bind-users Digest, Vol 1773, Issue 1

Barry S. Finkel bsfinkel at att.net
Wed Feb 26 17:23:45 UTC 2014


"Lawrence K. Chen, P.Eng." <lkchen at ksu.edu> wrote:

> Hmmm, so that explains what I'm seeing in my logs of my nameservers
> getting hammered by AD.
>
> Should I be worried?  Is there anything that could be done on my end to
> help reduce the impact?
>
> ----
>
> On our campus, we have always allowed delegation of subdomains to
> department nameservers, with the requirement that we be secondary to
> them.  Some departments also have other domains on their nameservers,
> again have us as their secondary (and often we're the only published
> nameservers for these domains.)
>
> But, AD was different...they did their own thing.
>
> Except there's this problem now with their authoritative servers also
> being open recursive query resolvers ... exposed to the whole world.
>
> Since they won't turn off recursion (and there's no way to limit its scope)
>
> So, we've started pushing that they need to use us as secondaries.
>
> Right now it has only been tested with Central AD, where I'm seeing one
> DC sending updates ranging from a few minutes to a few hours.  While the
> other DC is trying at intervals of 2-9 minutes, but its N-1....
>
> Though when they were first trying to get it going...they had some
> trouble, which turned out that it thought the IP space of my nameservers
> belonged to it and that my nameservers were not part of that space.
>
> Namely, one of my DNS vlans is 129.130.254.0/28 (ns-1.ksu.edu lives
> here, ns-2.ksu.edu/ns-3.ksu.edu live in the other one)...where some
> other portion of the /24 is a vlan that they have servers in.
>
> Hmmm, I noticed in the dump of ads.ksu.edu, it has A records for my
> nameservers....is that a problem?


Where I used to work, there was NO computer that had an AD DNS
Server address in its TCP/IP configuration.  ALL computers
used the two BIND internal servers for their DNS resolution.
The Domain Controllers were NOT accessible from the Internet,
so we were not worried about Internet access to those DC DNS
Servers.  Only one sub-domain was completely DHCP-dynamic and mastered
on a Windows DC DNS, so with the exception of this forward zone and its
five /24 reverse zones, the only zones on the Windows DCs were the
AD zones - _msdcs, _sites, _tcp, and _udp.  The forward and reverse
zones were on the BIND servers only, and all these "_" zones were
slaved on the BIND servers.

--Barry Finkel
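The setup both posters describe, a campus BIND server acting as secondary for the AD "_" zones while keeping its own recursion scoped, can be written as a named.conf fragment. The block below is an added illustration, not configuration from either poster or from KSU; the addresses are RFC 5737 / RFC 3849 placeholders standing in for the domain controllers and the campus networks, and the zone names are built from the ads.ksu.edu name mentioned in the thread. The weak setting is shown commented out beside the scoped one.

```conf
// Added example, not from the thread.  BIND 9 named.conf fragment for a
// campus nameserver that is authoritative to the world but recursive only
// for on-campus clients, and that slaves the AD service-location zones.
// All addresses are constructed placeholders (assumption), not real ones.

// The AD domain controllers that master the zones (assumed addresses).
masters "ad-dcs" { 192.0.2.10; 192.0.2.11; };
acl "ad-dcs-acl" { 192.0.2.10; 192.0.2.11; };

// Networks whose clients may use this server as a recursive resolver (assumed).
acl "campus" { 192.0.2.0/24; 198.51.100.0/24; 2001:db8::/32; };

options {
    directory "/var/named";

    // Weak setting: recursion answerable from anywhere, which is what an
    // open resolver looks like.  Shown only for contrast; do not use.
    //   recursion yes;
    //   allow-recursion { any; };

    // Scoped setting: authoritative answers for everyone, recursion and
    // cache access for campus clients only.
    recursion yes;
    allow-recursion { "campus"; };
    allow-query { any; };
    allow-query-cache { "campus"; };

    // A secondary should not hand full zone copies to the world.
    allow-transfer { none; };
};

// One secondary ("slave" in the BIND 9.9-era syntax current in 2014;
// "type secondary" / "primaries" in BIND 9.13+) declaration per AD zone.
// Transfers and NOTIFY are accepted only from the domain controllers.
zone "_msdcs.ads.ksu.edu" {
    type slave;
    file "slaves/_msdcs.ads.ksu.edu.db";
    masters { "ad-dcs"; };
    allow-notify { "ad-dcs-acl"; };
};

zone "_sites.ads.ksu.edu" {
    type slave;
    file "slaves/_sites.ads.ksu.edu.db";
    masters { "ad-dcs"; };
    allow-notify { "ad-dcs-acl"; };
};

zone "_tcp.ads.ksu.edu" {
    type slave;
    file "slaves/_tcp.ads.ksu.edu.db";
    masters { "ad-dcs"; };
    allow-notify { "ad-dcs-acl"; };
};

zone "_udp.ads.ksu.edu" {
    type slave;
    file "slaves/_udp.ads.ksu.edu.db";
    masters { "ad-dcs"; };
    allow-notify { "ad-dcs-acl"; };
};
```

Two things have to be true on the Windows side for this to work: each zone's transfer settings on the DC must list the BIND servers (or the DC will refuse AXFR/IXFR), and the notify list should include them so refreshes are driven by NOTIFY rather than only by the SOA refresh timer. After loading, `rndc zonestatus _msdcs.ads.ksu.edu` shows whether the transfer succeeded and when the next refresh is due, and `dig @ns-1.ksu.edu example.com +norecurse` from off-campus should return REFUSED rather than an answer, which is the quick check that the recursion scope is actually in effect.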
