Re: Private separate DNS domains
On 2014-04-08 07:35, Jason Brandt wrote: ... All of our Windows clients resolve through our BIND servers, and have no problems with any AD resources. ... I prefer to keep it simple, and have one set of resolvers for all clients. ... Jason, I'm with you. But I'm also with not arguing with those who just keep repeating, "But MS says something terrible will happen if we do that!" when they are perfectly willing to forward to someone else to do the real work. Joe Yao ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Private separate DNS domains
Hello all, We have a sort of private DNS such that servers can look up zones that don't actually exist in the real, public DNS; they just exist within our private NOCs. In addition, we have always had both Windows AD handling the Windows side of things and BIND handling Linux. When the BIND servers don't know about a domain, they forward to a public server such as Google's 8.8.8.8 thing. For some reason the Windows guys aren't allowed that option on their DNS (I believe it's a security requirement), so any Windows server that DOES need public DNS resolution always has a BIND server listed in the TCP/IP properties of the network interface (from what I have seen, it's usually not the first DNS server in the list). Anyway, up until now Windows servers primarily got DNS answers via AD (except as mentioned above), and Linux servers via the BIND servers. Recently, however, we have enabled AD authentication on Linux, meaning the Linux servers need to know about the AD domains (well, they need to know about the Kerberos and LDAP service records and whatnot). The current mechanism is to put the Windows AD server into the resolv.conf BEFORE the BIND servers, since, as has been explained to me, a Linux server will perform a query against all three simultaneously (that doesn't immediately ring true to me; it's just what I was told). While this does seem to work, I've been wondering if it would be of any benefit to instead let the BIND servers know about the AD zones in some way, allowing us to continue with our "Linux sends all queries to BIND" methodology. As I understand it, BIND could theoretically be doing conditional forwarding, or it could use stub zones, or perhaps it could be a slave with AD as the master. Is it just as well to leave things alone? Or would one of these be preferable to the current setup? Any advice or guidance would be greatly appreciated. Thanks in advance.
V/r, Bryan
Re: Private separate DNS domains
I have ours set up with AD as a stub, and then point all our clients to our BIND servers as resolvers. Works well. On Tue, Apr 8, 2014 at 5:08 AM, Bryan Harris bryanlhar...@me.com wrote: ... -- Jason K. Brandt Systems Administrator Bradley University
Re: Private separate DNS domains
On 2014-04-08 06:08, Bryan Harris wrote: ... The current mechanism is to put the Windows AD server into the resolv.conf BEFORE the BIND servers, since, as has been explained to me, a Linux server will perform a query against all three simultaneously (that doesn't immediately ring true to me; it's just what I was told). ... You were told wrong about "simultaneously" from /etc/resolv.conf. It uses the first one that gives an answer. If the first one times out, it asks the next and ignores any response from the first, etc. (If you think about it, what happens if two simultaneously respond with different answers? If one never responds?) What we do is have our (separate) Linux/BIND resolving name servers forward any queries about internal MSW AD DNS domains to the MSW AD name servers; otherwise they do what they would normally do, which, for the most part, is to recursively resolve starting from the one and only set of genuine root servers rather than forwarding to someone else and allowing that someone else to put something into our DNS or monitor it. Even if they have sworn to do no evil. The MSW workstations and servers only look up from the MSW AD servers, for some MSW reason that nobody can explain except "MS says they have to". The MSW AD servers forward all DNS queries that they cannot resolve to the Linux/BIND resolving name servers. Joe Yao
Re: Private separate DNS domains
On Tue, Apr 8, 2014 at 6:15 AM, Joseph S D Yao j...@tux.org wrote: The MSW workstations and servers only look up from the MSW AD servers, for some MSW reason that nobody can explain except "MS says they have to". The MSW AD servers forward all DNS queries that they cannot resolve to the Linux/BIND resolving name servers. Joe Yao All of our Windows clients resolve through our BIND servers, and have no problems with any AD resources. The only MSW machines that point to our AD DNS servers are our DCs. All clients will resolve just fine through BIND, so long as your zones are configured correctly and you can resolve the necessary AD records through your BIND servers. It doesn't matter what type of DNS server you point clients to, be it Windows, BIND, etc., so long as DNS is properly configured to forward requests to the appropriate servers. We don't have forwarders or recursion enabled on our AD DNS servers. I prefer to keep it simple, and have one set of resolvers for all clients. -- Jason K. Brandt Systems Administrator Bradley University
Re: Private separate DNS domains
In article mailman.2610.1396955773.20661.bind-us...@lists.isc.org, Joseph S D Yao j...@tux.org wrote: On 2014-04-08 06:08, Bryan Harris wrote: ... The current mechanism is to put the Windows AD server into the resolv.conf BEFORE the BIND servers, since, as has been explained to me, a Linux server will perform a query against all three simultaneously (that doesn't immediately ring true to me; it's just what I was told). ... ... You were told wrong about "simultaneously" from /etc/resolv.conf. It uses the first one that gives an answer. If the first one times out, it asks the next and ignores any response from the first, etc. (If you think about it, what happens if two simultaneously respond with different answers? If one never responds?) ... Novell's LAN Workplace for DOS used to do simultaneous queries to however many (max 3, IIRC) servers you put in its RESOLV.CFG. I've never seen it happen on a *ix/*ux box. I can't remember if the slower servers received port unreachables when their answers trailed in behind the leader. Sam -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Private separate DNS domains
Regardless of what you've been told, the resolvers (nameservers) in /etc/resolv.conf are tried *in*sequence*, and if a valid response (where NXDOMAIN _is_ a valid response) is received from one resolver, none of the others are tried. So I'm surprised that your mix-and-match-resolvers hack actually works. The only thing that comes to mind is that the Windows DNS is so horked that it's returning SERVFAIL for names outside of its authoritative domains. That would trigger failover to another resolver, but that's an *ugly* way to integrate BIND and Windows DNS. Instead of guessing at such things, learn how to use tcpdump/Wireshark and find out what's really happening under the covers. I haven't seen a resolver implementation send queries *simultaneously* to all resolvers since circa Windows 95. And I've never seen it on Linux. As for a long-term solution, either define an internal root zone (with conditional forwarding exceptions for the external stuff you *need* to resolve), or, if you must, forward by default to the Internet and then define all of the private stuff as master/slave/stub on your internal servers. - Kevin On 4/8/2014 6:08 AM, Bryan Harris wrote: ...
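The two ways of teaching the BIND resolvers about the AD zones that come up in this thread, Joe Yao's conditional forwarding and Jason Brandt's stub zone (Kevin's "master/slave/stub on your internal servers" covers the same ground), written out as a named.conf fragment. This is an added example, not configuration posted by anyone in the thread. It assumes the AD domain is ad.example.com, that the domain controllers' DNS listens on 10.0.0.10 and 10.0.0.11, and that the AD client subnet is 10.0.0.0/24; the ACL ranges are placeholders for the site's own networks.

```conf
// Added example: a BIND resolver that keeps "Linux sends all queries to BIND"
// while learning the private AD zones. Names, addresses and ACL ranges are
// assumptions for illustration, not values from the thread.

acl "internal" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";

    // Recurse only for the site's own networks; an open recursive resolver
    // is an amplification source and a cache-poisoning target.
    recursion yes;
    allow-query     { "internal"; };
    allow-recursion { "internal"; };

    // No global "forwarders" line: resolve from the root servers instead of
    // handing every query to a public resolver, and validate signed answers.
    dnssec-validation auto;

    // The AD zone is private and unsigned. If example.com is signed, a
    // validating resolver would SERVFAIL on ad.example.com because it cannot
    // prove the delegation is insecure; this exempts the zone (BIND 9.14 or
    // later). Older versions need a negative trust anchor (rndc nta) instead.
    validate-except { "ad.example.com"; };
};

// Option A: conditional forwarding, as Joe Yao describes. Every name under
// ad.example.com (including _msdcs.ad.example.com) is sent only to the DCs.
// "forward only" means a DC outage yields SERVFAIL rather than a fallback to
// iterative resolution, so internal names are never sent to the roots or to
// a public resolver.
zone "ad.example.com" {
    type forward;
    forward only;
    forwarders { 10.0.0.10; 10.0.0.11; };
};

// Option B: a stub zone, as Jason Brandt describes. BIND copies only the
// SOA/NS (and glue) from the DCs and then iterates to those name servers
// itself, so the DC DNS servers do not need recursion enabled. Use A or B
// for a given zone, not both. (BIND 9.16+ also accepts "primaries" here.)
/*
zone "ad.example.com" {
    type stub;
    masters { 10.0.0.10; 10.0.0.11; };
    file "stub/ad.example.com.db";
};
*/

// Clients register their PTR records on the DCs by dynamic update, so the
// reverse zone for the AD client subnet is forwarded the same way.
zone "0.0.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.10; 10.0.0.11; };
};
```

With either option in place, a Linux host lists only the BIND resolvers in /etc/resolv.conf. To confirm the records that AD-joined Linux actually needs are reachable through BIND before changing resolv.conf, query the resolver directly for the SRV records: `dig @<bind-resolver> _ldap._tcp.dc._msdcs.ad.example.com SRV` and `dig @<bind-resolver> _kerberos._tcp.ad.example.com SRV` should both return the DCs, and `dig @<bind-resolver> www.example.org +dnssec` should still carry the AD flag for a signed public name, showing that exempting the private zone did not turn validation off globally.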