Private & separate DNS domains

[Bryan Harris]

Hello all,

We have a sort of private DNS such that servers can lookup zones that don’t actually exist in the real, public DNS, they just exist within our private NOCs.  In addition, we have always had both Windows AD handling the Windows side of things and we have had BIND handling Linux.

When the BIND servers don’t know about a domain, they forward to a public server such as google’s 8.8.8.8 thing.  For some reason the Windows guys aren’t allowed that option on their DNS (I believe it’s a security requirement), so any Windows server that DOES need public DNS resolution always has a BIND server listed in the TCP/IP properties of the network interface (from what I have seen, it’s usually not the first DNS server in the list).

Anyway, up until now Windows servers primarily got DNS answers via AD (except as mentioned above), and Linux servers via the BIND servers.  Recently, however, we have enabled AD authentication on Linux, meaning the Linux servers need to know about the AD domains (well, they need to know about the kerberos and ldap service records and whatnot).

The current mechanism is to put the Windows AD server into the resolv.conf BEFORE the BIND servers, since, as has been explained to me a Linux server will perform a query against all three simultaneously (that doesn’t immediately ring true to me, it’s just what I was told).  While this does seem to work, I’ve been wondering if it would be of any benefit to instead let the BIND servers know about the AD zones in some way, allowing us to continue with our “Linux sends all queries to BIND” methodology.

As I understand BIND could be theoretically doing conditional forwarding, or it could use stub zones, or perhaps could be a slave with AD as the master.  Is it just as well to leave things alone?  Or would one of these be preferable to its current setup?  Any advice or guidance would be greatly appreciated.

Thanks in advance.

V/r,
Bryan