Peaceful coexistence with Windows domain

Kevin Darcy kcd at chrysler.com
Fri Mar 13 03:44:41 UTC 2009


You mean, other than the fact that MS-DNS is an inferior DNS 
implementation and, as pointed out in the original post, would need to 
forward all queries for names outside of the AD zones?

- Kevin


Ben Bridges wrote:
> > If I dump the delegation and make an MX record in the master, mail
> > will be OK, but then no one can query records in that zone because it's not
> > actually delegated unless they point at MS-DNS.
> Is there a reason why you can't point all of your internal hosts (AD 
> and non-AD) at your AD's for resolution?
>
> ------------------------------------------------------------------------
> *From:* bind-users-bounces at lists.isc.org on behalf of Peter Laws
> *Sent:* Thu 3/12/2009 4:51 PM
> *To:* bind-users at isc.org
> *Subject:* Peaceful coexistence with Windows domain
>
> Our environment includes a couple of AD servers.  They serve DNS to PCs
> using AD (but not all PCs).  They allow DDNS for clients and slave the rest
> of our environment's zones.  For some reason, they *forward* every other
> query to us, but never mind that.  Look it up your own damn ... well, never
> mind.
>
> At any rate, we don't actually delegate "their" zone to them.  This causes
> problems, as you can imagine.
>
> I'm told that the reason we're doing things this way is that we don't want
> any of those "internal addresses" to be queried by the unwashed masses
> lurking outside our perimeter.
>
> So my thought was, well, let's delegate the zone to the AD servers.  Since
> they are already ACLed (or whatever MS calls it), no one will be able to
> see "their" records off-campus but on-campus folks will be able to
> (finally) resolve addresses in that zone regardless of where they point
> (internally) for DNS.
>
> Except that they need an MX record for that zone.
>
> So adding the NS record to delegate the zone to them properly meant that no
> one could see the MX from the outside (since the MS-DNS is ACLed).
>
> If I dump the delegation and make an MX record in the master, mail will be
> OK, but then no one can query records in that zone because it's not
> actually delegated unless they point at MS-DNS.
>
> We thought of slaving that zone on the master, but then we run into
> security, who doesn't want any of that "internal information" leaked out.
> No problem, since we're slaving the zone, we'll pop an ACL on it.  Problem
> solved!  Hurray.
>
> Except for that MX record.
>
> Once you delegate a zone, you *delegate* the zone.  The MX is invisible.
>
>
> So my requirements are to 1) allow that MX record to be seen "outside", 2)
> allow any host in our environment to be able to query names in any zone
> regardless of which system they point at for DNS, and 3) not have any
> records in that zone be visible "outside" save for that MX.
>
> I'm assuming that switching our configuration to use views would help, but
> we'd like to avoid that, at least for now.
>
> Any quick fixes?
>
> I checked, and per the MS-People, MS-DNS cannot put ACLs on particular
> records.  Neither can BIND, so no surprise there.
>
> Which rock do I need to look under?
>
> --
> Peter Laws / N5UWY
> National Weather Center / Network Operations Center
> University of Oklahoma Information Technology
> plaws at ou.edu
> -----------------------------------------------------------------------
> Feedback? Contact my director, Craig Cochell, craigc at ou.edu. Thank you!
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
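The views approach the original poster mentions, written out as a BIND 9 named.conf excerpt. This is an added example, not configuration from anyone in the thread or from the university in question; the zone name "ad.example.edu", the address ranges, the AD server addresses and the file paths are all placeholders. It meets the three stated requirements by serving two different copies of the same zone name: campus clients get the zone slaved from MS-DNS, everyone else gets a hand-maintained zone holding only SOA, NS and the MX.

```conf
// named.conf excerpt (added example; every name, address and path is a placeholder).
// Requirements from the post: (1) the MX is visible from outside, (2) any campus
// host can resolve the AD zone whichever resolver it points at, (3) nothing else
// in the AD zone is visible from outside.

acl "campus" { 10.0.0.0/8; 192.0.2.0/24; localhost; };   // assumed internal ranges

// Address list for the MS-DNS servers we slave from (a 'masters' list, not an acl).
masters "ad-servers" { 10.1.1.10; 10.1.1.11; };

options {
    directory "/var/named";
    allow-transfer { none; };     // no zone transfers out unless a zone says otherwise
};

// Views are tried in order and the first match-clients hit wins, so the
// restricted campus view must precede the catch-all external view.
view "internal" {
    match-clients { campus; };
    recursion yes;

    // Slave the AD zone from MS-DNS so campus hosts that point at BIND
    // resolve AD names; the MS-DNS side must allow transfers to this server.
    zone "ad.example.edu" {
        type slave;
        masters { ad-servers; };
        file "slave/ad.example.edu.db";
        allow-query { campus; };        // never answer this copy to outsiders
        allow-transfer { none; };
    };

    // All other internal zones must also live inside a view once views exist.
};

view "external" {
    match-clients { any; };
    recursion no;

    // Same zone name, different data: a static file containing only SOA, NS
    // and the MX, plus the address of the mail exchanger if that host's name
    // is inside the AD zone (outsiders have no other way to resolve it).
    zone "ad.example.edu" {
        type master;
        file "external/ad.example.edu.db";
        allow-transfer { none; };
    };
};

// Contents of external/ad.example.edu.db (placeholder values):
//
//   $TTL 3600
//   @    IN SOA ns1.example.edu. hostmaster.example.edu. (
//                 2009031301 3600 900 1209600 3600 )
//        IN NS  ns1.example.edu.
//        IN NS  ns2.example.edu.
//        IN MX  10 mail.ad.example.edu.
//   mail IN A   203.0.113.25     ; public address of the mail exchanger
```

Two things to check before relying on this. First, the parent zone's delegation for the AD zone must point at the BIND servers, not at MS-DNS, so that outside queries land in the external view; campus hosts that point at the AD servers keep getting answers directly from them. Second, BIND requires every zone statement to sit inside a view once any view is defined, so the existing zones have to move into the internal view (and, where they are meant to be public, the external one) at the same time.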



