My preference? Have all your clients use BIND to resolve DNS (this gives access 
to more advanced features like sortlisting, good query logging, 
blacklisting/redirection through the RPZ mechanism, Anycast, etc.). Set up the 
BIND instances as slaves for the AD zones, and have the AD folks add the BIND 
instances to the apex NS records so that the DCs will trigger fast replication 
to BIND via the NOTIFY extension to the protocol.

I’d never let a regular PC client use Microsoft DNS for resolving DNS. Perish 
the thought!

Note that this approach, if implemented simply, doesn’t scale to large numbers 
of BIND instances (because you don’t want to add dozens or hundreds of apex NS 
records to the zone). Beyond a certain threshold, you’d want to set up a 
multi-level slaving/NOTIFY hierarchy on the BIND side…

- Kevin



----------------------------------------------------------------------
Kevin Darcy
NAFTA Information Security Projects

FCA US LLC
1075 W Entrance Dr,
Auburn Hills, MI 48326
USA

Telephone: +1 (248) 838-6601
Mobile: +1 (810) 397-0103
Email: kevin.da...@fcagroup.com
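The slave-zone layout recommended above, written out as a named.conf fragment. This is an added example, not configuration posted in the thread or shipped by ISC; it reuses the addresses from Jeff's message (192.168.1.1 as the BIND resolver, 192.168.2.1 as the domainA DC, 192.168.3.1 as the domainB DC) and assumes the file paths, the 192.168.0.0/16 client range and the second-tier addresses 192.168.1.2 and 192.168.1.3.

```conf
// Added example for the bind-users thread "Multiple AD domains".
// Addresses 192.168.1.1/2.1/3.1 come from the thread; the rest are assumptions.

options {
    directory "/var/named";
    recursion yes;
    allow-query { 192.168.0.0/16; };        // assumed client range
    allow-transfer { none; };               // overridden per zone below
};

// Query logging, one of the features mentioned as a reason to front AD with BIND.
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 10 size 20m;
        print-time yes;
        severity info;
    };
    category queries { query_log; };
};

// Tier 1: slave the AD zones directly from the DCs. The DC stays the only
// place that accepts dynamic updates; BIND receives every change by
// NOTIFY + zone transfer instead of caching a forwarded answer until TTL expiry.
zone "domainA" IN {
    type slave;
    masters { 192.168.2.1; };
    allow-notify { 192.168.2.1; };          // only the DC may trigger a refresh
    file "slaves/domainA.db";
    // Tier 2 (scaling note from the reply): fan out to further BIND slaves
    // instead of adding every resolver to the AD zone's apex NS set.
    also-notify { 192.168.1.2; 192.168.1.3; };
    allow-transfer { 192.168.1.2; 192.168.1.3; };
};

zone "domainB" IN {
    type slave;
    masters { 192.168.3.1; };
    allow-notify { 192.168.3.1; };
    file "slaves/domainB.db";
    also-notify { 192.168.1.2; 192.168.1.3; };
    allow-transfer { 192.168.1.2; 192.168.1.3; };
};

// Tier 2 resolver (e.g. 192.168.1.2): slave the zones from 192.168.1.1, not
// from the DCs, so the DCs only ever NOTIFY and transfer to the tier-1 host.
// zone "domainA" IN {
//     type slave;
//     masters { 192.168.1.1; };
//     allow-notify { 192.168.1.1; };
//     file "slaves/domainA.db";
// };
```

Two things have to be done on the AD side for this to work: the Windows DNS zone must permit zone transfers to the BIND address (the transfer list is closed by default), and the BIND host must be added to the zone's apex NS records, because Windows DNS sends NOTIFY to the servers listed there. Two caveats worth checking before rollout: in an AD forest the `_msdcs.<forest root>` namespace is normally its own zone and must be slaved separately, and `allow-notify` only restricts extra NOTIFY sources, since BIND always accepts NOTIFY from the listed masters. With the zones slaved, the `forward only` stanzas from the earlier message are no longer needed for these two domains.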

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff Sadowski
Sent: Wednesday, July 27, 2016 3:00 PM
To: bind-users@lists.isc.org
Subject: Re: Multiple AD domains

Should I set up 192.168.1.1 as a slave for these two domains? Would that fix it?

On Wed, Jul 27, 2016 at 12:56 PM, Jeff Sadowski <jeff.sadow...@gmail.com> wrote:
On the samba mailing list they described setting up the DC as the NS and 
forwarding to another machine for more rules.
This will work fine for one domain. Now let's say I have 2 domains.

If I setup forwarders like so on 192.168.1.1

zone "domainA" IN { type forward; forward only; forwarders { 192.168.2.1; }; };
zone "domainB" IN { type forward; forward only; forwarders { 192.168.3.1; }; };

It will cache entries for each domain, and if a computer gets a different 
address from DHCP it will update on the domain's DNS, but the DNS on 192.168.1.1 
will have a cached entry until it expires.

192.168.2.1 and 192.168.3.1 are set up to forward all zones other than their 
own domain names to 192.168.1.1.

If I have the DNS server set for all machines in domainA to 192.168.2.1, all 
machines on domainA see any DNS changes to domainA immediately, but machines on 
domainB are cached and can take time to clear out.
And
if I have the DNS server set for all machines in domainB to 192.168.3.1, all 
machines on domainB see any DNS changes to domainB immediately, but machines on 
domainA are cached and can take time to clear out.

What is the best way to resolve this issue?


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
