Peaceful coexistence with Windows domain

Frank Pikelner frank.pikelner at netcraftcommunications.com
Fri Mar 13 15:48:23 UTC 2009


On Thu, 2009-03-12 at 16:51 -0500, Peter Laws wrote:
> Our environment includes a couple of AD servers.  They serve DNS to PCs 
> using AD (but not all PCs).  They allow DDNS for clients and slave the rest 
> of our environment's zones.  For some reason, they *forward* every other 
> query to us, but never mind that.  Look it up your own damn ... well, never 
> mind.
> 
> At any rate, we don't actually delegate "their" zone to them.  This causes 
> problems, as you can imagine.
> 
> I'm told that the reason we're doing things this way is that we don't want 
> any of those "internal addresses" to be queried by the unwashed masses 
> lurking outside our perimeter.
> 
> So my thought was, well, let's delegate the zone to the AD servers.  Since 
> they are already ACLed (or whatever MS calls it), no one will be able to 
> see "their" records off-campus but on-campus folks will be able to 
> (finally) resolve addresses in that zone regardless of where they point 
> (internally) for DNS.
> 
> Except that they need an MX record for that zone.
> 
> So adding the NS record to delegate the zone to them properly meant that no 
> one could see the MX from the outside (since the MS-DNS is ACLed).
> 
> If I dump the delegation and make an MX record in the master, mail will be 
> OK, but then no one can query records in that zone because it's not 
> actually delegated unless they point at MS-DNS.
> 
> We thought of slaving that zone on the master, but then we run into 
> security, who doesn't want any of that "internal information" leaked out. 
> No problem, since we're slaving the zone, we'll pop an ACL on it.  Problem 
> solved!  Hurray.
> 
> Except for that MX record.
> 
> Once you delegate a zone, you *delegate* the zone.  The MX is invisible.
> 
> 
> So my requirements are to 1) allow that MX record to be seen "outside", 2) 
> allow any host in our environment to be able to query names in any zone 
> regardless of which system they point at for DNS, and 3) not have any 
> records in that zone be visible "outside" save for that MX.
> 
> I'm assuming that switching our configuration to use views would help, but 
> we'd like to avoid that, at least for now.
> 
> Any quick fixes?
> 
> I checked, and per the MS-People, MS-DNS cannot put ACLs on particular 
> records.  Neither can BIND, so no surprise there.
> 
> Which rock do I need to look under?
> 


My suggestion would be to have your internal hosts register themselves
with your internal DNS servers (Windows AD/DNS servers as in your case
should be fine if that is what you use). Next, create your zones that
you wish to publish to the outside world on either the same or another
(preferred) internal DNS master server (BIND). The servers that you will be
exposing to the Internet in a DMZ should then be configured as slaves
and pull their zones from the internal master (through a firewall). Your
internal systems should use the internal DNS servers (Windows AD/DNS) to
resolve your internal services and if outside queries need to be
performed then they should be forwarded by the internal DNS servers to
the DNS slaves in the DMZ, who in turn would recursively resolve the
queries on the Internet. 

Cheers,

Frank
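The layout Frank describes, written out as a pair of BIND `named.conf` fragments and the matching zone file. This is an added illustration, not configuration from the original thread or from either poster: the addresses (internal master 10.0.0.53, DMZ slaves 192.0.2.10 and 192.0.2.11, internal network 10.0.0.0/8), the zone name `example.com`, and the file paths are all placeholders chosen for the example. The internal AD/DNS servers are not shown; they keep the AD zone and simply forward everything else to the DMZ slaves.

```conf
// ===== Internal BIND master (10.0.0.53, placeholder address) =====
// Holds ONLY the data meant for the Internet (the MX, public web hosts, ...).
// Internal hosts register in the AD/DNS zone instead and never appear here.

acl dmz_slaves { 192.0.2.10; 192.0.2.11; };   // placeholder DMZ addresses

options {
    directory "/var/named";
    recursion no;                               // authoritative only
    allow-query    { localhost; dmz_slaves; };  // nothing else needs to ask this box
    allow-transfer { dmz_slaves; };             // AXFR/IXFR only towards the DMZ
    notify yes;
    also-notify    { 192.0.2.10; 192.0.2.11; };
};

zone "example.com" {
    type master;
    file "master/example.com.external";
};

// ----- master/example.com.external (constructed zone data) -----
// $TTL 3600
// @   IN SOA  ns1.example.com. hostmaster.example.com. (
//             2009031301 3600 900 1209600 3600 )
//     IN NS   ns1.example.com.
//     IN NS   ns2.example.com.
//     IN MX   10 mail.example.com.        ; the record that must be visible outside
// ns1  IN A   192.0.2.10
// ns2  IN A   192.0.2.11
// mail IN A   192.0.2.25
// (no workstation or AD records here: those live only in the AD zone)

// ===== DMZ slave (192.0.2.10; 192.0.2.11 is identical apart from its address) =====
// Authoritative for the public zone towards the Internet, recursive ONLY for the
// internal AD/DNS servers that forward to it.

acl internal_forwarders { 10.0.0.0/8; };        // placeholder internal range

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal_forwarders; };   // Internet clients get no recursion
    allow-query     { any; };                   // ... but may query the public zone
    allow-transfer  { none; };                  // never hand the zone out again
};

zone "example.com" {
    type slave;
    masters { 10.0.0.53; };                     // pulled through the firewall
    file "slave/example.com";
};
```

The firewall between the two tiers needs to pass DNS (TCP and UDP port 53) from the DMZ slaves to the internal master for zone transfers, and from the internal AD/DNS servers to the DMZ slaves for the forwarded queries; nothing on the Internet ever reaches the internal master. With this split, an outside resolver querying the DMZ sees the MX (and only what is in the external zone file), while an internal client that points at AD/DNS still resolves the MX because its forwarder asks the DMZ slave, which is authoritative for it. On the Windows side, the forwarder list is set with `dnscmd /ResetForwarders` or in the DNS Manager console.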


