Active Directory Security Concern

Kevin Darcy kcd at
Wed Dec 4 00:59:13 UTC 2002

tom thumb wrote:

> All,
> Unfortunately we are going to be upgrading to Active Directory

Sorry to hear it.

> and
> would like to maintain using UNIX for our DNS infrastructure.  What
> are the security concerns in disabling name checking and allowing
> dynamic dns?

Disabling name checking isn't particularly high risk in security terms,
although the fact that you have to do it implies that you're running
BIND 8, and from a security standpoint, you may be better off with

Dynamic DNS is a bigger concern, since the flavors of
crypto-authentication used by Microsoft products is incompatible with
that used by BIND and _vice_versa_. So you're limited to authenticating
by source IP address, which is pretty weak. For these reasons and other,
some folks prefer a "half-and-half" solution where they just delegate
the "underscore" subdomains, e.g. _tcp, _udp, _msdcs to a Microsoft
DNS/AD server and let it manage those itself. This leaves the main
domain(s) running on your existing DNS infrastructure without having to
open up Dynamic Update.

Alternatively, you could -- as we do -- have AD use a completely
different namespace.

- Kevin

More information about the bind-users mailing list