Private & separate DNS domains

Jason Brandt jbrandt at fsmail.bradley.edu
Tue Apr 8 10:55:35 UTC 2014


I have ours set up with AD as a stub, and then point all our clients to our
bind servers as resolvers.  Works well.


On Tue, Apr 8, 2014 at 5:08 AM, Bryan Harris <bryanlharris at me.com> wrote:

> Hello all,
>
> We have a sort of private DNS such that servers can look up zones that
> don't actually exist in the real, public DNS, they just exist within our
> private NOCs.  In addition, we have always had both Windows AD handling the
> Windows side of things and we have had BIND handling Linux.
>
> When the BIND servers don't know about a domain, they forward to a public
> server such as Google's 8.8.8.8 thing.  For some reason the Windows guys
> aren't allowed that option on their DNS (I believe it's a security
> requirement), so any Windows server that DOES need public DNS resolution
> always has a BIND server listed in the TCP/IP properties of the network
> interface (from what I have seen, it's usually not the first DNS server in
> the list).
>
> Anyway, up until now Windows servers primarily got DNS answers via AD
> (except as mentioned above), and Linux servers via the BIND servers.
> Recently, however, we have enabled AD authentication on Linux, meaning the
> Linux servers need to know about the AD domains (well, they need to know
> about the kerberos and ldap service records and whatnot).
>
> The current mechanism is to put the Windows AD server into the resolv.conf
> BEFORE the BIND servers, since, as has been explained to me a Linux server
> will perform a query against all three simultaneously (that doesn't
> immediately ring true to me, it's just what I was told).  While this does
> seem to work, I've been wondering if it would be of any benefit to instead
> let the BIND servers know about the AD zones in some way, allowing us to
> continue with our "Linux sends all queries to BIND" methodology.
>
> As I understand BIND could be theoretically doing conditional forwarding,
> or it could use stub zones, or perhaps could be a slave with AD as the
> master.  Is it just as well to leave things alone?  Or would one of these
> be preferable to its current setup?  Any advice or guidance would be
> greatly appreciated.
>
> Thanks in advance.
>
> V/r,
> Bryan
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>



-- 
Jason K. Brandt
Systems Administrator
Bradley University
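The three options Bryan lists (conditional forwarding, a stub zone, a slave of AD) as a named.conf fragment. This is an added example, not configuration posted by either participant; ad.example.com and the addresses 10.0.0.11 / 10.0.0.12 are placeholders for the AD domain and its domain controllers, and the assumption is that the internal zones are not DNSSEC-signed.

```conf
// Added example (not from the thread): three ways to make a BIND resolver
// answer for an AD domain.  ad.example.com is the AD DNS domain and
// 10.0.0.11 / 10.0.0.12 are the domain controllers; all are placeholders.
// Use ONE of the three stanzas per zone; they are shown together only
// for comparison.

options {
    directory "/var/named";
    recursion yes;
    allow-query { 10.0.0.0/8; };
    // Anything BIND has no zone stanza for goes to the public resolvers
    // the thread mentions.
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward first;          // fall back to full recursion if they fail
    // Assumption: internal zones are unsigned.  A validating resolver
    // cannot prove an unsigned private zone is an insecure delegation of
    // its (signed) public parent, so validation must be off for them.
    dnssec-validation no;
};

// 1) Conditional forwarding: BIND holds no data; every query under
//    ad.example.com is sent to the DCs.  Needs nothing on the AD side.
zone "ad.example.com" {
    type forward;
    forward only;           // never recurse to the public root for this name
    forwarders { 10.0.0.11; 10.0.0.12; };
};

// 2) Stub zone: BIND fetches only the NS/SOA set from the DCs and then
//    iterates to those servers itself.  No zone transfer is needed.
// zone "ad.example.com" {
//     type stub;
//     masters { 10.0.0.11; 10.0.0.12; };
//     file "stub/ad.example.com";
// };

// 3) Slave (secondary) copy: BIND serves the zone itself.  Requires
//    "Allow zone transfers" to this server on the AD zone; dynamic
//    updates still go to AD, BIND only holds a read-only copy.
// zone "ad.example.com" {
//     type slave;
//     masters { 10.0.0.11; 10.0.0.12; };
//     file "slaves/ad.example.com";
//     allow-update { none; };
// };

// _msdcs.<forest root> is a separate zone in AD (delegated from the
// forest-root zone), so it needs its own stanza of whichever type you
// chose above, or the _ldap._tcp.dc._msdcs SRV lookups will miss.
zone "_msdcs.ad.example.com" {
    type forward;
    forward only;
    forwarders { 10.0.0.11; 10.0.0.12; };
};
```

Check the file with `named-checkconf` before reloading, then confirm from a Linux client that the records the Kerberos/LDAP clients need resolve through BIND alone, e.g. `dig @<bind-server> _kerberos._tcp.ad.example.com SRV` and `dig @<bind-server> _ldap._tcp.dc._msdcs.ad.example.com SRV`. One operational point in favour of any of the three over listing a DC first in resolv.conf: the glibc stub resolver tries the nameserver entries in order and only moves to the next after a timeout, so an unreachable DC at the top of the list delays every lookup on that host rather than being queried in parallel.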