Private & separate DNS domains

Jason Brandt jbrandt at
Tue Apr 8 10:55:35 UTC 2014

I have ours set up with AD as a stub, and then point all our clients to our
bind servers as resolvers.  Works well.

On Tue, Apr 8, 2014 at 5:08 AM, Bryan Harris <bryanlharris at> wrote:

> Hello all,
> We have a sort of private DNS such that servers can lookup zones that
> don't actually exist in the real, public DNS, they just exist within our
> private NOCs.  In addition, we have always had both Windows AD handling the
> Windows side of things and we have had BIND handling Linux.
> When the BIND servers don't know about a domain, they forward to a public
> server such as google's thing.  For some reason the Windows guys
> aren't allowed that option on their DNS (I believe it's a security
> requirement), so any Windows server that DOES need public DNS resolution
> always has a BIND server listed in the TCP/IP properties of the network
> interface (from what I have seen, it's usually not the first DNS server in
> the list).
> Anyway, up until now Windows servers primarily got DNS answers via AD
> (except as mentioned above), and Linux servers via the BIND servers.
> Recently, however, we have enabled AD authentication on Linux, meaning the
> Linux servers need to know about the AD domains (well, they need to know
> about the kerberos and ldap service records and whatnot).
> The current mechanism is to put the Windows AD server into the resolv.conf
> BEFORE the BIND servers, since, as has been explained to me, a Linux server
> will perform a query against all three simultaneously (that doesn't
> immediately ring true to me, it's just what I was told).  While this does
> seem to work, I've been wondering if it would be of any benefit to instead
> let the BIND servers know about the AD zones in some way, allowing us to
> continue with our "Linux sends all queries to BIND" methodology.
> As I understand it, BIND could theoretically be doing conditional forwarding,
> or it could use stub zones, or perhaps could be a slave with AD as the
> master.  Is it just as well to leave things alone?  Or would one of these
> be preferable to its current setup?  Any advice or guidance would be
> greatly appreciated.
> Thanks in advance.
> V/r,
> Bryan

Jason K. Brandt
Systems Administrator
Bradley University
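The three options Bryan lists (conditional forwarding, a stub zone, or a secondary/slave zone with AD as the primary) and the stub setup Jason describes, side by side as a named.conf fragment. This is an added example, not configuration from either poster or from Bradley University; the AD domain name `ad.example.com`, the domain-controller addresses `192.0.2.10` and `192.0.2.11`, the file paths and the view name are assumptions. Only one of the three `zone` stanzas for a given name can be active in a single view; the others are shown for comparison. One background fact worth having when weighing "leave resolv.conf alone": the glibc resolver tries the `nameserver` entries in the order listed (up to three), moving to the next only on timeout, so a DC listed first answers everything it can and the BIND servers only see queries the DC fails to answer in time.

```conf
// ---- Global resolver behaviour (assumed baseline) ----
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.0.2.0/24; };   // assumed internal ranges; never open recursion to the world
    // Unknown zones still go to a public forwarder, as the thread describes.
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward first;
    // Caveat: if validation is on and the parent zone is DNSSEC-signed, an
    // unsigned private sub-zone such as ad.example.com will fail validation
    // unless it is excluded from validation (validate-except, BIND 9.13.3+).
    dnssec-validation auto;
};

// ---- Option A: stub zone (what Jason runs) ----
// BIND copies only the SOA/NS records (and glue) from the DCs, then iterates
// to the DCs directly for every name below the zone apex, including the
// delegated _msdcs.ad.example.com sub-zone. No zone transfer permission
// is needed on the AD side; the DCs only have to answer ordinary queries.
zone "ad.example.com" IN {
    type stub;
    masters { 192.0.2.10; 192.0.2.11; };   // "primaries" in BIND 9.16+, same meaning
    file "stub/ad.example.com";
};

// ---- Option B: conditional forwarding ----
// Every query for the zone is handed to the DCs; BIND caches the answers.
// "forward only" stops BIND from falling back to iteration if both DCs
// time out, which is what you want for a name that does not exist publicly
// (a fallback would leak internal hostnames to the public forwarders).
// zone "ad.example.com" IN {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.10; 192.0.2.11; };
// };

// ---- Option C: secondary (slave) with AD as primary ----
// BIND holds a full copy and answers authoritatively. This requires the AD
// zone to permit zone transfers to this server's address (AD DNS refuses
// AXFR by default), and the copy lags dynamic updates on the DCs until
// the next NOTIFY/refresh. Secure dynamic updates from domain members
// still go to AD, not to this copy.
// zone "ad.example.com" IN {
//     type slave;                          // "secondary" in BIND 9.16+
//     masters { 192.0.2.10; 192.0.2.11; };
//     file "slaves/ad.example.com";
//     allow-transfer { none; };            // do not re-export the AD zone
// };
```

Whichever stanza is used, check from a Linux client that the records the AD-join actually depends on resolve through BIND rather than through a DC listed in resolv.conf, for example `dig @bind-server SRV _kerberos._tcp.ad.example.com` and `dig @bind-server SRV _ldap._tcp.dc._msdcs.ad.example.com`, and confirm with `rndc dumpdb -zones` (option A) or a look at the `file` path (option C) that the zone data BIND holds came from the DCs. With the stub or forward options the resolv.conf on Linux can then list only the BIND servers, which keeps the "Linux sends all queries to BIND" model intact and keeps the DCs out of the path for public-name resolution.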