Private & separate DNS domains

2014-04-08 Thread Bryan Harris
Hello all,

We have a sort of private DNS such that servers can lookup zones that don’t 
actually exist in the real, public DNS, they just exist within our private 
NOCs.  In addition, we have always had both Windows AD handling the Windows 
side of things and we have had BIND handling Linux.

When the BIND servers don’t know about a domain, they forward to a public 
server such as google’s 8.8.8.8 thing.  For some reason the Windows guys aren’t 
allowed that option on their DNS (I believe it’s a security requirement), so 
any Windows server that DOES need public DNS resolution always has a BIND 
server listed in the TCP/IP properties of the network interface (from what I 
have seen, it’s usually not the first DNS server in the list).

Anyway, up until now Windows servers primarily got DNS answers via AD (except 
as mentioned above), and Linux servers via the BIND servers.  Recently, 
however, we have enabled AD authentication on Linux, meaning the Linux servers 
need to know about the AD domains (well, they need to know about the kerberos 
and ldap service records and whatnot).

The current mechanism is to put the Windows AD server into the resolv.conf 
BEFORE the BIND servers, since, as has been explained to me a Linux server will 
perform a query against all three simultaneously (that doesn’t immediately ring 
true to me, it’s just what I was told).  While this does seem to work, I’ve 
been wondering if it would be of any benefit to instead let the BIND servers 
know about the AD zones in some way, allowing us to continue with our “Linux 
sends all queries to BIND” methodology.

As I understand BIND could be theoretically doing conditional forwarding, or it 
could use stub zones, or perhaps could be a slave with AD as the master.  Is it 
just as well to leave things alone?  Or would one of these be preferable to its 
current setup?  Any advice or guidance would be greatly appreciated.

Thanks in advance.

V/r,
Bryan
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Private & separate DNS domains

2014-04-08 Thread Jason Brandt
I have ours setup with AD as a stub, and then point all our clients to our
bind servers as resolvers.  Works well.


On Tue, Apr 8, 2014 at 5:08 AM, Bryan Harris  wrote:

> Hello all,
>
> We have a sort of private DNS such that servers can lookup zones that
> don't actually exist in the real, public DNS, they just exist within our
> private NOCs.  In addition, we have always had both Windows AD handling the
> Windows side of things and we have had BIND handling Linux.
>
> When the BIND servers don't know about a domain, they forward to a public
> server such as google's 8.8.8.8 thing.  For some reason the Windows guys
> aren't allowed that option on their DNS (I believe it's a security
> requirement), so any Windows server that DOES need public DNS resolution
> always has a BIND server listed in the TCP/IP properties of the network
> interface (from what I have seen, it's usually not the first DNS server in
> the list).
>
> Anyway, up until now Windows servers primarily got DNS answers via AD
> (except as mentioned above), and Linux servers via the BIND servers.
>  Recently, however, we have enabled AD authentication on Linux, meaning the
> Linux servers need to know about the AD domains (well, they need to know
> about the kerberos and ldap service records and whatnot).
>
> The current mechanism is to put the Windows AD server into the resolv.conf
> BEFORE the BIND servers, since, as has been explained to me a Linux server
> will perform a query against all three simultaneously (that doesn't
> immediately ring true to me, it's just what I was told).  While this does
> seem to work, I've been wondering if it would be of any benefit to instead
> let the BIND servers know about the AD zones in some way, allowing us to
> continue with our "Linux sends all queries to BIND" methodology.
>
> As I understand BIND could be theoretically doing conditional forwarding,
> or it could use stub zones, or perhaps could be a slave with AD as the
> master.  Is it just as well to leave things alone?  Or would one of these
> be preferable to its current setup?  Any advice or guidance would be
> greatly appreciated.
>
> Thanks in advance.
>
> V/r,
> Bryan



-- 
Jason K. Brandt
Systems Administrator
Bradley University

BIND behaviour when using multiple active ZSK's

2014-04-08 Thread Thomas Dupas
Hello All,

We've stumbled upon a particularity with BIND 9.8 and 9.9 versions, and are 
wondering if anyone else has already bumped into this.
When using more than 1 active ZSK, in a bind auto-maintain scenario, BIND tends 
to lose control when renewing RRSIG’s.
You experience this as sudden bursts in serial increments / NOTIFY's.
When you raise the logging level you see that it renews some RRsigs over and 
over again (several thousand times).

We are able to reproduce this on:
- various BIND 9.8 and 9.9 versions. Not on BIND 9.7 versions (haven’t tried 10 
versions)
- pre-packaged versions, hand-compiled versions with both -O0 and -O3
- both physical / hardware virtualized and para-virtualized hosts
- various linux distributions and kernel versions (tested EL5/EL6 variants and 
debian variants)
- both production zones and test dummy zones
- with NSEC, NSEC3 and NSEC3 opt-out setups
- with various timings / different DNSKEY's

The likelihood of this happening increases when the number of pending RRSIGs 
increases; we get a ~100% reproduction rate when using the following setup:
- dummy zone with 1M records, each with 2 nameservers and 1 DS record
- sign it with an expiration of 7 days in the future, and a 600sec jitter 
interval (it also happens when using a jitter interval of 1 hour, but it was 
reduced to facilitate testing)
- fast-forward little over 5 days (aim a little earlier than the 75% interval 
when BIND will renew signatures)

grep -E "add re-sign" debug7.nfo | awk '{ print $8 }' | sort | uniq -c | sort -rn -k 1 | head -n 20
 236367 eu.
   5654 GI0AO9KPOOHS3HQCRAUR3ADT5QMR94RT.eu.
   5471 testdomain-911794.eu.
   5178 testdomain-389749.eu.
   5077 testdomain-199411.eu.
   5019 testdomain-387060.eu.
   4881 J11CL0B2DNTMFI3UPD5KS8PC7GNCDI58.eu.
   4711 17IJ2OFH012BBAN78FVLGQ11Q37J0N6E.eu.
   4562 CHKMSCN61P7NLDC5JQ7APVGPJVJRFRLR.eu.
   4417 85B9IPB80VJIE6IKPE4KU2FBKRR71MM3.eu.
   4247 testdomain-461370.eu.
   4124 J0G8D50KAPM787DSVREK9S32CR8KG9HO.eu.
      1 testdomain-99.eu.
      1 testdomain-98.eu.
      1 testdomain-97.eu.
      1 testdomain-96.eu.
      1 testdomain-95.eu.
      1 testdomain-94.eu.
      1 testdomain-93.eu.
      1 testdomain-92.eu.

If you go through the log for one of those RRsets you will see that it 
continues to remove/generate signatures over and over again for several 
minutes, and then it suddenly stops for that RRset.
A bit later you might, however, see the same behaviour for another RRset.

Br,

Thomas Dupas
EURid vzw.  http://www.EURid.eu
The European Registry of Internet Domain Names



Re: Private & separate DNS domains

2014-04-08 Thread Joseph S D Yao

On 2014-04-08 06:08, Bryan Harris wrote:

Hello all,

We have a sort of private DNS such that servers can lookup zones that
don’t actually exist in the real, public DNS, they just exist within
our private NOCs.  In addition, we have always had both Windows AD
handling the Windows side of things and we have had BIND handling
Linux.

When the BIND servers don’t know about a domain, they forward to a
public server such as google’s 8.8.8.8 thing.  For some reason the
Windows guys aren’t allowed that option on their DNS (I believe it’s a
security requirement), so any Windows server that DOES need public DNS
resolution always has a BIND server listed in the TCP/IP properties of
the network interface (from what I have seen, it’s usually not the
first DNS server in the list).

Anyway, up until now Windows servers primarily got DNS answers via AD
(except as mentioned above), and Linux servers via the BIND servers.
Recently, however, we have enabled AD authentication on Linux, meaning
the Linux servers need to know about the AD domains (well, they need
to know about the kerberos and ldap service records and whatnot).

The current mechanism is to put the Windows AD server into the
resolv.conf BEFORE the BIND servers, since, as has been explained to
me a Linux server will perform a query against all three
simultaneously (that doesn’t immediately ring true to me, it’s just
what I was told).  While this does seem to work, I’ve been wondering
if it would be of any benefit to instead let the BIND servers know
about the AD zones in some way, allowing us to continue with our
“Linux sends all queries to BIND” methodology.

As I understand BIND could be theoretically doing conditional
forwarding, or it could use stub zones, or perhaps could be a slave
with AD as the master.  Is it just as well to leave things alone?  Or
would one of these be preferable to its current setup?  Any advice or
guidance would be greatly appreciated.

...


You were told wrong about "simultaneously" from /etc/resolv.conf.  It 
uses the first one that gives an answer.  If the first one times out, it 
asks the next and ignores any response from the first, etc.  (If you 
think about it, what happens if two "simultaneously" respond with 
different answers?  If one never responds?)


What we do is have our (separate) Linux/BIND resolving name servers 
forward any queries about internal MSW AD DNS domains to the MSW AD name 
servers, otherwise they do what they would normally do.  Which, for the 
most part, is to recursively resolve starting from the one and only set 
of genuine root servers rather than forwarding to someone else and 
allowing that someone else to put something into our DNS or monitor it.  
Even if they have sworn to do no evil.


The MSW workstations and servers do only look up from the MSW AD 
servers, for some MSW reason that nobody can explain except "MS says 
they have to".  The MSW AD servers forward all DNS queries that they 
cannot resolve to the Linux/BIND resolving name servers.



Joe Yao
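As an added illustration (not configuration from Joe or anyone else on this thread) of the setup Joe describes: a Linux/BIND resolving name server that forwards only the internal AD domain to the AD name servers and resolves everything else iteratively from the root hints, with no global forwarders. All names and addresses are assumed: corp.example stands for the AD domain, 10.0.0.11 and 10.0.0.12 for the domain controllers, and 10.0.0.0/8 for the internal client networks.

```conf
// Added example, not from the thread. All names/addresses are hypothetical:
//   corp.example      -> the AD domain
//   10.0.0.11, .12    -> the AD domain controllers (AD-integrated DNS)
//   10.0.0.0/8        -> internal client networks allowed to recurse
acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    // Restrict recursion to our own clients so the server cannot be used
    // as an open resolver.
    allow-query     { internal; };
    allow-recursion { internal; };
    // Deliberately NO global "forwarders" clause: anything not matched by a
    // forward zone below is resolved iteratively from the root hints, so no
    // third party sees or can answer our general query stream.
};

// Root hints; "named.ca" is the file name shipped with BIND.
zone "." {
    type hint;
    file "named.ca";
};

// Conditional forwarding: only queries under the AD domain go to the DCs.
// The _msdcs, _sites, _tcp and _udp SRV trees that Kerberos/LDAP clients
// need all sit under corp.example, so this one zone covers them.
// "forward only" stops BIND from falling back to iterative resolution when
// the DCs do not answer, which would otherwise send internal AD names out
// to the public root servers.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.11; 10.0.0.12; };
};
```

With this in place, Linux hosts keep a resolv.conf that lists only the BIND servers, which is the "Linux sends all queries to BIND" model Bryan wants to preserve. The Windows side of Joe's design (AD DNS servers forwarding what they cannot resolve to these BIND servers) is configured on the Windows DNS servers, not here. Jason's variant replaces the forward zone with a `type stub` zone whose `masters` are the DCs; the difference is that a stub zone makes BIND send iterative queries to the DCs as authoritative servers, while a forward zone hands them recursive queries.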

Re: Private & separate DNS domains

2014-04-08 Thread Jason Brandt
On Tue, Apr 8, 2014 at 6:15 AM, Joseph S D Yao  wrote:

>
> The MSW workstations and servers do only look up from the MSW AD servers,
> for some MSW reason that nobody can explain except "MS says they have to".
>  The MSW AD servers forward all DNS queries that they cannot resolve to the
> Linux/BIND resolving name servers.
>
>
> Joe Yao
>


All of our Windows clients resolve through our Bind servers, and have no
problems with any AD resources.  The only MSW machines that point to our AD
DNS servers, are our DC's.  All clients will resolve just fine through
BIND, so long as your zones are configured correctly, and you can resolve
the necessary AD records through your BIND servers.  It doesn't matter what
type of DNS server you point clients to, be it Windows, BIND, etc, so long
as DNS is properly configured to forward requests to the appropriate
servers.

We don't have forwarders, or recursion enabled on our AD DNS servers.  I
prefer to keep it simple, and have one set of resolvers for all clients.



-- 
Jason K. Brandt
Systems Administrator
Bradley University

Re: Private & separate DNS domains

2014-04-08 Thread Sam Wilson
In article ,
 Joseph S D Yao  wrote:

> On 2014-04-08 06:08, Bryan Harris wrote:
> > ...
> > The current mechanism is to put the Windows AD server into the
> > resolv.conf BEFORE the BIND servers, since, as has been explained to
> > me a Linux server will perform a query against all three
> > simultaneously (that doesn’t immediately ring true to me, it’s just
> > what I was told).  ...
> ...
> 
> 
> You were told wrong about "simultaneously" from /etc/resolv.conf.  It 
> uses the first one that gives an answer.  If the first one times out, it 
> asks the next and ignores any response from the first, etc.  (If you 
> think about it, what happens if two "simultaneously" respond with 
> different answers?  If one never responds?) ...

Novell's LAN Workplace for DOS used to do simultaneous queries to 
however many (max 3 IIRC) servers you put in its RESOLV.CFG.  I've never 
seen it happen on a *ix/*ux box.  I can't remember if the slower servers 
received port unreachables when their answers trailed in behind the 
leader.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Re: Private & separate DNS domains

2014-04-08 Thread Kevin Darcy
Regardless of what you've been told, the resolvers ("nameserver"s) in 
/etc/resolv.conf are tried *in*sequence*, and if a valid response (where 
NXDOMAIN _is_ a valid response) is received from one resolver, none of 
the others are tried. So, I'm surprised that your 
mix-and-match-resolvers hack actually works. The only thing that comes 
to mind is that the Windows DNS is so horked that it's returning 
SERVFAIL for names outside of its authoritative domains. That would 
trigger failover to another resolver, but that's an *ugly* way to 
integrate BIND and Windows DNS.


Instead of guessing at such things, learn how to use tcpdump/Wireshark 
and find out what's really happening under the covers. I haven't seen a 
resolver implementation send queries *simultaneously* to all resolvers, 
since circa Windows 95. And I've never seen it on Linux.


As for a long-term solution, either define an internal root zone (with 
conditional forwarding exceptions for the external stuff you *need* to 
resolve), or, if you must, forward by default to the Internet and then 
define all of the "private" stuff as master/slave/stub on your internal 
servers.


- Kevin
On 4/8/2014 6:08 AM, Bryan Harris wrote:

Hello all,

We have a sort of private DNS such that servers can lookup zones that don’t 
actually exist in the real, public DNS, they just exist within our private 
NOCs.  In addition, we have always had both Windows AD handling the Windows 
side of things and we have had BIND handling Linux.

When the BIND servers don’t know about a domain, they forward to a public 
server such as google’s 8.8.8.8 thing.  For some reason the Windows guys aren’t 
allowed that option on their DNS (I believe it’s a security requirement), so 
any Windows server that DOES need public DNS resolution always has a BIND 
server listed in the TCP/IP properties of the network interface (from what I 
have seen, it’s usually not the first DNS server in the list).

Anyway, up until now Windows servers primarily got DNS answers via AD (except 
as mentioned above), and Linux servers via the BIND servers.  Recently, 
however, we have enabled AD authentication on Linux, meaning the Linux servers 
need to know about the AD domains (well, they need to know about the kerberos 
and ldap service records and whatnot).

The current mechanism is to put the Windows AD server into the resolv.conf 
BEFORE the BIND servers, since, as has been explained to me a Linux server will 
perform a query against all three simultaneously (that doesn’t immediately ring 
true to me, it’s just what I was told).  While this does seem to work, I’ve 
been wondering if it would be of any benefit to instead let the BIND servers 
know about the AD zones in some way, allowing us to continue with our “Linux 
sends all queries to BIND” methodology.

As I understand BIND could be theoretically doing conditional forwarding, or it 
could use stub zones, or perhaps could be a slave with AD as the master.  Is it 
just as well to leave things alone?  Or would one of these be preferable to its 
current setup?  Any advice or guidance would be greatly appreciated.

Thanks in advance.

V/r,
Bryan






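As an added illustration (not configuration from Kevin or anyone else on this thread) of Kevin's first long-term option, an internal root zone with conditional-forwarding exceptions for the external names that must still resolve. Every name and address is assumed: corp.example is the internal AD domain served by domain controllers 10.0.0.11 and 10.0.0.12, noc.internal is a private BIND zone mastered on 10.0.1.5, vendor.example is one external name the site depends on, and 192.0.2.53 is an upstream resolver (a documentation-range address).

```conf
// --- named.conf (added example, not from the thread; all names assumed) ---
options {
    directory "/var/named";
    recursion yes;
    // No global forwarders and no root hints: this server is its own root.
};

// Authoritative internal root. Any name that is not delegated in
// internal-root.db and not matched by a forward zone gets NXDOMAIN here,
// so internal lookups never leak to the public roots.
zone "." {
    type master;
    file "internal-root.db";
};

// Private zone held locally as a secondary of its own master.
zone "noc.internal" {
    type slave;
    masters { 10.0.1.5; };
    file "slave/noc.internal.db";
};

// Conditional-forwarding exception: the one external name we *need*.
// A forward zone is the closest enclosing zone for these names, so it is
// used in preference to the internal root for anything under vendor.example.
zone "vendor.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

; --- internal-root.db (added example; the delegations replace root hints) ---
$TTL 3600
@                   IN SOA  ns1.noc.internal. hostmaster.noc.internal. (
                            2014040801 3600 900 604800 3600 )
@                   IN NS   ns1.noc.internal.
ns1.noc.internal.   IN A    10.0.1.5
; AD domain: delegated straight to the domain controllers, which are
; authoritative for it, so the resolver follows these NS records iteratively.
corp.example.       IN NS   dc1.corp.example.
corp.example.       IN NS   dc2.corp.example.
dc1.corp.example.   IN A    10.0.0.11
dc2.corp.example.   IN A    10.0.0.12
noc.internal.       IN NS   ns1.noc.internal.
```

The trade-off is the one Kevin hints at with "the external stuff you *need*": with an internal root nothing outside the delegations resolves unless it has its own forward zone, so every external dependency has to be enumerated. Kevin's second option is the mirror image: a global `forwarders` list pointing to the Internet, with each private zone declared as master, slave or stub so that it is answered locally before any forwarding happens.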


Re: Delegation of part of a zone to a global server load balancer

2014-04-08 Thread McDonald, Dan
On Mon, 7 Apr 2014 18:08:57 -0400, Kevin Darcy <k...@chrysler.com> wrote:
I'm assuming you have forwarding set up. Make sure to set "forwarders { };" in 
the aelabad.net zone definition. Failure to do so means that your recursive 
queries for names in subzones forward out towards the Internet, instead of 
following the delegations down to the austin-energy.net nameservers, as you 
intended.

That is indeed the secret sauce I was missing.  Thank you.
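For anyone who hits the same thing, here is an added illustration (not Dan's or Kevin's configuration) of the `forwarders { };` override Kevin describes. The zone names aelabad.net and austin-energy.net are the ones from the thread; the sub-zone label gslb, the file names, the upstream resolver 192.0.2.53 and the austin-energy.net host names are assumed.

```conf
// Added example, not from the thread. Assumed: 192.0.2.53 is the upstream
// resolver, "gslb" is the label of the sub-zone delegated to the load
// balancer, and gslb1/gslb2.austin-energy.net are its name servers.
options {
    directory "/var/named";
    recursion yes;
    // Global forwarding: by default every recursive query goes upstream.
    forwarders { 192.0.2.53; };
    forward only;
};

zone "aelabad.net" {
    type master;
    file "master/aelabad.net.db";
    // Zone-level options override the global ones and are inherited by
    // names beneath this zone. The EMPTY list turns forwarding off here, so
    // a recursive query for a name under gslb.aelabad.net is answered by
    // following the NS records in the zone file down to the
    // austin-energy.net servers. Without this line the zone inherits the
    // global forwarders and the query goes upstream instead, where an
    // internal-only delegation is unknown and the answer is NXDOMAIN.
    forwarders { };
};

; --- excerpt of master/aelabad.net.db (added example) ---
; delegation of the load-balanced sub-zone to the GSLB name servers
gslb.aelabad.net.   IN NS   gslb1.austin-energy.net.
gslb.aelabad.net.   IN NS   gslb2.austin-energy.net.
```

The austin-energy.net server names themselves are outside aelabad.net, so they are still looked up through the global forwarders; only the walk down from the delegation is done iteratively. `named-checkconf` will accept an empty `forwarders { };`, so a syntax check alone will not tell you whether it is missing; a query for a delegated name with `dig +trace` or a packet capture on port 53 shows which server is actually being asked.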






What if no root servers?

2014-04-08 Thread Dean Gibson (DNS Administrator)
I'm interested in a special use-case, where (say, in an emergency), 
access to most of the Internet (and hence the root servers) is cut off.  
In this situation, there is an emergency connected network consisting of 
several domains, each with known nameserver IP addresses.   The hosts in 
domain aaa.com know (typically, via DHCP) about the nameservers for 
their domain, but nothing about domain bbb.com.


At first I thought that one should place "glue" NS records for domain 
bbb.com in the zone for aaa.com, so that hosts in aaa.com that use the 
aaa.com nameservers, will be able to refer to the hostnames in domain 
bbb.com.


I understand that one can do this for subdomains.  However, a bit of 
research seems to suggest that a stub zone is the proper way to do 
this.  Is this what a "stub" zone is for?


-- Dean
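As an added illustration (not configuration from Dean, Jason or anyone else on this thread) of what a stub zone is for, covering both Dean's emergency-network question here and Jason's "AD as a stub" setup earlier in the digest. The names and addresses are assumed: this is the named.conf of the aaa.com name servers, and bbb.com's name servers are at 192.0.2.10 and 192.0.2.11 (documentation-range addresses) that are reachable over the emergency network.

```conf
// Added example, not from the thread. Assumed: this server is authoritative
// for aaa.com and recursive for aaa.com's hosts; bbb.com's name servers
// are 192.0.2.10 and 192.0.2.11 and remain reachable when the Internet
// (and therefore the root and .com servers) is not.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };   // aaa.com's hosts (assumed)
};

zone "aaa.com" {
    type master;
    file "master/aaa.com.db";
};

// A stub zone holds only the SOA, NS and glue records of bbb.com, fetched
// from the listed masters and refreshed on the SOA refresh timer. When a
// host in aaa.com asks for anything under bbb.com, this server already
// knows which servers are authoritative and queries them directly, with no
// trip through the root or .com servers that are cut off.
zone "bbb.com" {
    type stub;
    masters { 192.0.2.10; 192.0.2.11; };
    file "stub/bbb.com.db";
};
```

Putting NS and glue records for bbb.com inside the aaa.com zone file, as Dean first considered, does not achieve this: BIND only uses NS records as a delegation when they are for a child of the zone they appear in, so out-of-zone data for bbb.com in aaa.com's zone is ignored. The stub zone is the supported way to pre-seed the NS set for an unrelated domain, and it keeps that set current rather than freezing it in a hand-edited file. Jason's AD setup has exactly the same shape, with the AD domain as the zone name and the domain controllers as the `masters`.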