Enterprise DNS Architecture - AD and BIND

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Nov 9 10:01:31 UTC 2016


>On Wed, Nov 09, 2016 at 01:11:16AM +0000, Baird, Josh wrote:
>> I'm not quite sure why you would have your caching servers forward to
>> other DNS servers (Google, OpenDNS, etc).  I would enable recursion
>> on them  and would not forward anything.  I would also consider
>> making these caching servers at each location slave your *internal*
>> authoritative zones (or views) to override recursion.

On 08.11.16 17:15, Ray Van Dolson wrote:
>A couple thoughts on this:
>
>1) The external caches tend to be pretty "close" latency wise and
>   presumably have a very large cache to pull from.  My belief is we'd
>   probably see lower average response times for queries *not* already
>   cached this way....
>
>2) Security folks prefer external access to fewer IP's.  Simpler red
>   tape wise I guess.

I don't know how big security is to rely on an external DNS provider you don't
have a contract with...

A shorter path should make for better results, and forwarding makes the path longer...

If you are going the multi-AD way, simply forward requests from AD to a
few BIND caching servers (slaving your internal zones) that will have access
to the outside.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
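The layout suggested above, written out as a per-site BIND caching server configuration; this is an added example, not a config from the thread, and the ACL ranges, zone name, domain-controller addresses and file paths are assumed placeholders:

```conf
// Per-site BIND resolver: recurses on its own (no forwarders) and
// slaves the internal AD zone so internal names are answered locally.
// Addresses and the zone name below are placeholders, not real values.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/cache/bind";
    recursion yes;
    // Only internal clients may query or recurse; an open resolver
    // on a host with outside access is an amplification risk.
    allow-query     { internal; };
    allow-recursion { internal; };
    // Deliberately no "forwarders" block: this server walks the
    // hierarchy from the root hints itself instead of relying on a
    // third-party resolver.
    dnssec-validation auto;
};

// The AD-integrated zone, transferred from the domain controllers.
// The DCs must be configured to permit zone transfers to this host.
zone "corp.example" {
    type slave;
    masters { 10.1.0.10; 10.1.0.11; };
    file "slave/corp.example.db";
    // Do not re-publish the internal zone to anyone else.
    allow-transfer { none; };
};
```

On the AD side, the domain controllers' DNS service is then pointed at these BIND hosts as its forwarders (for example with `Set-DnsServerForwarder -IPAddress <bind hosts> -UseRootHint $false` on Windows Server), so only the BIND caches need outbound DNS access through the firewall.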

