Peaceful coexistence with Windows domain

Ben Bridges bbridges at springnet.net
Fri Mar 13 22:18:53 UTC 2009


Inferior as MS-DNS may be, it is my experience that taking dns away from
AD admins is like trying to take a bone away from a pit bull.  And it
sounds like the AD's already are forwarding requests to the BIND servers
(or performing recursive lookups, one of the two).  So the only change I
was suggesting was to have all internal hosts use the AD's for
resolution so that they could then sanitize the zone on their BIND
servers.  That's not the ideal solution (and perhaps not even a
particularly good one), but I didn't think installing additional BIND
servers (etc.) for their non-AD internal hosts would qualify as a
"quick" fix (which is what he asked for).

Ben


> -----Original Message-----
> From: bind-users-bounces at lists.isc.org 
> [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Kevin Darcy
> Sent: Thursday, March 12, 2009 10:45 PM
> To: bind-users at isc.org
> Subject: Re: Peaceful coexistence with Windows domain
> 
> You mean, other than the fact that MS-DNS is an inferior DNS 
> implementation and, as pointed out in the original post, 
> would need to forward all queries for names outside of the AD zones?
> 
> - Kevin
> 
> 
> Ben Bridges wrote:
> > > If I dump the delegation and make an MX record in the master, mail
> > > will be OK, but then no one can query records in that zone because
> > > it's not actually delegated unless they point at MS-DNS.
> > Is there a reason why you can't point all of your internal hosts (AD
> > and non-AD) at your AD's for resolution?
> >
> > *From:* bind-users-bounces at lists.isc.org on behalf of Peter Laws
> > *Sent:* Thu 3/12/2009 4:51 PM
> > *To:* bind-users at isc.org
> > *Subject:* Peaceful coexistence with Windows domain
> >
> > Our environment includes a couple of AD servers.  They serve DNS to
> > PCs using AD (but not all PCs).  They allow DDNS for clients and slave
> > the rest of our environment's zones.  For some reason, they *forward*
> > every other query to us, but never mind that.  Look it up your own
> > damn ... well, never mind.
> >
> > At any rate, we don't actually delegate "their" zone to them.  This 
> > causes problems, as you can imagine.
> >
> > I'm told that the reason we're doing things this way is that we don't
> > want any of those "internal addresses" to be queried by the unwashed
> > masses lurking outside our perimeter.
> >
> > So my thought was, well, let's delegate the zone to the AD servers.
> > Since they are already ACLed (or whatever MS calls it), no one will be
> > able to see "their" records off-campus but on-campus folks will be
> > able to (finally) resolve addresses in that zone regardless of where
> > they point (internally) for DNS.
> >
> > Except that they need an MX record for that zone.
> >
> > So adding the NS record to delegate the zone to them properly meant 
> > that no one could see the MX from the outside (since the MS-DNS is 
> > ACLed).
> >
> > If I dump the delegation and make an MX record in the master, mail 
> > will be OK, but then no one can query records in that zone because 
> > it's not actually delegated unless they point at MS-DNS.
> >
> > We thought of slaving that zone on the master, but then we run into
> > security, who doesn't want any of that "internal information" leaked
> > out.  No problem, since we're slaving the zone, we'll pop an ACL on
> > it.  Problem solved!  Hurray.
> >
> > Except for that MX record.
> >
> > Once you delegate a zone, you *delegate* the zone.  The MX is
> > invisible.
> >
> >
> > So my requirements are to 1) allow that MX record to be seen
> > "outside", 2) allow any host in our environment to be able to query
> > names in any zone regardless of which system they point at for DNS,
> > and 3) not have any records in that zone be visible "outside" save
> > for that MX.
> >
> > I'm assuming that switching our configuration to use views would
> > help, but we'd like to avoid that, at least for now.
> >
> > Any quick fixes?
> >
> > I checked, and per the MS-People, MS-DNS cannot put ACLs on
> > particular records.  Neither can BIND, so no surprise there.
> >
> > Which rock do I need to look under?
> >
> > --
> > Peter Laws / N5UWY
> > National Weather Center / Network Operations Center
> > University of Oklahoma Information Technology
> > plaws at ou.edu
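One way to meet the three requirements in Peter's post without delegating the zone is the views approach he mentions: an internal view that slaves the AD zone from MS-DNS, and an external view that is authoritative for the same name but holds only the apex records. This is an added example, not configuration from the thread; the zone name ad.example.edu, the 10.0.0.0/8 campus prefix, the MS-DNS addresses and the hostnames are all placeholders.

```conf
// named.conf fragment (added example, not from the thread).  Placeholders:
// ad.example.edu is the AD zone, 10.0.0.0/8 is the campus prefix, and
// 10.0.0.10 / 10.0.0.11 are the MS-DNS servers.
acl campus { 10.0.0.0/8; 127.0.0.1; };

// Views are matched in order, so the internal view must come first.
view "internal" {
    match-clients { campus; };
    recursion yes;

    // Requirement 2: slave the full AD zone from MS-DNS, so every campus
    // host resolves names in it whichever resolver it points at.  MS-DNS
    // must permit zone transfers to this server.
    zone "ad.example.edu" {
        type slave;
        masters { 10.0.0.10; 10.0.0.11; };
        file "slaves/ad.example.edu.internal";
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    // Requirements 1 and 3: answer authoritatively for the same name, but
    // from a hand-maintained file holding only SOA, NS and MX.  Nothing
    // internal is in this file, so nothing internal can leak, and no
    // delegation to MS-DNS is ever published to the outside.
    zone "ad.example.edu" {
        type master;
        file "masters/ad.example.edu.external";
        allow-transfer { none; };
    };
};

// ---- contents of masters/ad.example.edu.external (zone file) ----
$TTL 3600
@   IN  SOA ns1.example.edu. hostmaster.example.edu. (
            2009031301  ; serial (constructed)
            3600 900 1209600 3600 )
    IN  NS  ns1.example.edu.
    IN  NS  ns2.example.edu.
    IN  MX  10 mail.example.edu.
```

The external file's NS records must name the BIND servers, never the MS-DNS hosts, since outside resolvers would otherwise be sent to servers that refuse them. Note that a slave zone inside a view is transferred independently of any other view, so the internal copy never overwrites the external file.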