Multiple AD domains

Darcy Kevin (FCA) kevin.darcy at
Wed Jul 27 19:36:13 UTC 2016

My preference? Have all your clients use BIND to resolve DNS (this gives access to more advanced features like sortlisting, good query logging, blacklisting/redirection through the RPZ mechanism, Anycast, etc.). Set up the BIND instances as slaves for the AD zones, and have the AD folks add the BIND instances to the apex NS records so that the DCs will trigger fast replication to BIND via the NOTIFY extension to the protocol.

I’d never let a regular PC client use Microsoft DNS for resolving DNS. Perish the thought!

Note that this approach, if implemented simply, doesn’t scale to large numbers of BIND instances (because you don’t want to add dozens or hundreds of apex NS records to the zone). Beyond a certain threshold, you’d want to set up a multi-level slaving/NOTIFY hierarchy on the BIND side…

- Kevin

Kevin Darcy
NAFTA Information Security Projects

1075 W Entrance Dr,
Auburn Hills, MI 48326

Telephone: +1 (248) 838-6601
Mobile: +1 (810) 397-0103
Email: kevin.darcy at
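A named.conf fragment for the arrangement described above (BIND instances slaving the AD zones from the DCs so that NOTIFY drives immediate refresh), added here as an illustration and not taken from the thread; the IP addresses, zone names, ACL names and file paths are placeholders, and it assumes the DCs are configured to allow zone transfers to the BIND hosts.

```conf
// Added example, not from the thread. All addresses/names are placeholders.
// Uses the classic "slave"/"masters" keywords current in 2016-era BIND.

// Domain controllers that are authoritative (and accept dynamic updates) for each AD domain.
masters "domainA-dcs" { 192.0.2.10; 192.0.2.11; };
masters "domainB-dcs" { 198.51.100.10; 198.51.100.11; };

// Client networks allowed to query/recurse through this BIND instance (placeholder).
acl "clients" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { clients; };
    allow-recursion { clients; };
    // Nothing is forwarded to the DCs: the AD zones below are served
    // authoritatively from the transferred copy, so there is no stale
    // forward-cache problem when a host's DHCP address changes.
};

// One slave zone per AD domain. Because this host is listed in the zone's
// apex NS RRset, the DC sends NOTIFY on every change; the configured masters
// are implicitly allowed to NOTIFY, so no allow-notify clause is needed.
zone "domainA" IN {
    type slave;
    file "slaves/domainA.db";
    masters { domainA-dcs; };
    allow-transfer { none; };   // do not re-export AD zone data to clients
    allow-update   { none; };   // dynamic updates still go to the DCs (SOA MNAME)
};

zone "domainB" IN {
    type slave;
    file "slaves/domainB.db";
    masters { domainB-dcs; };
    allow-transfer { none; };
    allow-update   { none; };
};

// If the forest's _msdcs zone is a separate zone on the DCs (the usual AD
// layout), slave it the same way; otherwise DC locator records are missed.
zone "_msdcs.domainA" IN {
    type slave;
    file "slaves/_msdcs.domainA.db";
    masters { domainA-dcs; };
    allow-transfer { none; };
    allow-update   { none; };
};
```

Verify a transfer actually arrives with `rndc retransfer domainA` and by watching the log for "transfer of 'domainA/IN' ... Transfer completed"; until that succeeds the zone stays unavailable rather than falling back to forwarding.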

From: bind-users [mailto:bind-users-bounces at] On Behalf Of Jeff Sadowski
Sent: Wednesday, July 27, 2016 3:00 PM
To: bind-users at
Subject: Re: Multiple AD domains

Should I set up as slaves to these two domains, would that fix it?

On Wed, Jul 27, 2016 at 12:56 PM, Jeff Sadowski <jeff.sadowski at> wrote:
On the samba mailing list they described setting up the DC as the NS and forward to another machine for more rules.
This will work fine for one domain. Now let's say I have 2 domains.

If I setup forwarders like so on

zone "domainA" IN { type forward; forward only; forwarders {; }; };
zone "domainB" IN { type forward; forward only; forwarders {; }; };

It will cache entries for each domain, and if a computer gets a different address from DHCP it will update on the domain's DNS, but the DNS on will have a cached entry until it expires. and are set up to forward all other zones than their domain names to

If I have the DNS server set for all machines in domainA to , all machines on domainA see any DNS changes to domainA immediately, but machines on domainB are cached and can take time to clear out.
If I have the DNS server set for all machines in domainB to , all machines on domainB see any DNS changes to domainB immediately, but machines on domainA are cached and can take time to clear out.

What is the best way to resolve this issue?
