BIND and AD DNS
Kevin Darcy
kcd at chrysler.com
Thu Jan 10 03:12:13 UTC 2008
Beavis wrote:
> Greetings Folks!
>
> I needed some help on setting up BIND to work with Active Directory
> DNS. Most of the resources that are available via Microsoft suggest
> that I use BIND to provide dynamic updates, but I'm currently looking
> for a more straightforward way of doing it without having BIND do the
> work on behalf of AD DNS. I would like to have BIND resolve queries
> for both the Internet and my local non-AD domains; if an AD-integrated
> server/workstation queried an AD zone (e.g. domain.corp), I would
> like to divert that directly to the AD DNS servers.
>
> Would this be a possible scenario? I know that you can set up
> forwarders, but this is more of a general way of forwarding queries.
> I'm leaning toward a more zone-related query.
>
Well, you can't really "divert" a stub resolver to use different
upstream resolvers for different parts of the namespace. Stub resolvers
are, after all, by definition, only capable of using a _static_ set of
upstream resolvers for _all_ resolution. They're dumb.
The only things that you can really "divert" are iterative resolvers,
ones that are smart enough to follow delegations and go ask the
authoritative nameservers for a zone, rather than simply expecting other
resolvers to do the work for them. You could then just put all the AD
stuff in a subdomain and delegate that subdomain as a subzone to the
Microsoft DNS servers. Iterative resolvers will see the delegation, and
subsequent queries for names in the domain will use the Microsoft DNS
servers, for as long as that delegation information persists in the
iterative resolver's cache. Unfortunately, while it's theoretically
*possible* to configure every AD client with its own iterative resolver
(e.g. the Windows version of BIND configured with a hints file), this is
not part of the "standard" AD client model, and would likely be
difficult to manage.
About the best you can do realistically is to put cheap Linux/Unix boxes
in between the clients and your core DNS infrastructure, to provide the
iterative resolution function. Typically such boxes serve other functions
too, e.g. DHCP, web proxy, RADIUS server, etc.
Note that if you have a requirement for all clients to be able to
resolve Internet names, and access to the Internet DNS is forbidden by
your firewalls to a given intermediate resolver, then it can't have a
"pure" iterative resolution function; it would need to be a hybrid of
iterative resolution for certain "internal" parts of the namespace (e.g.
example.com, 10.in-addr.arpa), and global forwarding towards the
Internet (along whatever resolution path your firewalls permit) for
everything else.
- Kevin
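Worked configuration, added here as an illustration and not part of the original reply or of any configuration shipped by ISC or Microsoft: a BIND 9 named.conf for one of the intermediate resolvers Kevin describes (global forwarding toward the Internet, iterative resolution for the internal namespace, so that the delegation of the AD subdomain to the Microsoft DNS servers is followed), with the delegation records the core servers would carry shown in a comment. All names and addresses are assumptions: example.com as the internal domain, corp.example.com as the AD subdomain, 10.0.0.53 as the firewall-permitted forwarder, 10.0.0.10/11 as the core DNS servers and 10.1.0.10/11 as the domain controllers.

```conf
// named.conf on an intermediate resolver (all addresses are assumed).
options {
    directory "/var/named";
    recursion yes;
    // Keep this box from becoming an open resolver: only internal clients.
    allow-query     { 10.0.0.0/8; localhost; };
    allow-recursion { 10.0.0.0/8; localhost; };

    // Everything not covered by a zone statement below is forwarded along
    // the path the firewall permits. "forward only" stops this resolver
    // from falling back to iteration toward Internet roots it cannot reach.
    forwarders { 10.0.0.53; };
    forward only;
};

// Internal namespace: a stub zone fetches the SOA, NS set and glue for
// example.com from the core servers with ordinary queries (no AXFR needed).
// The empty forwarders list switches global forwarding off for this part
// of the tree, so the resolver iterates from those NS records instead,
// and therefore follows the corp.example.com delegation to the Microsoft
// DNS servers by itself, for as long as the delegation stays cached.
zone "example.com" {
    type stub;
    masters { 10.0.0.10; 10.0.0.11; };
    forwarders { };
    file "stub/example.com.db";
};

// Same treatment for the internal reverse tree.
zone "10.in-addr.arpa" {
    type stub;
    masters { 10.0.0.10; 10.0.0.11; };
    forwarders { };
    file "stub/10.in-addr.arpa.db";
};

// For reference, the delegation the core servers carry in their
// example.com zone file (assumed names and addresses), which is what the
// intermediate resolver follows:
//
//   corp.example.com.        IN NS  dc1.corp.example.com.
//   corp.example.com.        IN NS  dc2.corp.example.com.
//   dc1.corp.example.com.    IN A   10.1.0.10    ; glue
//   dc2.corp.example.com.    IN A   10.1.0.11    ; glue
```

Check the file with `named-checkconf` before reloading, and confirm the core servers' `allow-query` admits the intermediate resolvers, since a stub zone is populated by plain SOA/NS queries against the listed masters. Note that a stub zone answers from its own copy of the apex NS records only; every other name under example.com, including everything under corp.example.com, is resolved iteratively and cached like any other recursive answer.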
More information about the bind-users mailing list