BIND integration with windows DNS

Phil Mayers p.mayers at imperial.ac.uk
Tue Jul 27 07:11:21 UTC 2010


On 07/27/2010 07:10 AM, Arnoud Tijssen wrote:
> I'm facing kind of a challenge. At the moment we have BIND and
> windows DNS within our corporate network.
>
> I would like to get rid of windows DNS and switch completely over to
> BIND, but since DNS is so intertwined with AD this is not an option
> since it probably introduces more problems than it solves

You can do it. We run a large AD domain with DNS completely on bind.

>
> So my next option was to delegate all the windows specific subdomains
> (i.e. _tcp.example.com, _udp.example.com, _sites.example.com,
> _msdcs.example.com etc.) to windows DNS for dynamic updates and let

You can run these on bind too (we do). Since updates to these special 
zones are by AD controllers only, you can use IP-based update policies. 
Obviously this is less secure.

Recent versions of bind also have GSSAPI (secure update) support. It 
seems pretty sparsely documented though.

> the main domain, .example.com, reside on BIND. After setting up BIND
> and windows DNS and removing the main domain entry from the windows
> DNS servers, leaving only the windows specific subdomains, and
> pointing the dns resolvers of windows to the BIND servers the windows
> clients were unable to register themselves within DNS and AD
> properly. It seems the clients register themselves in the main zone
> file of the domain, which resides on BIND.

Yes. This is windows default behaviour. You can turn this off in group 
policy, or again, recent versions of bind support GSSAPI and you can have 
the clients do secure update. The problem is that bind does not have the 
garbage collection support that windows DNS does for client registrations.

>
> Since I don't want all dynamic updates from windows clients polluting
> my main zone file, but still want one primary DNS serving the main
> domain instead of two, BIND and windows, what it is the best option
> if there is one.

Sorry - I don't follow. You say you don't want windows clients updating 
the zone, and they're not. So what's the problem (i.e. what have I 
misunderstood)?
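As an added example (not from the original post, and not ISC's own documentation), a BIND 9 named.conf fragment showing both approaches Phil describes for the AD-specific subzones, with the main zone kept static. Addresses, file paths, the Kerberos realm and the zone names are assumed placeholders.

```conf
// Added example: the two update models from the reply above.
// All addresses, paths, realm and zone names are constructed placeholders.

// Domain controllers that are allowed to send dynamic updates.
acl "ad-dcs" { 192.0.2.10; 192.0.2.11; };

// Option 1: IP-based update policy. The source address is the only
// check, so a host that can send packets with a DC address can update
// the zone. Keep the ACL to the DCs themselves and keep these zones
// separate from example.com so DC updates never touch the main zone.
zone "_msdcs.example.com" {
    type master;
    file "dynamic/_msdcs.example.com.db";
    allow-update { ad-dcs; };
};

// Option 2: GSS-TSIG (secure update). Needs a keytab for the
// DNS/<server fqdn>@REALM principal. tkey-gssapi-keytab is the
// BIND 9.8+ option; older releases used tkey-gssapi-credential
// together with tkey-domain. Merge into your existing options block.
options {
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

zone "_sites.example.com" {
    type master;
    file "dynamic/_sites.example.com.db";
    update-policy {
        // A DC authenticated as machine$@EXAMPLE.COM may update any
        // name below this zone; the Kerberos identity replaces the IP check.
        grant EXAMPLE.COM ms-subdomain _sites.example.com. ANY;
    };
};

// Main zone stays static: no allow-update or update-policy, so Windows
// clients attempting their default self-registration are refused and
// nothing accumulates in example.com.
zone "example.com" {
    type master;
    file "static/example.com.db";
};
```

Refused client updates will show up in the BIND logs (the update category), which is a useful way to confirm that the group-policy change to disable client registration has actually taken effect.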


