bind vs. MS DNS

Robert Lowe Robert.H.Lowe at lawrence.edu
Wed Jun 16 15:55:24 UTC 2004


Kevin Darcy wrote:

> huffman at graze.net wrote:
> 
> 
>>All,
>>
>>  Don't want to start any nasty feuds, but can anyone point me to pros / cons
>>of using bind in favor of MS DNS?  My company is currently looking at migrating
>>from a UNIX / Bind DNS scenario to MS DNS / Active Directory.  I feel that the
>>maturity, security, and stability of bind on UNIX are big wins, but currently
>>we're not hosting our own DNS externally, so security is *less* of a concern and
>>we're small so things like views, and scalability are also not concerns....

Views could be useful in the future, even if you're not using them now.
Think about scenarios where they could be used, and decide whether those
are even remote possibilities.  Will you ever need to resolve a host name
differently for internal vs. external clients?  For example, you might
have an external web server with the same name, and use one-way replication
from an internal web server.  Will you ever use NAT/RFC1918 IP address space
that might require something to be advertised differently on each side of
a firewall?  Etc.

>>Pointers to any articles would also be helpful.
>>
> 
> Well, first of all, if you already have a functioning UNIX/BIND DNS 
> infrastructure, why is the burden not on your Microsofties to justify 
> changing that? Why should the burden be on you to defend it?
> 
> Also, hopefully you realize that this is not a strict either/or 
> situation. BIND and AD/MS-DNS can co-exist. Delegate the "underscore" 
> zones (_msdcs and friends) to the MS-DNS servers and they can do 
> whatever they want with it. 

And of course ADS and BIND can co-exist without using MS-DNS.  You can
host all the zones on BIND, and either a) allow only the DCs to update
the underscore zones (no GSS-TSIG yet, so less secure), or b) do not allow
them to update them and tweak the DCs to not perform the updates.  Unless
you're making lots of changes to your ADS environment, maintaining those
zones manually is not a big deal at all.  See the following to disable the
updates (under the net logon service section):

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246804

> Now, if you want to make secure Dynamic 
> Updates directly from Win2K (or Win2K3) clients to the DNS of your main 
> domain, then you're not going to be able to use BIND for that. But
> technically that's not an Active Directory function; it's a Win2K* 
> function, and one that many folks find to be not worth the resources it 
> consumes. Depends on what you're trying to achieve.

We turn off DDNS in all of our client images.  Client-initiated dynamic
updates are a bad idea anyway.  We use TSIG signed updates from ISC's
DHCP server for the few zones where we do DDNS.  DHCP is probably
another aspect of this discussion regarding migration too.  :-(

-Robert

> Off the top of my head, the pros of MS-DNS are: secure Dynamic Update 
> compatibility with Win2K* clients, the "scavenging" feature, and 
> multi-master replication. The pros of BIND are: better 
> standards-adherence, better manageability (easier to automate functions 
> via Unix scripting, easier to troubleshoot since you have more than just a 
> GUI to look at), faster response to security problems (based on 
> Microsoft's track record of providing security patches), wider variety 
> of platforms (various Unix and Linux flavors; you can even run it on 
> Windows if you want, but you lose some of the other benefits if you do 
> that), more flexibility (you said you didn't care about views and the 
> like, but other features like sortlists, logging options, 
> resource-tuning options, etc. might come in useful some day, and last I 
> heard, weren't available in MS-DNS, although I see they finally added 
> stub zones and selective forwarding...).
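
The thread above touches three BIND configurations without showing any of them: split-horizon views for internal vs. external clients, hosting the Active Directory underscore zones on BIND with updates restricted to the domain controllers, and TSIG-signed dynamic updates from the ISC DHCP server. The named.conf below is an added example written for this page; it is not from the original posters. The zone name example.edu, the 10.x addresses for the DCs and internal networks, the file paths and the key material are all assumptions, and the secret is a placeholder, not a usable key.

```conf
// Added example, not from the thread. Names, addresses and the key
// secret below are assumptions; generate a real secret with
// tsig-keygen (or dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST on old BIND).

acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };
// Assumed addresses of the Windows domain controllers.
acl "domain-controllers" { 10.0.1.10; 10.0.1.11; };

// TSIG key shared only with the ISC DHCP server. hmac-sha256 is the
// modern choice; 2004-era servers would have used hmac-md5.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVItbm90LWEtcmVhbC1rZXktcGxhY2VIT0xERVI=";
};

options {
    directory "/var/named";
    // List your secondaries here; "none" until you have some.
    allow-transfer { none; };
};

// Internal clients get RFC 1918 answers and can see the AD zones.
// Once any view is defined, every zone must live inside a view.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;

    zone "example.edu" {
        type master;
        file "internal/example.edu.db";
        // Clients have DDNS turned off; only the DHCP server, proving
        // possession of the TSIG key, may add or remove host records.
        allow-update { key "dhcp-update"; };
    };

    // Underscore zones hosted on BIND rather than delegated to MS-DNS.
    // Option a) from the post: only the DCs may update them. Without
    // GSS-TSIG this is an address ACL, which a host on the internal
    // network can spoof, so it is weaker than the key-based rule above.
    // Option b) would be "allow-update { none; };" plus disabling the
    // netlogon registration on the DCs and maintaining the records by hand.
    zone "_msdcs.example.edu" {
        type master;
        file "internal/_msdcs.example.edu.db";
        allow-update { domain-controllers; };
    };
    zone "_sites.example.edu" {
        type master;
        file "internal/_sites.example.edu.db";
        allow-update { domain-controllers; };
    };
    zone "_tcp.example.edu" {
        type master;
        file "internal/_tcp.example.edu.db";
        allow-update { domain-controllers; };
    };
    zone "_udp.example.edu" {
        type master;
        file "internal/_udp.example.edu.db";
        allow-update { domain-controllers; };
    };
};

// Everyone else sees only the public zone. The same name (say
// www.example.edu) resolves to the public address here and to the
// RFC 1918 address in the internal file; no recursion for outsiders.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.edu" {
        type master;
        file "external/example.edu.db";
        allow-update { none; };
    };
};
```

The DHCP side uses the same key name, algorithm and secret in dhcpd.conf (`key`, `zone example.edu. { primary <server>; key dhcp-update; }` and `ddns-update-style interim;`), so a client that forges a DHCP lease still cannot write to DNS without the key. Because the first matching view wins, keep the internal view before the external one, and remember that an address-based ACL on the underscore zones is only as strong as your confidence that nothing on the internal network can source packets from a DC's address.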
