Re: Bind 9.1 As SOA with Windows 2003 DNS Server - DNS



Thread: Re: Bind 9.1 As SOA with Windows 2003 DNS Server

  1. Re: Bind 9.1 As SOA with Windows 2003 DNS Server

    Skywalker wrote:
    > Currently in an NT 4 domain with a Windows 2003 DNS server. The Bind
    > server is the SOA for the zone. We plan to keep the BIND server as the
    > SOA. The BIND server has multiple interfaces, so it is serving DNS
    > internally and externally on our network. Firewall rules block
    > computers from performing dynamic DNS updates to the BIND server. We
    > want the dynamic updates to happen on the Windows 2003 DNS server.
    > Network traces prove that the computers only attempt to update the BIND
    > server after performing an SOA query. Obviously, we are not using
    > Active Directory Integrated DNS nor do I know at this point if that
    > will happen. We will have a Windows 2003 domain controller in the next
    > couple of weeks. When we try to run dynamic DNS from an XP client, the
    > computer cannot register itself on the Windows 2003 DNS server as it is
    > not the SOA for that zone. We have proved that the computer can
    > register itself on the Windows 2003 DNS server, if the Windows 2003 DNS
    > server is the SOA for the zone. There are no plans to remove BIND.
    > Does anyone have a solution? Any information would be helpful.
    >

    I had to read your message several times before I got a sense of what
    you meant by "is the SOA for the zone". Eventually, the conclusion I
    came to is that the MNAME field of the zone's SOA RR contains the name
    of a BIND server. Is that correct? Is there any reason to keep things
    that way? Seems like you'd make your life a lot easier if you just put
    the name of your Windows DNS server there. Note that changing the value
    of SOA.MNAME, _ipso_facto_ has no implications whatsoever on what kind
    of software you run on what servers, to support your DNS infrastructure.
    It doesn't imply, for instance, that you can't run BIND any more.

    In any case, according to the Dynamic Update RFC (2136), what you're
    trying to do _should_ work, even with the BIND server in the SOA.MNAME,
    but *if*and*only*if* the name of the Windows DNS server is in the NS
    records of the zone. The basic algorithm is: try the SOA.MNAME, if there
    is also an NS record for it in the zone; if that doesn't work, then try
    the other NS records. If your clients aren't failing over to the other
    servers in the NS records of the zone, then I would say they aren't
    RFC-compliant.

    If the Windows DNS box isn't in the SOA.MNAME, and it isn't in the NS
    records for the zone, I'm not sure how you expected the Dynamic Update
    clients to be able to find it. Extra-sensory perception?


    - Kevin



  2. Re: Bind 9.1 As SOA with Windows 2003 DNS Server

    I think I found the answer. Our basic problem is that we are using the
    same domain name (mycompany.com) for internal and external use. I read
    an article about split-brain DNS from Microsoft. We would have an
    external DNS server that is authoritative for the zone and an internal
    DNS server that is authoritative for the same zone name. This
    method would not expose our internal computers to the outside. The
    internal DNS server could perform forward lookups to the external DNS
    server. The internal computer could therefore perform dynamic DNS
    updates to the internal DNS server. Does this make sense?



  3. Re: Bind 9.1 As SOA with Windows 2003 DNS Server

    I use the same domain name both inside and outside. I use 2 views, one
    for outside and one for inside; that equals roughly two independent
    servers. My internal view has recursion enabled, the external has it
    disabled. All internal IPs are in the 192.168.x.x range and all external
    IPs are routable.

    I have never seen a glitch with this setup, nothing is leaked between
    internal and external.

    I can't believe that your basic problem is that you use the same domain
    for internal and external use; I do that to support that mail etc. has
    only one name to look up. That name is the same internally and
    externally, but it gets a different IP depending on my physical location
    when I do the lookup.

    Skywalker wrote:
    > I think I found the answer. Our basic problem is that we are using the
    > same domain name (mycompany.com) for internal and external use. I read
    > an article about split-brain DNS from Microsoft. We would have an
    > external DNS server that is authoritative for the zone and an internal
    > DNS server that is authoritative for the same zone name. This
    > method would not expose our internal computers to the outside. The
    > internal DNS server could perform forward lookups to the external DNS
    > server. The internal computer could therefore perform dynamic DNS
    > updates to the internal DNS server. Does this make sense?
    >
    >
    >


    --
    Best regards

    Sten Carlsen

    No improvements come from shouting:

    "MALE BOVINE MANURE!!!"



  4. Re: Bind 9.1 As SOA with Windows 2003 DNS Server

    Skywalker wrote:
    > I think I found the answer. Our basic problem is that we are using the
    > same domain name (mycompany.com) for internal and external use. I read
    > an article about split-brain DNS from Microsoft. We would have an
    > external DNS server that is authoritative for the zone and an internal
    > DNS server that is authoritative for the same zone name. This
    > method would not expose our internal computers to the outside. The
    > internal DNS server could perform forward lookups to the external DNS
    > server. The internal computer could therefore perform dynamic DNS
    > updates to the internal DNS server. Does this make sense?

    No, not really. Your problem, as you previously reported it, was that
    Dynamic Updates weren't being made to your Microsoft DNS server unless
    that server was defined as the "SOA" for the zone (still not 100% sure
    what you mean by that term). So what bearing does it have on your
    problem whether a particular hosted instance of a zone is designated as
    "internal" or "external"? In my last response, I implicitly invited you
    to either a) change the MNAME field of the zone's SOA RR to refer to
    your Microsoft DNS server (assuming that you were equating "SOA" with
    the MNAME field thereof), or at least b) double-check that there is an
    NS record at the apex of the zone referring to your Microsoft server. If
    neither of those things are true, then the client has no way of knowing
    that the Microsoft server is an available target for its Dynamic
    Updates, so you shouldn't be surprised that the Dynamic Updates are
    never processed.


    - Kevin

    P.S. This is a BIND-oriented list, so we're getting a little off-topic
    when talking about how Microsoft-OS Dynamic Update clients talk to a
    Microsoft DNS server. You might be better off taking this to a
    Microsoft-specific list.
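    Both of Kevin's replies rest on the same point: a Dynamic Update client can only reach a server it can discover from the zone itself, that is, the SOA MNAME (when that name is also in the NS RRset) or one of the apex NS records. The following added example (not code from this thread) models that discovery order in Python over a constructed apex RRset; the host names `bind.mycompany.com.`, `ns2.mycompany.com.` and `win2003.mycompany.com.` are hypothetical, chosen to mirror the poster's setup.

```python
# Added example: model the Dynamic Update target discovery Kevin describes.
# Zone data and host names (bind./ns2./win2003.mycompany.com.) are constructed.

def _norm(name):
    """Canonical name form: lower case with a single trailing dot."""
    return name.lower().rstrip(".") + "."

# Constructed apex RRset mirroring the poster's situation: the BIND host is
# MNAME and an NS; the Windows 2003 server appears nowhere in the zone.
APEX_RECORDS = """
mycompany.com. 3600 IN SOA bind.mycompany.com. hostmaster.mycompany.com. 1 3600 900 604800 300
mycompany.com. 3600 IN NS  bind.mycompany.com.
mycompany.com. 3600 IN NS  ns2.mycompany.com.
"""

def parse_apex(text):
    """Extract the SOA MNAME and the NS targets from one-record-per-line zone text."""
    mname, nameservers = None, []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        rtype, rdata = fields[3].upper(), fields[4:]
        if rtype == "SOA":
            mname = _norm(rdata[0])
        elif rtype == "NS":
            nameservers.append(_norm(rdata[0]))
    return mname, nameservers

def update_targets(mname, nameservers):
    """Order in which a client tries servers: MNAME first, but only when it is
    also listed in the NS RRset; then the remaining NS targets in zone order."""
    nameservers = [_norm(ns) for ns in nameservers]
    mname = _norm(mname) if mname else None
    ordered = [mname] if mname in nameservers else []
    ordered.extend(ns for ns in nameservers if ns != mname)
    return ordered

def is_discoverable(server, mname, nameservers):
    """True if a client following the order above would ever try `server`."""
    return _norm(server) in update_targets(mname, nameservers)

if __name__ == "__main__":
    mname, ns = parse_apex(APEX_RECORDS)
    print("update targets:", update_targets(mname, ns))
    print("win2003 discoverable:", is_discoverable("win2003.mycompany.com", mname, ns))
```

    Running the check against the constructed zone shows the Windows server is never a candidate; adding an apex NS record for it (or making it MNAME and an NS) is what makes it appear in the list.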





