RE: DNS Servers

2014-01-10 Thread James M. Pulver
We run a small AD setup with BIND as DNS. We don't even allow dynamic updates, 
and it all works fine. We get some event log spam, but as long as you register 
the DNS entries somehow, the automated stuff from the clients doesn't need to 
do it.
OT:
As to whether AD makes sense - well, back in 2008 when we were planning our 
setup, it made a lot of sense. Here in 2014 I think SAMBA 4 for auth and Puppet 
for conf management might just make more sense, if it ties in as well with SL6 
as SL6 SSSD does to AD. The major pain I have right now is I have *too many choices* 
for how to configure Windows (Is that a problem??). I can use Group Policy, I 
can use Fusion Inventory, I can use Puppet. It's a trick to work out which is 
best for what.

I will say, I've hit interesting bugs in GPO deployment, and so much of the 
debugging seems obfuscated for no reason. Puppet at least has a "force a run" 
that easily gives you details about what's going on so you can debug quickly. 
GPO debugging feels far more like black magic - there are at least 3 different 
ways to go about it and you have to go through each till you find the problem, 
and the fix may well be "reinstall Windows" because you can't remove and 
reinstall just the GP client. With Puppet, I've left GPP registry settings and 
attempts to manage third party apps (unless they come with an ADM(x) file - 
because why reinvent the wheel) behind.
--
James Pulver
CLASSE Computer Group
Cornell University


-Original Message-
From: owner-scientific-linux-us...@listserv.fnal.gov 
[mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Nico 
Kadel-Garcia
Sent: Friday, January 10, 2014 12:36 AM
To: Jeremy Wellner
Cc: owner-scientific-linux-us...@listserv.fnal.gov; 
SCIENTIFIC-LINUX-USERS@FNAL.GOV
Subject: Re: DNS Servers

AD does many things, many of them quite badly. If you need a drop-in 
authentication server, you might consider if you really need AD, or if Samba 
4.1.x will do the job. I've got RPM building tools for that at 
https://github.com/nkadel/samba4repo, and they work well on Scientific Linux 6 
with the necessary RPMs built up from scratch.

AD is handy for easy integration with Microsoft servers, such as Exchange and 
SQL, and for providing Windows-trained personnel familiar tools. But its DNS 
is not good. It allows multiple PTR records for the same IP address, 
configuring DNS views is a nightmare, its export tool is a proprietary format 
that looks vaguely like valid DNS but isn't, and it does not understand that 
foo.bar.com may have *nothing to do* in any logical sense with bar.com DNS.

If you need it for things like the authenticated dynamic DNS for your laptops 
and wi-fi, and don't want to spend the time building up Samba or similar tools, 
cool. But keep it the heck away from your server DNS. If you need chroot cages 
and good source-control-managed configuration backups, consider looking up my 
presentation at SVNday in Berlin a few years ago: How to Subvert Masters and 
Slaves, BIND Them, and Make Them Report Names and Addresses.


On Thu, Jan 9, 2014 at 9:37 PM, Jeremy Wellner jwell...@stanwood.wednet.edu 
wrote:
 That's a resounding stay the course and I don't mind that one bit.  
 It's been rock solid and I've been happy with it.

 So as a secondary question, we are planning on adding Active Directory 
 in to our network and I know that it is very particular about its 
 DNS.  Will AD be happy with being given a delegate domain to have as 
 its sandbox or does that throw my BIND install out the window?

 Thank you all for the advice!! :)


Re: DNS Servers

2014-01-10 Thread Nico Kadel-Garcia
AD is fine with a delegated domain. Allow zone transfers so the BIND server can 
generate reverse DNS with mkrdns

Nico Kadel-Garcia
Email: nka...@gmail.com
Sent from iPhone

 On Jan 9, 2014, at 21:37, Jeremy Wellner jwell...@stanwood.wednet.edu wrote:
 
 That's a resounding stay the course and I don't mind that one bit.  It's been 
 rock solid and I've been happy with it.
 
 So as a secondary question, we are planning on adding Active Directory in to 
 our network and I know that it is very particular about its DNS.  Will AD be 
 happy with being given a delegate domain to have as its sandbox or does that 
 throw my BIND install out the window?
 
 Thank you all for the advice!! :)


Re: DNS Servers

2014-01-10 Thread Jeremy Wellner
Excellent feedback guys!

Thank you all so much!!! :)

Jeremy


On Fri, Jan 10, 2014 at 6:32 AM, Nico Kadel-Garcia nka...@gmail.com wrote:

 AD is fine with a delegated domain. Allow zone transfers so the BIND
 server can generate reverse DNS with mkrdns

 Nico Kadel-Garcia
 Email: nka...@gmail.com
 Sent from iPhone

  On Jan 9, 2014, at 21:37, Jeremy Wellner jwell...@stanwood.wednet.edu
 wrote:
 
  That's a resounding stay the course and I don't mind that one bit.  It's
 been rock solid and I've been happy with it.
 
  So as a secondary question, we are planning on adding Active Directory
 in to our network and I know that it is very particular about its DNS.
  Will AD be happy with being given a delegate domain to have as its
 sandbox or does that throw my BIND install out the window?
 
  Thank you all for the advice!! :)




-- 
Jeremy Wellner
Technology Group
Stanwood-Camano School District
jwell...@stanwood.wednet.edu

Internal: x4357
External: 360-629-1205
Cell: 360-420-5486

“We’re here to put a dent in the universe. Otherwise why else even be here?”
-Steve Jobs


Re: DNS Servers

2014-01-09 Thread Steven Haigh
On 10/01/2014 11:16 AM, Jeremy Wellner wrote:
 I've been using BIND on RHEL5 for years and it's come time to overhaul
 those venerable DNS boxes.
 
 I've seen a lot of alternatives like NSD, PowerDNS, YADIFA, and others
 but I'm wondering what experience has been with going to something other
 than BIND.
 
 Having a database backend is very attractive, but so is having a
 manageable GUI for those in the department that work with adding devices
 and are scared of text files and the black of terminal.

Use bind. DNS is all about reliability - not pretty or GUIs...

-- 
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299





Re: DNS Servers

2014-01-09 Thread Paul Robert Marino
Bind works well, period! That said, one of my favorite DNS appliances uses PowerDNS under the hood and it works very well too if you configure it correctly. The others I really can't speak to because I've never used them.

It really comes down to this: you need to balance your budget as compared to man hours. I tend to use appliances for my core DNS servers wherever possible because there are a lot of really good ones and I have support staff time limitations, but I also use Bind 9 slave servers to handle most of the actual query traffic because it reduces my support and equipment costs. That said, if you are more concerned about the initial upfront cost and support cost than man hours, Bind is the safest bet because it's the standard that all the others are based on.

-- Sent from my HP Pre3

On Jan 9, 2014 19:28, Steven Haigh net...@crc.id.au wrote:
On 10/01/2014 11:16 AM, Jeremy Wellner wrote:
 I've been using BIND on RHEL5 for years and it's come time to overhaul
 those venerable DNS boxes.
 
 I've seen a lot of alternatives like NSD, PowerDNS, YADIFA, and others
 but I'm wondering what experience has been with going to something other
 than BIND.
 
 Having a database backend is very attractive, but so is having a
 manageable GUI for those in the department that work with adding devices
 and are scared of text files and the black of terminal.

Use bind. DNS is all about reliability - not pretty or GUIs...

-- 
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299


Re: DNS Servers

2014-01-09 Thread Paul Robert Marino
I in theory would like webmin for this in a fast and dirty development environment, but it still has too many infosec problems for my taste for production. In the past, when I had the time and work-driven focus to harden webmin with only custom modules which all used sudo for an appliance, I was able to reconcile my issues, but in production as is, stock webmin is risky. Many of these concerns could be handled by SELinux now, but the webmin developers are still behind the ball on writing the appropriate rules or even requiring module writers to include the prerequisite rules, so I still wouldn't consider it in production.

-- Sent from my HP Pre3

On Jan 9, 2014 19:50, Nico Kadel-Garcia nka...@gmail.com wrote:
BIND for the server, "webmin" for the configuration tool, and my
presentation at SVNday a few years ago if you want notes on how to put
it under source control.

Don't forget "mkrdns" for generating your reverse DNS reliably: the
RPM building tools are at
https://github.com/nkadel/repoforge-rpms-nkadel-dev/tree/master/specs/mkrdns/

On Thu, Jan 9, 2014 at 7:26 PM, Steven Haigh net...@crc.id.au wrote:
 On 10/01/2014 11:16 AM, Jeremy Wellner wrote:
 I've been using BIND on RHEL5 for years and it's come time to overhaul
 those venerable DNS boxes.

 I've seen a lot of alternatives like NSD, PowerDNS, YADIFA, and others
 but I'm wondering what experience has been with going to something other
 than BIND.

 Having a database backend is very attractive, but so is having a
 manageable GUI for those in the department that work with adding devices
 and are scared of text files and the black of terminal.

 Use bind. DNS is all about reliability - not pretty or GUIs...

 --
 Steven Haigh

 Email: net...@crc.id.au
 Web: https://www.crc.id.au
 Phone: (03) 9001 6090 - 0412 935 897
 Fax: (03) 8338 0299


Re: DNS Servers

2014-01-09 Thread Paul Robert Marino
It's doable to have bind be your DNS for AD; it just takes some work and planning. The primary thing is make sure dynamic DNS works properly. The big catches there are making sure you have the right Service entries and ensuring dynamic DNS works correctly. By the way, neither of these are AD-specific requirements; they actually stem from the RFCs that describe LDAP 3 and the RFCs which describe TLS and Kerberos V which the LDAP 3 RFCs reference. Essentially AD is Microsoft's implementation of LDAP 3 and since Windows Server 2008 it's very RFC compliant with some Microsoft Windows specific optimizations and automation.

-- Sent from my HP Pre3

On Jan 9, 2014 21:38, Jeremy Wellner jwell...@stanwood.wednet.edu wrote:
 That's a resounding stay the course and I don't mind that one bit.  It's been rock solid and I've been happy with it.

 So as a secondary question, we are planning on adding Active Directory in to our network and I know that it is very particular about its DNS.  Will AD be happy with being given a delegate domain to have as its sandbox or does that throw my BIND install out the window?
 Thank you all for the advice!! :)
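A check for the Service entries the message above refers to, added here as an example and not code from the thread: it parses BIND-style zone text for the SRV records an AD domain controller registers and reports any that are missing. The zone name ad.example.edu, the host dc1 and the zone text itself are constructed.

```python
import re

# Added example, not code from the thread. The SRV owner names (relative to
# the AD zone apex) that domain controllers register and clients query for.
REQUIRED_SRV = (
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp",
    "_gc._tcp", "_ldap._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs",
)

# owner [ttl] IN SRV priority weight port target
_SRV_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.I)


def parse_srv(zone_text, origin):
    """Map each SRV owner (relative to origin) to its (prio, weight, port, target) list."""
    suffix = "." + origin.rstrip(".").lower() + "."
    found = {}
    for raw in zone_text.splitlines():
        m = _SRV_RE.match(raw.split(";", 1)[0].strip())  # strip ';' comments
        if not m:
            continue
        owner = m.group(1).lower()
        if owner.endswith("."):          # absolute name: must belong to this zone
            if not owner.endswith(suffix):
                continue
            owner = owner[:-len(suffix)]
        rr = tuple(int(x) for x in m.group(2, 3, 4)) + (m.group(5).lower(),)
        found.setdefault(owner, []).append(rr)
    return found


def missing_ad_srv(zone_text, origin):
    """Return the REQUIRED_SRV names that have no SRV record in the zone."""
    found = parse_srv(zone_text, origin)
    return [name for name in REQUIRED_SRV if name not in found]


# Constructed delegated AD zone (dc1 and ad.example.edu are made up);
# _kerberos._udp is deliberately left out so the check has something to report.
SAMPLE_ZONE = """\
_ldap._tcp             IN SRV 0 100 389  dc1.ad.example.edu.
_kerberos._tcp     600 IN SRV 0 100 88   dc1.ad.example.edu.   ; explicit TTL
_kpasswd._tcp          IN SRV 0 100 464  dc1.ad.example.edu.
_gc._tcp               IN SRV 0 100 3268 dc1.ad.example.edu.
_ldap._tcp.dc._msdcs   IN SRV 0 100 389  dc1.ad.example.edu.
_ldap._tcp.pdc._msdcs.ad.example.edu. IN SRV 0 100 389 dc1.ad.example.edu.
"""
```

The same parser accepts the output of a `dig axfr` of the delegated zone, since that prints one record per line in this owner/ttl/IN/SRV format with absolute names.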


Re: DNS Servers

2014-01-09 Thread Nico Kadel-Garcia
AD does many things, many of them quite badly. If you need a drop-in
authentication server, you might consider if you really need AD, or
if Samba 4.1.x will do the job. I've got RPM building tools for that
at https://github.com/nkadel/samba4repo, and they work well on
Scientific Linux 6 with the necessary RPMs built up from scratch.

AD is handy for easy integration with Microsoft servers, such as
Exchange and SQL, and for providing Windows-trained personnel familiar
tools. But its DNS is not good. It allows multiple PTR records for
the same IP address, configuring DNS views is a nightmare, its
export tool is a proprietary format that looks vaguely like valid
DNS but isn't, and it does not understand that foo.bar.com may have
*nothing to do* in any logical sense with bar.com DNS.

If you need it for things like the authenticated dynamic DNS for your
laptops and wi-fi, and don't want to spend the time building up Samba
or similar tools, cool. But keep it the heck away from your server
DNS. If you need chroot cages and good source-control-managed
configuration backups, consider looking up my presentation at SVNday
in Berlin a few years ago: How to Subvert Masters and Slaves, BIND Them,
and Make Them Report Names and Addresses.


On Thu, Jan 9, 2014 at 9:37 PM, Jeremy Wellner
jwell...@stanwood.wednet.edu wrote:
 That's a resounding stay the course and I don't mind that one bit.  It's
 been rock solid and I've been happy with it.

 So as a secondary question, we are planning on adding Active Directory in to
 our network and I know that it is very particular about its DNS.  Will AD
 be happy with being given a delegate domain to have as its sandbox or does
 that throw my BIND install out the window?

 Thank you all for the advice!! :)