Enterprise DNS Architecture - AD and BIND

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Nov 9 09:55:43 UTC 2016 

On 08.11.16 16:09, Ray Van Dolson wrote:
>What I'm thinking:

>- Have an AD server at every location we have a BIND server.  This way
>  client machines talk DNS *only* to AD servers so Dynamic DNS &
>  friends work reliably.  AD servers would then forward to BIND servers
>  as needed.

This could work, multiple AD servers could give you more services than just
BIND (if you need them).

In fact AD servers don't really need to forward to BIND servers, unless you
of course run something special on forwarders.

>    + Alternative: Configure clients to do DNS updates via DHCP Option
>      81, etc. instead of via Dynamic DNS.  This would allow clients to
>      point at BIND and take advantage of Anycast for resiliency and I
>      avoid needing to figure out how to make BIND pass RFC 2136
>      requests on from clients to AD reliably...

Even a better idea...

>- Caching Servers will be the same configuration no matter where they
>  are, and do the same things:
>
>    + "." will forward out to OpenDNS or Google, etc. for Internet
>      lookups.

Don't do that - your caching servers should do their own recursion and not
rely on public DNS servers.

>    + Will be a "slave" for all AD owned domains.  Thought here is
>      better client response times and fewer issues w/ TTL and cache
>      and better resiliency...

this might be a problem, using multiple AD servers is AFAIK not possible
(they don't have consistent data, so using *XFR is unreliable) so each
caching server will only rely on one AD server

>        - Alternative: Leave these as static-stub, but now I made need
>          logic in Ansible or whereever to point to "nearby" AD servers
>          depending on where the BIND server lives to keep response
>          times low when things aren't cached.  That or not care about
>          latency...

BIND does measure latency on its own, so providing all AD servers in
configuration should not be a problem

>    + Will be a "slave" for all of the split-view zones (only for the
>      "internal" view).  Could do static-stub here as well, but think
>      slave may serve us better for similar reasons as w/ AD.

>    + I can introduce my split view zones for VPN here as well.  I
>      haven't thought this one through fully yet, but am hopeful I
>      don't need to fully duplicate the zones above and could instead
>      forward queries from one view to another........
>
>- Authoritative BIND Servers mostly stay as-is aside from needing to be
>  configured to send notify's out to caching servers and proper FW
>  access maintained for AXFR.

if you have authoritative zones that are important to you, better slave them
and send notifies... that will give you better performance and faster
propagation of changes. 

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...

More information about the bind-users mailing list