>> If you are doing that,
>> then I suggest you find a different way to operate - the AD DC is the
>> security heart of the network, and should be more protected than that.

GR> My AD DC is not directly connected to the internet. It is
GR> behind an internet gateway router which has 53 open and
GR> routing traffic to/from the BIND server on the AD DC.

Nothing unusual about this.

GR> The point of the split DNS and views is exactly to prevent
GR> exposing the internal network to the outside world.

Which, to me at least, means that queries from the world are hitting the BIND server on your AD - which is *exactly* what Andrew was talking about.

...And when someone finds a way to compromise BIND, your AD is also totally compromised. It's probably a lot easier to burn down and rebuild a BIND server vs. your whole AD infrastructure.

I guess this whole branch of the discussion is essentially off-topic, but were I in your shoes, I'd be running a stand-alone BIND server completely separate from the AD for security as well as simplicity purposes. [Or moving the "external" DNS services into a service provider somewhere.]

...Or run it in a VM if you have to. Just don't, IMO, run a world-reachable BIND server as part of AD.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
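The split-horizon setup the thread is arguing about, written out as an added example configuration (not from anyone in the thread, and not Samba's or ISC's own sample): a minimal BIND `named.conf` with an internal and an external view, intended to run on a stand-alone host rather than on the AD DC, as the reply recommends. The zone name `example.com`, the `192.168.0.0/24` internal network and the zone file paths are assumptions for illustration.

```conf
// Added example (not from the thread): split-horizon named.conf for a
// stand-alone BIND host, i.e. NOT the AD DC. Zone name, networks and file
// paths are assumptions for illustration.

acl "internal-nets" { 127.0.0.0/8; 192.168.0.0/24; };

options {
    directory "/var/named";
    // Recursion only for internal clients; the external view below is
    // authoritative-only, so an open resolver is never exposed to the world.
    allow-recursion { "internal-nets"; };
    allow-query { any; };
    // Don't advertise the BIND version via CH TXT "version.bind" lookups.
    version "not disclosed";
};

// Internal view: full records, including the names AD clients need,
// visible only from the LAN.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // internal copy, private addresses
    };
};

// External view: everyone else gets only the public records, no recursion
// and no zone transfers, so internal hostnames are never leaked.
view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public copy, public addresses only
    };
};
```

Validate the file with `named-checkconf` before reloading. Note that with views in use every zone must live inside a view, and that the internal/external split only limits what the outside world can see; it does nothing about the point the reply makes, which is that a compromise of a world-reachable `named` process takes whatever host it runs on with it, so that host should not be the DC.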