bind vs. MS DNS

Chris Cox chris_cox at stercomm.com
Wed Jun 16 15:48:46 UTC 2004


huffman at graze.net wrote:
> All,
> 
>    Don't want to start any nasty feuds, but can anyone point me to pros / cons
> of using bind in favor of MS DNS?  My company is currently looking at migrating
> from a UNIX / Bind DNS scenario to MS DNS / Active Directory.  I feel that the
> maturity, security, and stability of bind on UNIX are big wins, but currently
> we're not hosting our own DNS externally, so security is *less* of a concern and
> we're small so things like views, and scalability are also not concerns....
> 
> Pointers to any articles would also be helpful.
> 

My two cents...

In spite of having many MCSE's, I have not seen a correctly functioning
Microsoft based DHCP/DNS that handles NON-Microsoft clients in
a reasonable manner.

Problems I have seen....

1. The ability for any non-Microsoft client to nuke almost any entry
inside of Microsoft DNS.  Which is a problem when key pieces of
the infrastructure are having their DNS records replaced.  A
reasonable solution is to have different levels of authorization
rights on each DNS record.. that way, DHCP clients will not
have enough authority to remove a record that really should
not be changed (but it doesn't fix the following).

2. There doesn't appear to be a good way of managing inverse
records with Microsoft.  They resort to "skulking" out trash...
this is just plain wrong in so many ways it's not funny.
Machines that determine their hostname by doing a reverse PTR
lookup in DNS will get the first record that comes back, and
it's not unusual for there to be several "trashed" (old) records
inside of MS's DNS.  Thus a machine might end up with a
hostname that actually forward resolves (A) to some other
address.  ISC DHCP signs its entries which allows that particular
DHCP to know if it has authority to remove the record or
not and therefore it keeps this kind of thing from happening.
Supposedly, Microsoft handles this sort of thing for Microsoft
based hosts... but it's very anti-non-Microsoft host... and
especially causes problems with floating equipment (laptops).

3. So called Microsoft advocates in this list are constantly
"claiming" to have knowledge on how to fix these things, but
post very little content (another typical behavior).  I have
nothing but contempt for their unhelpful attitudes.


Things I believe in that ISC DHCP/BIND tend to believe in....

1. For dynamic DNS, the DHCP server handles secured TSIG updates to
the ISC BIND server for clients.  Microsoft default behavior is that
clients update the BIND server (which is predictable behavior from
a company that is not too focused on core security principles).
Avoids trashy PTR records that are so prevalent with MS's soln.

2. I do not delegate the "_" zones.  Rather I allow the MS boxes
to update those zones by using less secure IP based authorization.
While this may not be "secure"... I really don't think you can have
MS boxes on your network and be "secure" anyway.  I do not see any
good reason for Microsoft to own any part of the core infrastructure.
If you are worried about not having Microsoft security, realize
that Microsoft isn't that interested in making it easy for foreign
(non Microsoft) hosts to access their "security" (client or server side).

3. I don't split zones for dynamic vs. static.  While this was needed
I believe at sometime (maybe BIND v8 somewhere??), you now use
dynamic updates to manage the whole zone.  DHCP will sign its records
and you can put nsupdated records for addresses outside of the
DHCP range.

Ultimately, IMHO, the question is "Who will integrate or attempt
to integrate any and all hosts on my network?"  Clearly, *ix has
a better track record of openness.  History has shown time and
time again, that Microsoft insists upon complete and total
domination on the network and NOT integration.

I have set up networks for multi-million dollar companies using
ISC BIND/DHCP in a totally DDNS environment with mixed hosts
and it just plain works.  I have used NIS for account management
using Samba as the mechanism for transparent creation of
those accounts so there is only one central user repository
(yes.. under Windows).  Unix boxes (most all of them) can
be made to authenticate passwords to the Microsoft Domain,
so weakly encrypted passwords (a weakness of NIS) are no longer
a problem.  And Windows and *ix coexist with each other.

Samba has gone a long way into making the central user
repository also open, so that even that piece could reside
on an open *ix platform.  IMHO, with Samba 3, they are VERY,
VERY close.  My only problem is that Microsoft maintains
the ownership of the target that the Samba team is trying
to hit, and I'm positive, beyond a shadow of doubt that if
they get too close, Microsoft will do whatever it takes
to make the Samba system incompatible rather than risk
losing any marketshare to *ix.

If there's any good news here... the good news is that
DNS/DHCP has a good, large install base on the internet
outside of Microsoft (they don't own these targets yet),
so it's harder for them to embrace and extend (and destroy
of course) those protocols. (but obviously they are trying
very, very, very hard... the SRV records, "_" zones, etc.)
Microsoft's recent "security" focus, may help delay these
other agendas.. hopefully allowing open systems to gain
even more of a foothold which will help keep the protocols
open and friendly.

I need to put some stuff up on the net, at least with some
sample BIND/DHCP configs for DDNS.... look for a post
later.

Flame away!!
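A minimal BIND 9 / ISC DHCP pairing that follows the three points in the post (the DHCP server does the TSIG-signed updates and clients never update DNS, the AD boxes update the un-delegated "_" names by source IP only, and one zone holds both dynamic and static records). This is an added illustration, not the sample configs the poster promises; the key secret, addresses and zone names are constructed placeholders.

```conf
# --- /etc/named.conf (excerpt): one zone, no dynamic/static split ---
key "dhcp-key" {                      # shared TSIG key, duplicated in dhcpd.conf
    algorithm hmac-md5;               # 2004-era default; BIND 9 also takes hmac-sha256
    secret "PLACEHOLDER-BASE64-SECRET";   # placeholder: generate a real one
};

acl "ms-dcs" { 192.0.2.10; 192.0.2.11; };   # constructed addresses of the AD DCs

zone "example.com" {
    type master;
    file "dyn/example.com.db";
    # DHCP server updates over TSIG; the DCs may update by source IP only.
    # An IP entry permits updates anywhere in the zone (not just the
    # _msdcs/_sites/_tcp/_udp names) and trusts the source address, which
    # is the "less secure" trade-off the post accepts for the "_" records.
    allow-update { key "dhcp-key"; ms-dcs; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "dyn/2.0.192.db";
    allow-update { key "dhcp-key"; };  # only the DHCP server writes PTRs
};
# Static hosts outside the DHCP range go into the same zone with
# nsupdate -k dhcp-key.private, signed with the same key.

# --- /etc/dhcpd.conf (excerpt): server-side DDNS, clients never update DNS ---
ddns-update-style interim;   # DHCP stores a TXT "signature" beside each A it
                             # creates and only removes A/PTR it can prove it owns
ddns-updates on;
ignore client-updates;       # refuse the Windows "let me update DNS myself" flag
ddns-domainname "example.com.";
ddns-rev-domainname "in-addr.arpa.";

key dhcp-key {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET";   # same placeholder as in named.conf
};

zone example.com. {
    primary 192.0.2.53;      # constructed address of the BIND server
    key dhcp-key;
}
zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key dhcp-key;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option domain-name-servers 192.0.2.53;
}
```

Because the reverse zone accepts only the DHCP server's key, no laptop or DC can leave stale PTRs behind; the forward zone still carries the IP-based exception for the DC-maintained "_" names.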
