BIND and AD DNS

Kevin Darcy kcd at chrysler.com
Thu Jan 10 03:12:13 UTC 2008


Beavis wrote:
> Greetings Folks!
>
>    Needed some help on setting up BIND to work with Active Directory
> DNS. Most of the resources that are available via Microsoft suggest
> that I use BIND to provide dynamic updates, but I'm currently looking
> for a more straightforward way of doing it without having BIND do the
> work on behalf of AD DNS. I would like to have BIND resolve queries
> for both Internet and my local non-AD domains; if an AD-integrated
> server/workstation would query an AD zone (ex. domain.corp) I would
> like to divert that directly to the AD DNS servers.
>
> Would this be a possible scenario? I know that you can set up
> forwarders, but this is more of a general way of forwarding queries.
> I'm leaning toward a more zone-related query.
Well, you can't really "divert" a stub resolver to use different 
upstream resolvers for different parts of the namespace. Stub resolvers 
are, after all, by definition, only capable of using a _static_ set of 
upstream resolvers for _all_ resolution. They're dumb.

The only things that you can really "divert" are iterative resolvers, 
ones that are smart enough to follow delegations and go ask the 
authoritative nameservers for a zone, rather than simply expecting other 
resolvers to do the work for them. You could then just put all the AD 
stuff in a subdomain and delegate that subdomain as a subzone to the 
Microsoft DNS servers. Iterative resolvers will see the delegation, and 
subsequent queries for names in the domain will use the Microsoft DNS 
servers, for as long as that delegation information persists in the 
iterative resolver's cache. Unfortunately, while it's theoretically 
*possible* to configure every AD client with its own iterative resolver 
(e.g. the Windows version of BIND configured with a hints file), this is 
not part of the "standard" AD client model, and would likely be 
difficult to manage.

About the best you can do realistically is put cheap Linux/Unix boxes in 
between the clients and your core DNS infrastructure, which will provide 
the iterative resolution function. Typically such boxes serve other 
functions too, e.g. DHCP, web proxy, RADIUS server, etc.

Note that if you have a requirement for all clients to be able to 
resolve Internet names, and access to the Internet DNS is forbidden by 
your firewalls to a given intermediate resolver, then it can't have a 
"pure" iterative resolution function; it would need to be a hybrid of 
iterative resolution for certain "internal" parts of the namespace (e.g. 
example.com, 10.in-addr.arpa), and global forwarding towards the 
Internet (along whatever resolution path your firewalls permit) for 
everything else.

                           - Kevin
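As an added example (not Kevin's or the list's own configuration), a named.conf for the hybrid intermediate resolver described above: authoritative for the internal zones, iterating for the delegated AD subdomain, and forwarding everything else. The subdomain ad.example.com, the domain controller names and every address are assumed values.

```conf
// Intermediate BIND resolver (constructed example, hypothetical addresses).
options {
    directory "/var/named";
    recursion yes;
    // Only internal clients may use this box as their resolver.
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    // Anything not matched by a zone statement below is sent along the
    // resolution path the firewall permits (constructed upstream address).
    forwarders { 192.0.2.53; };
    forward only;
};

// Internal parent zone, served locally. Its zone file carries the
// delegation of the AD subdomain to the Microsoft DNS servers, e.g.:
//   ad      IN NS  dc1.ad.example.com.
//   ad      IN NS  dc2.ad.example.com.
//   dc1.ad  IN A   10.0.0.10      ; glue: the NS names sit inside
//   dc2.ad  IN A   10.0.0.11      ; the delegated subdomain
zone "example.com" {
    type master;
    file "example.com.zone";
};

// Reverse zone for the internal RFC 1918 space, also served locally.
zone "10.in-addr.arpa" {
    type master;
    file "10.in-addr.arpa.zone";
};

// A zone-level "forward" statement overrides the global forwarders.
// An empty forwarders list disables forwarding for this name and below,
// so BIND resolves it iteratively and follows the delegation above
// straight to the Microsoft DNS servers instead of asking the upstream.
zone "ad.example.com" {
    type forward;
    forwarders { };
};
```

Without the empty-forwarders zone, BIND would hand queries for ad.example.com to the global forwarder, which cannot see the internal delegation; the zone statement is what turns the "pure" forwarder into the hybrid Kevin describes.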

More information about the bind-users mailing list