Integrating BIND with Active Directory

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Sep 11 15:08:22 UTC 2002


Ron Hall <thorn at cc.mcgill.ca> replied to my posting:

> And I have this and it does work. That part was easy :)
>
> I'm looking for any "gotchas", that need be added to the conf
> files that I don't know about.
>
> The problem is that the security people would like to hide the
> AD servers behind a firewall so that any updates requests
> that go to the "main" BIND servers are "passed" on to the
> AD servers so that the 53 port for the AD servers need only
> "know" about the "main" BIND servers. At least that is their
> hope. I personally don't think it works that way, but I get
> to ask and accomplish 1 of 3 things:
>
> 	1) I get told how to do it.
> 	
> 	2) I get told that it is not doable.
>
> 	3) I make an ass of myself.
>
> Personally I end up at 3 at lot, but I also get the answers
> I think I need :) So we take the good with the bad :)
>
> Thanks for your time and patience and of course your answer.

I would assume that all of the DDNS updates to the "_" zones would
go to the W2k master server for those zones.  The only DDNS updates
should come from W2k Domain Controllers, and they know how to find
the master server.  W2k workstations may try DDNS self-registrations
to your BIND master, but I assume that you handle those requests
currently (by denying them).

Assuming that none of your client machines has the W2k DNS server
listed in its TCP/IP configuration as a DNS server, then you should
make the W2k master a "hidden" server.  See Q267855.  Then the only
DNS servers that have to talk to the W2k DNS Server are all of the
slave servers.  Here we have a firewall that permits any outbound
traffic, but limits inbound traffic.  The only traffic inbound from
the Internet to my W2k master is that from our offsite BIND slave
servers (and, of course, inbound responses to outbound queries).
If you limit outbound traffic through the firewall from your
W2k DNS Server, then you might have problems.

In summary, you can limit inbound traffic to the W2k DNS to port 53
(TCP and UDP) from your BIND servers.  You may need to allow outbound
port 53 traffic from your W2k DNS to more than just the BIND servers.
Of course, the W2k DNS Server is running on a DC, and if other pieces
of the W2k AD are outside the firewall, you will need to open the
W2k/AD conduits through the firewall.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
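
As an added illustration of the layout described in the reply above (constructed here, not part of the original thread or of any BIND or Microsoft documentation), the following named.conf fragment shows a BIND server that refuses workstation dynamic updates to the parent zone and slaves the AD "_" subzones from the hidden W2k master. The zone names, the addresses (192.0.2.10 as the hidden W2k DNS/DC, 192.0.2.20 and 192.0.2.21 as the BIND servers) and the choice of the four subzones are assumptions.

```conf
// Constructed example: a BIND server in front of a hidden W2k DNS master.
// 192.0.2.10 = assumed hidden Windows 2000 DC running DNS.
// 192.0.2.20, .21 = assumed BIND servers; the firewall should allow inbound
// 53/tcp and 53/udp to 192.0.2.10 only from these two addresses.

acl "bind-servers" { 192.0.2.20; 192.0.2.21; };

options {
    directory "/var/named";
    // Refuse all DDNS updates to zones this server masters; this is what
    // stops W2k workstations self-registering against the BIND master.
    allow-update { none; };
    // Only our own BIND servers may pull full zone copies from us.
    allow-transfer { "bind-servers"; };
};

// The parent zone stays BIND's own. Its zone file must also carry the NS
// records delegating the "_" subzones below to the BIND servers.
zone "example.com" {
    type master;
    file "example.com.zone";
};

// The AD "_" subzones are mastered by the hidden W2k server. Domain
// Controllers locate that master through the zone's SOA record and send
// their DDNS updates to it directly, so BIND never has to forward updates.
// The W2k side must permit zone transfers to the "bind-servers" addresses.
zone "_msdcs.example.com" {
    type slave;
    file "slave/_msdcs.example.com.zone";
    masters { 192.0.2.10; };
};
zone "_sites.example.com" {
    type slave;
    file "slave/_sites.example.com.zone";
    masters { 192.0.2.10; };
};
zone "_tcp.example.com" {
    type slave;
    file "slave/_tcp.example.com.zone";
    masters { 192.0.2.10; };
};
zone "_udp.example.com" {
    type slave;
    file "slave/_udp.example.com.zone";
    masters { 192.0.2.10; };
};
```

Because 192.0.2.10 is not listed as a resolver on any client, it only ever receives port 53 traffic from the two BIND servers (zone transfers and NOTIFY acknowledgements), which is the inbound rule set the reply describes.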