DNS for Internet Service Providers
You have high-performance DHCP that handles millions of addresses. Now you need to reliably answer one question: Which customer has this IP address right now? InkBridgeDNS exports DHCP lease data via standard DNS queries so carrier partners, monitoring systems, and compliance platforms can get the information they need without custom APIs.
By Alan DeKok.
ISPs with hundreds of thousands or millions of subscribers routinely need to map IP addresses to customers for abuse handling, partner integrations, lawful intercept, and network monitoring. The data already exists in the DHCP database; the hard part is providing controlled, auditable access without building and maintaining one-off APIs for every external system.
This paper explains how InkBridgeDNS uses standard DNS queries to export DHCP lease information so external systems can ask “who has this IP address?” using protocols they already understand. The result is simpler integration, less custom code, and a clearer security and policy model than custom REST APIs, file exports, or direct database access.
Paper Outline (Download the PDF for more information)
Key takeaways
- InkBridgeDNS exports DHCP lease data via standard DNS queries instead of custom REST APIs.
- External systems and carrier partners get the data they need using protocols they already support.
- ISPs keep control over what information is returned, based on policies and source of the query.
- The solution is designed specifically for ISP use cases, not enterprise IPAM or DDI scenarios.
- DNS export avoids schema lock-in and works across multiple database backends (MySQL, PostgreSQL, Redis, LDAP, and more).
- Integration is measured in minutes instead of months because there is no custom API surface to document, secure, and maintain.
The DNS use case for ISPs
ISPs face recurring scenarios where they must identify which customer is using a particular IP address at a specific point in time: abuse complaints, carrier billing correlation, lawful intercept, and monitoring. All of this information lives in the DHCP lease database; the question is how to expose it safely and efficiently.
Traditional approaches include custom REST APIs, batch file exports, or direct database access, each of which introduces latency, security risk, or significant development and maintenance overhead. The InkBridgeDNS approach is to export DHCP lease data via DNS, so external systems query a DNS server instead of an HTTP API.
Why ISPs don’t always need full-featured DNS
The paper draws a clear distinction between ISP and enterprise address management. ISPs allocate from large dynamic address pools and track subscriber sessions via RADIUS accounting, while enterprises rely on static assignments, device-specific DNS names, and Active Directory integration.
As a result, ISPs usually do not need complex DDI/IPAM platforms, DNSSEC, or DNS over HTTPS/TLS for this particular problem. They need a focused way to expose real-time lease data to trusted systems, not a general-purpose authoritative or recursive DNS infrastructure.
The advantages of convergence
The positioning paper also highlights the benefits of converged DHCP and DNS built on the same policy and database infrastructure. When DHCP and DNS are supplied by the same vendor and share a datastore, configuration changes and exports stay in sync without manual synchronisation or fragile glue code.
InkBridgeDNS works against existing databases and schemas instead of forcing migrations into proprietary schemas, reducing vendor lock-in and making it easier to add new attributes or data fields without waiting for a product release.
Compliance and monitoring applications
Common compliance and monitoring applications include DMCA takedown notices, spam complaints, incident response, lawful intercept, and ongoing capacity or security monitoring. With DNS-based export, these systems query IP addresses and receive exactly the customer or device identifiers the ISP has configured to expose, without needing full database access.
Because monitoring and security tools already support DNS lookups, integration is typically a configuration change rather than a development project. Policy controls ensure that different requesters can receive different levels of detail as needed.
Policy capabilities beyond standard DNS
Unlike traditional DNS servers, which return the same answer to every query for a given name, InkBridgeDNS supports policy-driven responses based on who is asking and what they are asking about. Internal systems might see full lease and device details, while carrier partners or abuse systems receive only minimal customer identifiers.
The same policy engine that InkBridge uses for RADIUS and DHCP also applies to DNS queries, which means a single policy language across AAA components and less duplication for operations teams.
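As an added illustration of the per-requester policy described above (not InkBridgeDNS code or configuration), the sketch below models a lease lookup that returns different fields depending on who is asking. The reverse-DNS query name, the `key=value` answer strings, the policy table and the lease record are all assumptions constructed for this example.

```python
import ipaddress

# Constructed lease record standing in for the DHCP database (documentation addresses).
LEASES = {
    "198.51.100.23": {
        "customer_id": "CUST-0001",
        "mac": "02:00:00:00:00:01",
        "circuit_id": "olt1/3/7",
        "lease_expires": "2030-01-01T00:00:00Z",
    },
}

# Hypothetical policy: requester network -> lease fields that requester may see.
POLICY = [
    (ipaddress.ip_network("10.0.0.0/8"),
     ("customer_id", "mac", "circuit_id", "lease_expires")),  # internal systems
    (ipaddress.ip_network("192.0.2.0/24"), ("customer_id",)),  # carrier partner
]

AUDIT = []  # (source, qname, rcode) for every query, allowed or not


def qname_to_ip(qname):
    """Map an IPv4 reverse name (d.c.b.a.in-addr.arpa) back to a.b.c.d, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ValueError:
        return None


def allowed_fields(source):
    """Most specific matching network wins; unknown requesters get nothing."""
    src = ipaddress.ip_address(source)
    matches = [(net, fields) for net, fields in POLICY if src in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else ()


def answer(source, qname):
    """Return (rcode, answer strings) for a lease lookup from `source`."""
    fields = allowed_fields(source)
    ip = qname_to_ip(qname)
    lease = LEASES.get(ip) if ip else None
    if not fields:
        rcode, data = "REFUSED", []  # default deny, before revealing existence
    elif lease is None:
        rcode, data = "NXDOMAIN", []
    else:
        rcode, data = "NOERROR", [f"{k}={lease[k]}" for k in fields]
    AUDIT.append((source, qname, rcode))
    return rcode, data
```

The same name yields full lease detail for the internal network, only the customer identifier for the partner network, and `REFUSED` for any requester with no policy entry; every query is recorded in `AUDIT` regardless of outcome.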
Deploying and integrating
The paper describes two main deployment options: integrated (DNS on the same systems as DHCP, sharing a database) and separated (DNS on its own systems, still reading from the same datastore). Both approaches scale horizontally and use standard databases such as Redis, MySQL, PostgreSQL, LDAP, and others.
From an integration perspective, DNS is a stable, well-understood protocol. Carrier partners, monitoring tools, and compliance platforms can use existing DNS client capabilities instead of custom API clients. This avoids the work of specifying, implementing, documenting, and versioning REST APIs.
When to consider InkBridgeDNS
The positioning paper outlines scenarios where InkBridgeDNS is a strong fit: exporting DHCP lease data to external systems, meeting compliance requirements for customer identification, avoiding custom APIs, enforcing policy-based information access, and reducing vendor count in the infrastructure.
It also clarifies when InkBridgeDNS is not the right tool: enterprise environments with heavy static assignment needs, general-purpose DNS needs, public DNSSEC use cases, and recursive resolution for end users.
Why InkBridge
InkBridge Networks engineers, supports, and deploys DHCP, DNS, RADIUS, and TACACS+ solutions for organisations that need their network infrastructure to be reliable, auditable, and easy to integrate. The team behind InkBridge created and maintains the open-source FreeRADIUS project and contributes to standards that define how modern network access works.
InkBridgeDNS focuses specifically on ISP use cases where external systems and carrier partners need controlled access to DHCP lease data. By exporting this data over standard DNS, InkBridgeDNS reduces integration friction, avoids custom APIs, and gives operations teams policy-driven control over who sees what.
FAQ
What problem does InkBridgeDNS actually solve?
InkBridgeDNS solves the problem of giving trusted systems and partners controlled access to DHCP lease data so they can answer “who has this IP address right now?” without building and maintaining custom REST APIs or granting direct database access.
Why use DNS instead of a custom API?
DNS is a stable, widely supported protocol that every carrier, monitoring platform, and compliance system already understands. Using DNS avoids API specification work, authentication frameworks, client library development, and versioning issues, while still allowing the ISP to control what information each requester sees.
How does InkBridgeDNS handle privacy and policy?
InkBridgeDNS lets ISPs define policies based on the source of the query and the type of information requested. Internal systems can receive detailed device data while external partners receive only the minimal identifiers they need, helping maintain privacy and regulatory compliance.
Does this replace a full DDI/IPAM platform?
No. The paper is clear that InkBridgeDNS is not a full IPAM or general-purpose DNS platform. It is designed to solve a specific ISP use case around lease data export, not enterprise-style static address management or public authoritative DNS.
When is InkBridgeDNS not a fit?
InkBridgeDNS is not the right tool for environments that primarily need DNSSEC, DNS over TLS/HTTPS for end-user privacy, general-purpose authoritative DNS, or recursive resolution services. It is targeted at ISP DHCP lease export scenarios rather than enterprise IPAM use cases.
Need a simpler way to answer “who has this IP address?”
If you are exporting DHCP lease data to carrier partners, monitoring tools, or compliance systems, InkBridgeDNS gives you a way to do it over standard DNS instead of custom APIs. The result is faster integration, less custom code to maintain, and clearer policy control over who can see what.
Read the full paper
Download the full positioning paper as a PDF.
