BIND integration with windows DNS

Arnoud Tijssen ATijssen at Ram.nl
Tue Jul 27 07:31:40 UTC 2010


From previous mail:


>
> Since I don't want all dynamic updates from Windows clients polluting
> my main zone file, but still want one primary DNS serving the main
> domain instead of two, BIND and Windows, what is the best option,
> if there is one?

Sorry - I don't follow. You say you don't want Windows clients updating
the zone, and they're not. So what's the problem (i.e. what have I
misunderstood)?


The problem is that I want a clean zone file, since it gets synchronized to our slave server, which gets used by the outside world.
But I do want the clients to register themselves in DNS. We use DHCP for most of the desktop systems internally, and for troubleshooting it is very convenient to be able to deduce which client system belongs to which IP address.
Therefore I tried to delegate all of the Windows-specific subdomains to Windows DNS and put a forward on BIND for these subdomains, but unfortunately that doesn't work.

So basically I would like to have everything reside on our BIND master and slave servers and be able to let Windows clients update DNS dynamically, preferably securely, without polluting the zone file with all of the extra data produced by the clients.

Is there a tutorial somewhere on how to implement what you are suggesting?

Thanks,
Arnoud


-----Original Message-----
From: bind-users-bounces+atijssen=ram.nl at lists.isc.org [mailto:bind-users-bounces+atijssen=ram.nl at lists.isc.org] On Behalf Of Phil Mayers
Sent: Tuesday 27 July 2010 9:11
To: bind-users at lists.isc.org
Subject: Re: BIND integration with windows DNS

On 07/27/2010 07:10 AM, Arnoud Tijssen wrote:
> I'm facing kind of a challenge. At the moment we have BIND and
> Windows DNS within our corporate network.
>
> I would like to get rid of Windows DNS and switch completely over to
> BIND, but since DNS is so intertwined with AD this is not an option,
> since it probably introduces more problems than it solves.

You can do it. We run a large AD domain with DNS completely on bind.

>
> So my next option was to delegate all the Windows-specific subdomains
> (i.e. _tcp.example.com, _udp.example.com, _sites.example.com,
> _msdcs.example.com etc.) to Windows DNS for dynamic updates and let

You can run these on BIND too (we do). Since updates to these special
zones are by AD controllers only, you can use IP-based update policies.
Obviously this is less secure.

Recent versions of BIND also have GSSAPI (secure update) support. It
seems pretty sparsely documented though.

> the main domain, example.com, reside on BIND. After setting up BIND
> and Windows DNS and removing the main domain entry from the Windows
> DNS servers, leaving only the Windows-specific subdomains, and
> pointing the DNS resolvers of Windows to the BIND servers, the Windows
> clients were unable to register themselves within DNS and AD
> properly. It seems the clients register themselves in the main zone
> file of the domain, which resides on BIND.

Yes. This is Windows default behaviour. You can turn this off in Group
Policy, or again, recent versions of BIND support GSSAPI and you can have
the clients do secure update. The problem is that BIND does not have the
garbage collection support that Windows DNS does for client registrations.

>
> Since I don't want all dynamic updates from Windows clients polluting
> my main zone file, but still want one primary DNS serving the main
> domain instead of two, BIND and Windows, what is the best option,
> if there is one?

Sorry - I don't follow. You say you don't want Windows clients updating
the zone, and they're not. So what's the problem (i.e. what have I
misunderstood)?
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
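The layout Phil describes, sketched as a named.conf fragment. This is an added illustration for the thread, not configuration posted by either author. The main zone stays a static, hand-maintained file with no dynamic updates, and the AD-specific subdomains are separate zones on the same BIND server, shown once with the IP-based policy Phil calls less secure and once with a GSS-TSIG update-policy. Server names, addresses, file names, the ACL and the Kerberos realm EXAMPLE.COM are assumed values; the GSS-TSIG options need a named built with GSSAPI support and a keytab holding the DNS service principal for the server.

```conf
// Added example for this thread, not configuration from the original
// posts. Names, addresses, paths and the realm EXAMPLE.COM are assumed.

options {
    directory "/var/named";

    // Only needed for the GSS-TSIG variant below. The keytab must hold
    // the DNS/ns1.example.com@EXAMPLE.COM service principal (assumed
    // name). tkey-gssapi-keytab is the BIND 9.8+ form; BIND 9.7 instead
    // used tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM"
    // with the keytab supplied through the Kerberos environment.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
    tkey-domain "EXAMPLE.COM";
};

// Addresses of the AD domain controllers (assumed).
acl ad-dcs { 192.0.2.10; 192.0.2.11; };

// The main zone stays a plain static file: no dynamic updates, so what
// the external slave transfers is exactly what is in the file.
zone "example.com" {
    type master;
    file "static/example.com.zone";
    allow-update { none; };
    allow-transfer { 192.0.2.53; };   // the external slave (assumed)

    // If client self-registration in this zone were wanted after all,
    // Phil's GSS-TSIG route would replace allow-update { none; } with:
    //   update-policy { grant EXAMPLE.COM ms-self . A AAAA; };
    // A machine account host$@EXAMPLE.COM may then change only the A/AAAA
    // records of host.example.com, but nothing expires them: BIND has no
    // scavenging, so stale client records accumulate until removed by hand.
};

// The AD-only subdomains are separate zones on the same server. named
// rewrites these files and keeps .jnl journals beside them, so they are
// kept apart from the static zone and are not transferred outside.
//
// Option 1 (weaker): trust by source address. Only the DCs should write
// here, but anything able to send UPDATE from those addresses can rewrite
// the SRV records that clients use to locate domain controllers.
zone "_msdcs.example.com" {
    type master;
    file "dynamic/_msdcs.example.com.zone";
    allow-update { ad-dcs; };
    allow-transfer { none; };
};

// Option 2: every UPDATE must carry a GSS-TSIG signature from a machine
// account (host$@EXAMPLE.COM) that authenticated to the realm. A zone
// takes either allow-update or update-policy, never both. Caveat:
// ms-subdomain grants every machine in the realm, not only the DCs,
// write access to names at or below the one given.
zone "_sites.example.com" {
    type master;
    file "dynamic/_sites.example.com.zone";
    update-policy {
        grant EXAMPLE.COM ms-subdomain _sites.example.com. ANY;
    };
    allow-transfer { none; };
};
```

The same stanza is repeated for _tcp.example.com and _udp.example.com. Run named-checkconf before reloading, and remember that the dynamic zone files must not be edited by hand while named runs: use rndc freeze and rndc thaw around any manual change, otherwise the journal and the file disagree.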


