Private & separate DNS domains

Joseph S D Yao jsdy at
Tue Apr 8 11:15:58 UTC 2014

On 2014-04-08 06:08, Bryan Harris wrote:
> Hello all,
> We have a sort of private DNS such that servers can lookup zones that
> don’t actually exist in the real, public DNS, they just exist within
> our private NOCs.  In addition, we have always had both Windows AD
> handling the Windows side of things and we have had BIND handling
> Linux.
> When the BIND servers don’t know about a domain, they forward to a
> public server such as google’s thing.  For some reason the
> Windows guys aren’t allowed that option on their DNS (I believe it’s
> a security requirement), so any Windows server that DOES need public
> resolution always has a BIND server listed in the TCP/IP properties
> of the network interface (from what I have seen, it’s usually not the
> first DNS server in the list).
> Anyway, up until now Windows servers primarily got DNS answers via AD
> (except as mentioned above), and Linux servers via the BIND servers.
> Recently, however, we have enabled AD authentication on Linux,
> meaning the Linux servers need to know about the AD domains (well, they
> need to know about the kerberos and ldap service records and whatnot).
> The current mechanism is to put the Windows AD server into the
> resolv.conf BEFORE the BIND servers, since, as has been explained to
> me a Linux server will perform a query against all three
> simultaneously (that doesn’t immediately ring true to me, it’s just
> what I was told).  While this does seem to work, I’ve been wondering
> if it would be of any benefit to instead let the BIND servers know
> about the AD zones in some way, allowing us to continue with our
> “Linux sends all queries to BIND” methodology.
> As I understand BIND could be theoretically doing conditional
> forwarding, or it could use stub zones, or perhaps could be a slave
> with AD as the master.  Is it just as well to leave things alone?  Or
> would one of these be preferable to its current setup?  Any advice or
> guidance would be greatly appreciated.

You were told wrong about "simultaneously" from /etc/resolv.conf.  It 
uses the first one that gives an answer.  If the first one times out, it 
asks the next and ignores any response from the first, etc.  (If you 
think about it, what happens if two "simultaneously" respond with 
different answers?  If one never responds?)

What we do is have our (separate) Linux/BIND resolving name servers 
forward any queries about internal MSW AD DNS domains to the MSW AD name 
servers, otherwise they do what they would normally do.  Which, for the 
most part, is to recursively resolve starting from the one and only set 
of genuine root servers rather than forwarding to someone else and 
allowing that someone else to put something into our DNS or monitor it.  
Even if they have sworn to do no evil.

The MSW workstations and servers do only look up from the MSW AD 
servers, for some MSW reason that nobody can explain except "MS says 
they have to".  The MSW AD servers forward all DNS queries that they 
cannot resolve to the Linux/BIND resolving name servers.

Joe Yao
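The split Joe describes (BIND resolvers forward only the internal AD domains to the domain controllers and recurse from the root for everything else, with no global forwarder to a third party) looks like the following named.conf fragment. This is an added example, not Joe's configuration or anything from the original thread; the forest name corp.example, the domain controller addresses 10.1.2.3 and 10.1.2.4, the resolver address range 10.0.0.0/8 and the file paths are placeholders.

```conf
// Resolving name server (Linux/BIND), one per NOC.
// Added example with placeholder names; not from the original post.
//   corp.example        - the AD forest root zone (assumed)
//   10.1.2.3, 10.1.2.4  - the AD domain controllers (assumed)
//   10.0.0.0/8          - internal clients, including the DCs (assumed)

options {
    directory "/var/named";
    recursion yes;
    // Only our own hosts may recurse through us (never an open resolver).
    // The DCs must be in this ACL, because they forward everything they
    // cannot answer to these servers.
    allow-recursion { 10.0.0.0/8; localhost; };

    // Weak setting, the "forward to a public server" model the poster
    // describes: every query this server cannot answer itself goes to a
    // third party, which then sees all of it and can answer as it likes.
    //
    //   forward only;
    //   forwarders { 8.8.8.8; 8.8.4.4; };
    //
    // Corrected: no global forwarders at all.  With the root hints below
    // the server resolves public names itself, starting at the root.

    dnssec-validation auto;
    // The AD zones are unsigned and sit under a name that does not exist
    // in the public DNS, so a validating resolver would otherwise treat
    // the forwarded answers as bogus.  validate-except (BIND 9.16 or
    // later) switches validation off below the listed names only.
    validate-except { "corp.example"; };
};

zone "." {
    type hint;
    file "named.root";   // current root hints, refreshed periodically
};

// Conditional forwarding: only names under the AD forest go to the DCs.
// "forward only" means no fallback to recursion when the DCs are down,
// which is correct here: nothing else knows these names anyway.
// _msdcs.corp.example (the SRV records for kerberos/ldap) is a separate
// zone inside AD, but it is below corp.example, so this one forward zone
// covers it as well.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.1.2.3; 10.1.2.4; };
};
```

With this in place the Linux hosts' /etc/resolv.conf lists only the BIND resolvers, and the serial try-then-timeout behaviour Joe describes is tuned with the glibc resolver options (for example `options timeout:1 attempts:2`) rather than by putting a DC first in the list. On the Windows side the matching setting is a server-level forwarder on each AD DNS server pointing at the BIND resolvers with root hints disabled, e.g. `Set-DnsServerForwarder -IPAddress 10.0.0.53,10.0.0.54 -UseRootHint $false` (addresses assumed), so that the DCs hand everything outside AD to BIND and BIND hands everything inside AD back to the DCs, with no loop because each side forwards only what the other is authoritative for.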

More information about the bind-users mailing list