-premise data centers but also within Azure. This approach ensures consistent functionality regardless of the deployment environment, and future integrations with cloud providers offering a single pane of glass with any Cloud vendor.
While the full security features of BlueCat Edge might take time to assess, the benefits in data visibility and flexibility were immediate. We gained instant traffic visibility, which was incredibly helpful. For example, troubleshooting with internal server management teams became much smoother - I could simply share my screen and show them their traffic data, leaving them impressed with the newfound transparency.
Since implementing BlueCat Edge, we've observed a reduction in viruses, ransomware phishing, and malware attacks. The increased visibility it provides allows us to target and address specific threats within our environment. We've also seen a decrease in DNS-related issues.
By centralizing management with BlueCat Edge's flexible solution, our company has reduced operational expenses. Easy deployment across our global footprint and improved visibility through centralized logging allow for faster troubleshooting and resolution of DNS issues. Additionally, the enhanced security features help to minimize problems and improve overall network health.
What is most valuable?
The most impressive feature of BlueCat Edge is its versatility combined with robust security. It acts as a central platform that intelligently routes traffic to the correct resolver while simultaneously enforcing security policies. This includes the ability to blacklist malicious domains or redirect traffic, providing a significant security advantage. In my experience, I've successfully migrated nearly 100,000 internal IP addresses across 14 global data centers using BlueCat Edge, handling a substantial amount of traffic with ease.
The interface is user-friendly, and what I find most helpful is the ability to quickly view logs. These logs contain all the queries from internal clients and the corresponding responses from the DNS service, making troubleshooting DNS traffic significantly easier. In the past 24 hours, we've seen 86,000 unique IP addresses using the service, though this number likely fluctuates seasonally. Overall, it's the best solution I've found for troubleshooting DNS traffic.
The unparalleled visibility offered by BlueCat Edge is arguably the most critical benefit we receive.
What needs improvement?
The main improvement for BlueCat Edge's security configuration would be more granular control. Ideally, it would allow for filtering by categories like gambling, adult content, drugs, etc. This is because the current list provided by CrowdStrike, containing millions of URLs, lacks transparency and might block useful sites for our military company. For instance, we might want to allow consulting sites that are currently blocked. In essence, BlueCat Edge needs to function like a DNS-based HP proxy with selectable categories, making it a near-perfect product.
For how long have I used the solution?
I have been using BlueCat Edge for three years.
What do I think about the stability of the solution?
BlueCat Edge gets a solid nine out of ten for stability. While it's not flawless, occasional downtime is inevitable. However, their anycast implementation, where the same IP address is advertised by multiple servers, ensures automatic failover. Additionally, our load balancing setup reroutes traffic when any server goes down. This minimizes user impact, which is ideal – after all, the less they notice us, the better it means our service is running smoothly. It's not perfect, but with their help, our architecture keeps user disruptions to a minimum.
What do I think about the scalability of the solution?
BlueCat Edge is a flexible solution that scales well to meet our growing number of services. Load balancers distribute traffic across any available resource, making it easy to add new capacity on demand. DNS, a simple protocol relying on UDP for communication, further contributes to BlueCat Edge's ease of use. Caching is a valuable feature for most users, and vulnerability protection is another important consideration. Overall, BlueCat Edge's scalability, ease of use, and robust feature set make it a strong solution.
How are customer service and support?
We're very impressed with BlueCat's premium support service. They're highly engaged, holding bi-weekly meetings to discuss our open cases and promptly involving other internal teams as needed to expedite resolutions. Their client-centric approach is evident in their transparency, keeping us informed of any issues and readily sharing relevant data. Overall, they're one of our favorite vendors to work with.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before BlueCat Edge, we lacked functionality, flexibility, a unified management panel, and strong security features. Edge filled this gap with new features, but we continue to use another BlueCat product for classic DNS.
How was the initial setup?
The initial deployment of BlueCat Edge service points in Azure was simple. We have a large, geographically distributed infrastructure with fourteen data centers, some containing four service points and others with two. This brings our total to potentially over 50 physical boxes plus the four in the cloud, for nearly 60 edge service points in all. Due to our company's size, the implementation was phased by region and country, with each location completed at a different time. The Edge installation and configuration itself did not impact the project timeline because subsequent deployments were replications of the initial setup. This efficient process allows us to create a new service point in under an hour thanks to our centralized management system, which stores configurations for easy deployment and replication.
Setting up BlueCat Edge requires creating a host environment first. However, the Edge configuration itself is fairly straightforward and can be done by one person in about 30 minutes. This assumes we already have a clear understanding of our requirements. For the larger project spanning data centers across 12 countries, cloud environments, and involving other BlueCat products, we needed a few people.
What about the implementation team?
We implemented 90 percent of the product ourselves with minimal help from BlueCat. While the product documentation was excellent and the team was familiar with the environment, some initial uncertainty led us to consult with BlueCat for a few hours during implementation. We haven't needed much ongoing support; occasional questions are handled through their ticketing system or professional service reports.
What's my experience with pricing, setup cost, and licensing?
The licensing model for BlueCat Edge seems very good, although I can't confirm if it's specific to our contract. There are no restrictions on the number of Edge devices we can deploy. The pricing is bundled with other BlueCat products we use through our BlueCat Shop. Since we purchase a variety of BlueCat products, I'm unsure of the individual cost of Edge or if it's even factored into the overall bundle pricing.
What other advice do I have?
I would rate BlueCat Edge ten out of ten. Edge is my favorite BlueCat product that we use.
Our typical maintenance routine involves updating BlueCat Edge whenever the company releases new versions and security patches. In the past, troubleshooting specific issues has occasionally required waiting for updates to external libraries used by BlueCat Edge. While waiting isn't ideal, it's important to understand that BlueCat relies on these libraries. During such times, we implemented workarounds until the necessary updates were available. Additionally, some major upgrades have required rebuilding our entire environment, which we accomplished through a batched virtual machine recreation process. This was necessary because the upgraded software involved significant technological changes, including a new underlying Linux version.
The effectiveness of a next-generation firewall depends on its features. While some offer limited functionality, I'm satisfied with our current product's flexibility, improved log visibility, and strong security, especially its DNS features like tenant detection and global availability. However, there might be even better options out there. For instance, while web proxies can handle some modern threats, DNS security offers a more targeted approach. Overall, I wouldn't change BlueCat Edge unless a new option demonstrably surpasses its capabilities.
For a new BlueCat Edge implementation, I'd prioritize high availability using an Anycast architecture. Even the best solution is useless if unavailable. Secondly, implement security features as early as possible to avoid later complications and permission requests. Finally, establish a schedule to review generated reports, take action on observations, and closely monitor infrastructure for optimal performance and availability.
Invaluable at detecting DNS threats, improving performance, and reducing operational expenses
What is our primary use case?
We primarily use BlueCat Edge for our entire internal infrastructure and all internal clients for all DNS resolution needs. We also leverage it for DNS redirects, integrations between cloud and on-premises providers, and as a sorting engine to direct queries to the appropriate internal DNS infrastructure. This is necessary because we have multiple internal infrastructures for resolving internal system queries.
We implemented BlueCat Edge to solve the visibility and security issues we were having.
Our infrastructure, including both Edge and BlueCat components, utilizes a full hybrid cloud and on-premises model.
How has it helped my organization?
We encountered some malicious queries, and BlueCat Edge proved invaluable in detecting these DNS threats. While currently only operating in monitor mode, its biggest benefit has become its instrumental role in diagnosing performance issues. It serves as a crucial troubleshooting toolset within our infrastructure, helping us identify and resolve outages effectively.
BlueCat Edge's ability to provide agnostic DNS discovery and resolution across multiple cloud environments is fantastic. I even use it for various DNS providers, including Active Directory, F5, Route 53, and GCP. This capability makes it a key component for me, as it allows me to seamlessly navigate the same DNS namespace across different infrastructures, something that I've found only BlueCat can offer.
The main benefits of BlueCat Edge are its improved performance over our previous infrastructure and its large cache management capabilities. Both contribute to exceptional performance gains. Additionally, it provides valuable visibility into DNS activity, revealing which clients are making what queries and enabling detailed investigation. As we migrated more of our infrastructure onto BlueCat, beyond just the Edge product, we observed immediate benefits in terms of visibility. The biggest hurdle we faced was redirecting our internal clients to use Edge over existing internal DNS solutions. This initially slowed down our metrics, but we still had access to the data. As more systems started using Edge, the benefits became increasingly apparent.
BlueCat Edge has helped our organization reduce operational expenses by decreasing our downtime and providing better DNS performance for queries, as well as helping us identify misconfigurations within our clients' networks.
What needs improvement?
I have concerns about several aspects of BlueCat's site management. Firstly, the cleanup process doesn't seem thorough enough, leaving behind residual data. Secondly, the logging duration has been significantly reduced. When I started using Edge, I had access to 3-6 months of historical data, but now this window has shrunk to just two weeks.
I understand that the platform processes over one and a half billion queries per week, which necessitates data management. However, I believe access to longer-term logs would be beneficial for our analysis. The current two-week window limits our ability to identify trends and track historical events effectively.
BlueCat Edge has a limitation of 10,000 records for exports. While I understand the need to export all data, it would be more efficient if I could selectively export the data I need. Currently, there is only one export mechanism that provides all 10,000 records. I would prefer the ability to select specific values and export more records at once, as I don't require all the data available.
For how long have I used the solution?
I have been using BlueCat Edge for five years.
What do I think about the stability of the solution?
I would rate the stability of BlueCat Edge a nine out of ten.
What do I think about the scalability of the solution?
On a scale of one to ten, I'd rate its ability to scale as a nine. In that regard, it's very robust. However, the complexity of scaling brings it down to a seven. Scaling out can be intricate, involving many adjustments and configurations. However, once everything is well-tuned, it functions flawlessly.
How are customer service and support?
Technical support responsiveness presents a concern. While it's comparable to other vendors like Microsoft, I expect someone to answer my call within five minutes. Unfortunately, that wait often extends to an hour. The knowledge base, however, seems adequate. I believe BlueCat is rebuilding its content, as it was exceptional when I first started using it. While the current support team is competent, it pales in comparison to their previous level of expertise.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We migrated all DNS records from our Active Directory infrastructure. Previously, each domain within our internal network had its own separate DNS server on Active Directory. These servers hosted a variety of zone types, including public, private, and antivirus-specific zones. We consolidated all of these records onto BlueCat Edge.
How was the initial setup?
This architecture can be complex, but I initially found it quite simplistic. However, it's significantly more intricate than single-service systems like Active Directory due to its multiple components. I managed to perform Edge upgrades, BDDS deployment, and BAM deployments simultaneously. By implementing a full DDI configuration from the outset, the system gained further complexity. However, I found the logic behind it intuitive. While slightly more intricate than freely available versions, I didn't find the architecture or deployment overly challenging, thanks in part to collaboration with BlueCat's architecture team.
Our Edge deployment took four to six months and required a hybrid infrastructure with specific virtual infrastructure, firewalls, and connectivity at 18 sites. However, much of the delay stemmed from the need to upgrade our infrastructure, which involved additional legal work due to our status as a financial fintech company. We faced stricter regulations regarding permissible connections to the SaaS portal, resulting in delays related to whitelisting and verifying data security and privacy.
I was the only one involved in the deployment from our organization.
What about the implementation team?
We leveraged BlueCat's migration services during our Edge deployment to migrate our DNS Active Directory zones to the BlueCat platform.
What's my experience with pricing, setup cost, and licensing?
We find the current pricing model more reasonable compared to the previous per-IP pricing. BlueCat was competitively priced against Infoblox during our evaluation. While currently using their maintenance support only, BlueCat is certainly an expensive product. However, considering our company's growth and performance, we believe it's a necessary investment. While free solutions like AD DNS exist, BlueCat offers significant added value, justifying its cost. Our senior leadership shares this view and is pleased with the results.
Which other solutions did I evaluate?
I evaluated Infoblox five years ago when we had a specific need: our use case involved having multiple SOAs for the same Route Zone. At that time, BlueCat offered a resolution method that could handle this scenario by querying multiple SOAs to find the desired answer.
While Infoblox has since improved its capabilities, BlueCat was the only solution that met our requirements at the time of our analysis. During the initial phase of our migration, we indeed had multiple SOAs, and we needed the ability to send queries to different name servers for the same zone. BlueCat was able to fulfill this requirement, while Infoblox was not.
What other advice do I have?
I would rate BlueCat Edge nine out of ten.
BlueCat Edge will release optics patches which will require manual deployment by our IT team. Due to company policy, automatic updates are disabled, even though BlueCat Edge offers an auto-upgrade feature. This aligns with our general policy of avoiding automated tools in certain situations.
DNS-specific security solutions offer the first line of defense by providing greater visibility and control compared to traditional methods like individual firewalls. Consolidating all DNS queries in a central location enhances effectiveness and simplifies management, making it superior to utilizing a basic firewall for DNS security, such as a Cisco firewall.
I recommend completing the Edge homework. Make sure to understand the main list, name servers, resolution process, and similar concepts. It's also crucial to grasp the nature and function of caching. Remember, thorough understanding is key.
Provides good visibility and control, and we can quickly put it in place and integrate it
What is our primary use case?
We are utilizing it as DNS traffic management and security solution. This way, we can capture and utilize BlueCat's cloud AI solution to find malicious DNS requests, get them over to us, and take corrective actions on those.
How has it helped my organization?
BlueCat Edge's ability to detect DNS threats and identify malicious queries comes in quite handy. We can keep track of the low or minor things. It has even helped us track down misconfiguration, which was great. We have had some situations where we had to take corrective action on malicious intent going outward. For example, we had a particular machine going to a malicious site at 2 AM, and we had to take that proactive or automatic action to stop it from going there. We can deny them the ability to even connect. A lot of companies use what is called web content filtering. They want to prevent you from going to certain websites. For example, on your work machine, you want to go to playboy.com. Your machine makes the DNS call, gets the IP address, and attempts to make that connection to that website. The web content filtering at that point will jump in and say, "Hey. You are trying to go somewhere that you are not supposed to be going to." It blocks you. It happens very fast. When you make the DNS request to find out where playboy.com is located, before you even get the DNS response to try and connect to the site, you are blocked. It happens at a level much faster than web content filtering because in some cases, when you try to connect, you might even get a payload that comes down to you before your web content filtering kicks in.
BlueCat Edge offers provider-agnostic DNS discovery and resolution across multiple cloud environments. We are using it because routing DNS traffic is critical to the operations of our business. We have the ability to define rule sets and be able to say that this traffic is destined for Cloud A and then we are going to forward that over there. When a request comes in for Cloud B, we are going to set it over there. If a request is for something on-prem in our data center, it is going to get routed over there. I love that ability of BlueCat Edge. It has made our life very easy.
We use the Security Dashboard, and we have the ability to see situations happening in real time. We also have CrowdStrike threat protection features turned on, so we get to see other issues flowing as real-time as can get. We have DGA and top-level DTLD that you are not supposed to go to. We could have that visibility at a finite level, which is great. This visibility from the Security Dashboard has helped save time when not only troubleshooting but also with any configuration issues. If there is a configuration issue, we have to go look and figure out a fix for that configuration issue that we may have created accidentally.
In terms of securing our infrastructure from end to end so that we can detect and remediate threats, we do get the flags that are thrown as soon as something comes up from something within our internal network. The DNS queries are immediately dumped to our SIEM solution in our security team's purview where they could immediately take action. We also have some of the automations turned on to generate emergency tickets to the appropriate team. It makes life so much easier.
BlueCat Edge has probably reduced our threat risk by 68%.
What is most valuable?
What I found most valuable is the ability to put it in place and integrate it very quickly. It allows us to create routing rule sets to route DNS traffic where it needs to go most efficiently in our environment.
What needs improvement?
About nine months ago, we were still using their Edge endpoint version 3. We recently moved to version 4 of their Edge endpoint. In Edge endpoint version 3, we did not have the ability to clean up our dashboards properly. As we decommissioned sites and commissioned new sites, we were left with a mess of data still sitting there because of the way they had originally designed version 3. Now the old data is gone, and the function of the new version 4 has really helped with that. It was a nuisance for the past few years.
One pain point concerning DNS Edge is the inability to see per Edge endpoint, what devices are querying against it. They do have the capability for you to look at that data, but the data is roughly 24 to 48 hours old. I am looking for real-time data, and I cannot get that per Edge endpoint.
I would call it a work in progress. I am still finding things that bug me in terms of how something functions. I might find out how to do something when it is not documented. That is great, but documentation becomes an issue with me on that.
For how long have I used the solution?
We have been using BlueCat Edge since 2015 when it first came out. We were one of the early adopters.
What do I think about the stability of the solution?
Going back to version 3.X.X, it has been a very solid solution. In all the years running this solution (going on 12 years soon), only 1 issue has had an impact, and it was quickly resolved.
What do I think about the scalability of the solution?
With the current version 4.X.X platform, it has revolutionized out of the box DNS solutions to date.
How are customer service and support?
I would rate them a solid nine out of ten. They are there. They always jump in when we have an issue. The issues are far and few. I am told I am one of the early adopters. We are using the tool on the bleeding edge. What makes us a little bit special is that we pay extra for their enterprise support, so we have a dedicated team for us in BlueCat. If I ever have an issue, they are on top of it immediately, and it is the same group of people over and over again. I do not get a new person who does not understand our environment. Their enterprise team is engaged. They have our architecture documents. They know our environment just as well as I do. They know all the configurations, so when somebody from their enterprise support team jumps in, three-quarters of the battle of explaining everything is pretty much done because they know how everything is, but I cannot say how the process would work if somebody calls their general support number and puts in a general ticket.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
No similar solution existed for us.
What about the implementation team?
Our implementation was assisted through BlueCat's Professional Services team. Due to our complexity, legal issue with data, they were very knowledgeable and expedient.
What's my experience with pricing, setup cost, and licensing?
One of the nice benefits of getting DNS Edge is that you buy the subscription, and you are allowed to deploy as many Edge endpoints as you need. You do not need a separate license for each one. If you deploy 20 of them, you will not be billed for that many. It is one subscription. You can deploy as many as you need and consume as much as you need. The cost comes in based on the number of IPs that you are consuming and running through DNS Edge. We have that pretty much locked in for what we need for internal purposes. Being able to save money on deploying Edge endpoints has saved us drastically from deploying other BlueCat products in lieu of that.
Which other solutions did I evaluate?
Nothing on this level existed on how we handle DNS in our environment. We could not get Infoblox or Micetro to handle this complexity.
What other advice do I have?
If a colleague said to me that their next-gen firewall and other security tools mean that they do not need a DNS-specific security solution, I would say that DNS is the heart and soul of your firewall to begin with. Without that, you are not going to know where things are coming and going.
I am going back to the old adage. The company that I am with right now has been bought and sold a few times. Back in 2012, during the course of a sale, we were being spun off to a new entity. Nobody took into consideration DNS, and I raised my hand in the meeting with only six days to go to launch as a new entity and asked, "What are we doing for DNS?" I was told that they would just stand up a couple of servers and dump information there. I said no because DNS is not just a name and an IP. DNS goes way beyond that. There is so much more than that. You get management making decisions and people who do not understand solutions generalizing. Once they got the third-party company that was assisting in the transition involved, they started to see all the nuances of what DNS entails. They did not realize the complexities and should have had it on the tote board long in advance. That is the analogy I use for how general people do not understand the complexities of DNS.
I would rate BlueCat Edge a solid nine out of ten just for the fact of how well it provides ease of use and time savings for us. We can also use Edge endpoints wherever we need to deploy them. The reason why I am not giving it a ten out of ten is that it is always a work in progress.