Private & separate DNS domains
jbrandt at fsmail.bradley.edu
Tue Apr 8 10:55:35 UTC 2014
I have ours set up with AD as a stub, and then point all our clients to our
bind servers as resolvers. Works well.
On Tue, Apr 8, 2014 at 5:08 AM, Bryan Harris <bryanlharris at me.com> wrote:
> Hello all,
> We have a sort of private DNS such that servers can look up zones that
> don't actually exist in the real, public DNS, they just exist within our
> private NOCs. In addition, we have always had both Windows AD handling the
> Windows side of things and we have had BIND handling Linux.
> When the BIND servers don't know about a domain, they forward to a public
> server such as Google's 220.127.116.11 thing. For some reason the Windows guys
> aren't allowed that option on their DNS (I believe it's a security
> requirement), so any Windows server that DOES need public DNS resolution
> always has a BIND server listed in the TCP/IP properties of the network
> interface (from what I have seen, it's usually not the first DNS server in
> the list).
> Anyway, up until now Windows servers primarily got DNS answers via AD
> (except as mentioned above), and Linux servers via the BIND servers.
> Recently, however, we have enabled AD authentication on Linux, meaning the
> Linux servers need to know about the AD domains (well, they need to know
> about the kerberos and ldap service records and whatnot).
> The current mechanism is to put the Windows AD server into the resolv.conf
> BEFORE the BIND servers, since, as has been explained to me, a Linux server
> will perform a query against all three simultaneously (that doesn't
> immediately ring true to me, it's just what I was told). While this does
> seem to work, I've been wondering if it would be of any benefit to instead
> let the BIND servers know about the AD zones in some way, allowing us to
> continue with our "Linux sends all queries to BIND" methodology.
> As I understand BIND could be theoretically doing conditional forwarding,
> or it could use stub zones, or perhaps could be a slave with AD as the
> master. Is it just as well to leave things alone? Or would one of these
> be preferable to its current setup? Any advice or guidance would be
> greatly appreciated.
> Thanks in advance.
Jason K. Brandt
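The setup described in the reply (BIND holding the AD domain as a stub zone, Linux clients pointing only at BIND), as an added named.conf example that is not from either poster; the AD domain name, the documentation-range addresses and the network ranges are assumptions, and the commented-out second zone shows the conditional-forwarding alternative the question raises.

```conf
// Assumed names: AD domain "corp.example.test", domain controllers at
// 192.0.2.10 and 192.0.2.11, clients in 10.0.0.0/8, public forwarder
// 203.0.113.53. All of these are placeholders, not values from the thread.

options {
    directory "/var/named";
    recursion yes;
    // only our own clients may use these servers as recursive resolvers
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    // anything we are not authoritative, stub or forward for goes to the
    // public forwarder, as the question describes for the existing BIND servers
    forwarders { 203.0.113.53; };
    forward first;
};

// Option 1 (what the reply describes): a stub zone. BIND fetches only the
// SOA, NS and glue records from the DCs with ordinary queries, so no zone
// transfer is needed (AD blocks AXFR by default, which is why a slave/secondary
// copy of an AD zone usually fails). Lookups for _kerberos._tcp, _ldap._tcp
// and the rest are then sent to the DCs directly, and a delegated
// _msdcs subzone (typical in AD) is followed like any other delegation.
zone "corp.example.test" IN {
    type stub;
    masters { 192.0.2.10; 192.0.2.11; };
    file "stub/corp.example.test.db";
};

// Option 2 (the "conditional forwarding" the question mentions): hand just
// this zone to the DCs. "forward only" stops BIND from retrying the public
// forwarder, which will never hold these private names. Configure one or the
// other for a given zone, never both.
/*
zone "corp.example.test" IN {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};
*/
```

With either form in place, resolv.conf on the Linux hosts lists only the BIND servers, and `dig SRV _kerberos._tcp.corp.example.test @<bind-server>` is a quick check that the AD service records come back through BIND.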