Active Directory Security Concern
Kevin Darcy
kcd at daimlerchrysler.com
Wed Dec 4 00:59:13 UTC 2002
tom thumb wrote:
> All,
>
> Unfortunately we are going to be upgrading to Active Directory
Sorry to hear it.
> and
> would like to maintain using UNIX for our DNS infrastructure. What
> are the security concerns in disabling name checking and allowing
> dynamic dns?
Disabling name checking isn't particularly high risk in security terms,
although the fact that you have to do it implies that you're running
BIND 8, and from a security standpoint, you may be better off with
BIND 9.
Dynamic DNS is a bigger concern, since the flavors of
crypto-authentication used by Microsoft products are incompatible with
that used by BIND and _vice_versa_. So you're limited to authenticating
by source IP address, which is pretty weak. For these reasons and others,
some folks prefer a "half-and-half" solution where they just delegate
the "underscore" subdomains, e.g. _tcp, _udp, _msdcs to a Microsoft
DNS/AD server and let it manage those itself. This leaves the main
domain(s) running on your existing DNS infrastructure without having to
open up Dynamic Update.
Alternatively, you could -- as we do -- have AD use a completely
different namespace.
- Kevin
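The "half-and-half" delegation described in the reply above, as an added configuration example that is not from the original post or from Kevin's own setup. It assumes a parent zone example.com on the existing BIND server (ns1 at 192.0.2.1) and a hypothetical AD domain controller dc1 at 192.0.2.10; besides _msdcs, _tcp and _udp from the post it also delegates _sites, which AD registers as well.

```text
; example.com.zone on the BIND server (constructed example, not the post's data)
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2002120401 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.example.com.
ns1     IN A    192.0.2.1
; Glue record for the AD domain controller that will own the delegated subdomains
dc1     IN A    192.0.2.10
; Delegate only the AD service-record subdomains to the DC; the DC accepts
; dynamic updates for these, the main domain on BIND never does.
_msdcs  IN NS   dc1.example.com.
_sites  IN NS   dc1.example.com.
_tcp    IN NS   dc1.example.com.
_udp    IN NS   dc1.example.com.

// named.conf on the BIND server: the parent zone stays static.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { none; };   // no Dynamic Update opened on the main domain
};
```

To check the split, `dig @192.0.2.1 _msdcs.example.com NS` should return a referral to dc1, and querying dc1 directly for `_ldap._tcp.dc._msdcs.example.com SRV` should succeed once the DC has registered its records.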